LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Why is SELinux blocking my FTP uploads? (https://www.linuxquestions.org/questions/linux-server-73/why-is-selinux-blocking-my-ftp-uploads-4175445582/)

unSpawn 01-15-2013 07:49 AM

Quote:

Originally Posted by chrism01 (Post 4870125)
I think you're going to need
Code:

chcon -t public_content_rw_t <target_dir>

Running the provided AVC messages through audit2allow does suggest that, yes:
Code:

#============= ftpd_t ==============
allow ftpd_t httpd_sys_content_t:dir write;
allow ftpd_t httpd_sys_content_t:file append;

However that doesn't automagically mean one should. Best check for any related booleans first IMHO:
Code:

getsebool -a | grep ftp

Kustom42 01-15-2013 10:29 AM

I thought about what chris suggested but that will cause issues with apache having access to the files due to selinux being enforced. If it was in permissive mode or disabled it would work with the public_content_rw_t.

Enable the boolean I suggested and it will work. No need to modify the context of the directories or files here.

fakefake 01-15-2013 10:53 AM

Quote:

Originally Posted by chrism01 (Post 4870290)
Don't use < & > chars; that's just a typing format to show you that you should substitute your value there; in other words
Code:

chcon -t public_content_rw_t /var/www/html

You will also need to turn on at least one of those booleans, e.g. post #8.
This may also be useful Chap 44 http://www.linuxtopia.org/online_boo...ion/index.html

Perfect chrism01! Once you pointed out I didn't need the <> and I referenced Chap 44, your suggestion worked in conjunction with the change to the booleans from post #8 (as you also suggested). No reboot needed.

For others in a similar situation, I'll summarize what I did in the end:

Code:

[root@localhost ~]# chcon -t public_content_rw_t /var/www/html
[root@localhost ~]# setsebool -P allow_ftpd_full_access=1

I was then able to drag and drop in FileZilla from my remote local to my server's /var/www/html without the 553 error which started all of this. Afterwards, I checked

Code:

[root@localhost ~]# sestatus
SELinux status:                enabled
SELinuxfs mount:                /selinux
Current mode:                  enforcing
Mode from config file:          enforcing
Policy version:                24
Policy from config file:        targeted

which told me my upload was successful while still having SELinux enabled.

Lastly, per unSpawn's request, here are the resulting booleans:

Code:

[root@localhost ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off

I take it that these are typical and satisfactory?

Kustom42 01-15-2013 11:07 AM

Yes, that looks satisfactory. Is Apache still able to serve your web files now that you have modified the directory SELinux context? From my past experience it shouldn't work if SELinux is in enforcing mode. Just want to double check.

fakefake 01-15-2013 04:13 PM

Quote:

Originally Posted by Kustom42 (Post 4870684)
Yes, that looks satisfactory. Is Apache still able to serve your web files now that you have modified the directory SELinux context? From my past experience it shouldn't work if SELinux is in enforcing mode. Just want to double check.

Just checked and with sestatus reporting that SELinux is enabled / enforcing, I can still successfully access:
  • the Apache test page
  • a test index.php that I uploaded to /var/www/html/
  • and phpMySQL

I did a lot of monkeying around trying to solve my initial problem before posting my initial question, so perhaps I did something that I haven't described that makes my system behave differently than what you expected. Now that I've installed LAMP once, I have half a mind to do a completely fresh install to help set the process in my mind.

Thanks to everyone for getting me over this hump. What a great community.

Before I close the thread as solved, I've been researching how to give the same rw access to not just /var/www/html/ but all subsequent dirs I put into it, as any additional dir I've made, such as /var/www/html/testdir/, reports the original 553 FTP error when I try to upload into it.

I've tried variations of:

Code:

[root@localhost ~]# chcon -R -t public_content_rw_t /var/www/html

as I thought the -R would give me recursive access to all child dirs of html, but that hasn't been the case.

Kustom42 01-15-2013 04:24 PM

The -R is a recursive option, but remember that there are multiple attributes in SELinux. The -t is the type context; you also have user and role which play a factor. Do an ls -Z on the new directory and compare to the others.

unSpawn 01-16-2013 07:23 AM

Quote:

Originally Posted by fakefake (Post 4870672)
here are the resulting booleans: (..) I take it that these are typical and satisfactory?

You can actually check them yourself against the info 'man ftpd_selinux' offers.


Quote:

Originally Posted by fakefake (Post 4870876)
I did a lot of monkeying around trying to solve my initial problem before posting my initial question, so perhaps I did something that I haven't described that makes my system behave differently than what you expected.

I use a log file to jot down changes by date. When a problem occurs it's easier to look for clues in a file than having to rely on memory alone. Plus revision control makes it easy to revert configuration should it be necessary.


Quote:

Originally Posted by fakefake (Post 4870672)
Now that I've installed LAMP once, I have half a mind to do a completely fresh install to help set the process in my mind.

If learning to do things properly and verifying what you learned is applicable as a standard procedure then I can only applaud that.


Quote:

Originally Posted by fakefake (Post 4870672)
Before I close the thread as solved, I've been researching how to give the same rw access to not just /var/www/html/ but all subsequent dirs I put into it, as any additional dir I've made, such as /var/www/html/testdir/, reports the original 553 FTP error when I try to upload into it. I've tried variations of:
Code:

[root@localhost ~]# chcon -R -t public_content_rw_t /var/www/html

as I thought the -R would give me recursive access to all child dirs of html, but that hasn't been the case.

The easiest way would be to apply the 'semanage fcontext' command chrism01 mentioned in post #11 (also in 'man ftpd_selinux' BTW) first. That adds a permanent record (to /etc/selinux/${POLICYNAME}/contexts/files/file_contexts.local) so that when you create a file or directory it starts out with the right context, and so that when the 'restorecond' service comes across it, it won't revert the context back to what it knows it is.
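As an added example (not code posted in the thread), the persistent version of the fix unSpawn describes, plus a check of the booleans he asked about earlier; the directory and boolean names are the thread's, the getsebool sample is constructed:

```shell
#!/bin/sh
# Added example, not from the thread: make the public_content_rw_t label on the
# upload tree persistent (semanage fcontext + restorecon instead of a bare chcon)
# and check the FTP booleans the thread relies on. The privileged commands only
# run when invoked as "--apply" on a box that has semanage; otherwise the script
# dry-runs against a constructed getsebool sample.

UPLOAD_DIR=/var/www/html          # the directory from the thread

# Turn a directory into the regex semanage/file_contexts expects:
# the directory itself plus everything created beneath it later.
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"  # drop one trailing slash before appending
}

# $1 = text of `getsebool -a`; remaining args = booleans that must be "on".
# Prints each required boolean that is off or absent. Absent matters: the
# RHEL 6 name allow_ftpd_full_access became ftpd_full_access in later
# policies, as panga's 2017 listing in this thread shows.
missing_booleans() {
    bools=$1; shift
    for b in "$@"; do
        printf '%s\n' "$bools" | grep -qx "$b --> on" || echo "$b"
    done
}

# Constructed sample in the RHEL 6 era format seen in the thread.
SAMPLE_BOOLS='allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
ftp_home_dir --> on'

if [ "${1:-}" = "--apply" ] && command -v semanage >/dev/null 2>&1; then
    # Persistent rule (use -m instead of -a if the pattern already exists),
    # then relabel the existing tree so the rule takes effect now.
    semanage fcontext -a -t public_content_rw_t "$(fcontext_pattern "$UPLOAD_DIR")"
    restorecon -Rv "$UPLOAD_DIR"
    ls -dZ "$UPLOAD_DIR"          # confirm the type is public_content_rw_t
    missing_booleans "$(getsebool -a)" allow_ftpd_full_access
else
    echo "dry run: would label $(fcontext_pattern "$UPLOAD_DIR")"
    echo "booleans still off in the sample:"
    missing_booleans "$SAMPLE_BOOLS" allow_ftpd_full_access allow_ftpd_anon_write
fi
```

Anything missing_booleans prints is a boolean you still have to set with setsebool -P, or a name that does not exist on your policy version.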

fakefake 01-16-2013 03:21 PM

Thanks. I also just realized that anytime I create new directories within /var/www/html/ I also need to change the GROUP to apache and set the permissions to 755 if I want the FTP via httpd to be able to read/write to them. I'm currently doing this by:

Code:

# chown -R MYUSERNAME:apache /var/www/html/
# chmod 755 -R /var/www/html/

I still need to figure out how to set the "Folder Access" to read and write via the command line, but as I can currently do that via GNOME by right clicking a folder and clicking PERMISSIONS->and changing the GROUPS folder access to CREATE & DELETE manually, I'll consider my problem solved and work on the rest by myself.

Thanks again for your help guys!

Kustom42 01-16-2013 03:43 PM

Your chmod command changes your permissions; here is how chmod goes.

There are actually 4 numeric permission digits; when you only specify 3, as is the usual case, a leading 0 is appended.

Ignore the first digit for now; it's used for special permissions such as a sticky bit.

Your numerical permissions are as follows:

4 = read
2 = write
1 = execute

So if you do the math:

7 = 4+2+1 = read+write+execute
5 = 4+1 = read+execute
6 = 4+2 = read+write


The location of the numeric digit indicates which set of permissions to apply.

So you have

chmod 755

The first digit is your owner, the second digit is your group and the last digit is everyone else that is not the owner of the file or a member of the group on the file.

chrism01 01-17-2013 01:31 AM

Actually, in my RH manual it says to try chcon first, then test it, then semanage to fix it in place.
Basically, chcon will last until an SELinux relabel occurs. semanage (as explained by unSpawn) actually alters the SELinux Policy, so that the change will even survive an SELinux relabel.

panga 10-13-2017 09:10 AM

This solution works for me:

Code:

[root@prodserver output]# getsebool -a | grep ftp
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> on
ftpd_connect_db --> off
ftpd_full_access --> on
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_home_dir --> on
[root@prodserver output]#

With those 3 parameters everything is working.

John VV 10-13-2017 08:16 PM

A 5 year old necro post, panga.

5 years later - today -
the SELinux kernel almost never gives me issues except for a NEW system install on new hardware and the initial setup of NON-standard software.
