Description of problem:
If the apache web server is started directly, instead of from the /etc/init.d/httpd script, then it runs as unconfined_t instead of httpd_t.

Steps to Reproduce:
1. Shut down apache with 'service httpd stop'
2. Start apache directly by executing /usr/sbin/httpd as root
3. Check the selinux context via ps -axZ and/or tail /var/log/httpd/error_log|grep SELinux

Actual results:
Apache is not under selinux control when started as above. If you then do 'service httpd restart', the web server will run as httpd_t under control of the targeted policy again.

Expected results:
Apache should run in the httpd_t domain no matter how it is started up. As it stands, it seems to depend on the selinux context of the init.d/httpd script being set to httpd_script_exec_t in *addition* to /usr/sbin/httpd being set to httpd_exec_t.

Additional info:
You get very weird behavior if the context of the init.d/httpd file gets changed (e.g., if you try to edit the script - this is what happened to me). On bootup, apache will start under httpd_t (I'm guessing this has to do with some special parts of the policy that take effect at that time), but if you later do 'service httpd restart' to re-start the web server, then apache will no longer be under selinux control. If you do 'ls -Z /usr/sbin/httpd' it appears that the server *should* start correctly. This gives the appearance of something that works at startup, but 'breaks' if you stop and re-start it, and can only be 'fixed' by re-booting the whole system. This is normal, expected behavior for the operating systems from Redmond, but it is kind of disconcerting to see it occur under Linux!
This seems like you have a labeling problem. SELinux relies on file labels to start applications correctly.

/sbin/init -> init_exec_t -> init_t
init_t -> Starts init scripts labeled initrc_exec_t -> initrc_t
initrc_t -> Starts httpd labeled httpd_exec_t -> httpd_t

If any of these labels are wrong, this will not happen. We decided long ago not to automatically transition unconfined_t -> httpd_exec_t -> httpd_t. This is to allow debugging, so you should always start via the init scripts or apachectl.

I would guess that you have a labeling problem in your initscripts:

restorecon -R -v /etc/rc.d
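An added check, not part of the bug report, that audits the label chain the reply describes before and after a restart: the file types it expects (init_exec_t, initrc_exec_t, httpd_exec_t) and the process domain (httpd_t) are the ones quoted in the reply; the sample `ls -Z` / `ps -eZ` lines it is exercised on are constructed, and the functions read stdin so real command output can be piped in instead.

```shell
#!/bin/sh
# Added example: verify the label chain init_exec_t -> initrc_exec_t ->
# httpd_exec_t -> httpd_t. Functions read `ls -Z` / `ps -eZ` style lines on
# stdin so they can be run offline on constructed text.

# Expected file type for each step of the chain (path=type), per the reply.
CHAIN="/sbin/init=init_exec_t /etc/rc.d/init.d/httpd=initrc_exec_t /usr/sbin/httpd=httpd_exec_t"

# check_file_labels: stdin is `ls -Z` output, one file per line, path last.
# Accepts both the old "user:role:type path" and the "user:role:type:level path"
# forms. Prints each mislabeled path; returns 1 if any step of the chain is wrong.
check_file_labels() {
    rc=0
    while read -r line; do
        path=${line##* }
        for pair in $CHAIN; do
            [ "$path" = "${pair%=*}" ] || continue
            want=${pair#*=}
            case "$line" in
                *":$want:"*|*":$want "*) ;;
                *) echo "MISLABELED $path: expected type $want"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# check_httpd_domain: stdin is `ps -eZ` output ("label pid tty time cmd").
# Returns 1 if any httpd process runs in a domain other than httpd_t, which is
# what the reporter saw after starting /usr/sbin/httpd by hand (unconfined_t).
check_httpd_domain() {
    rc=0
    while read -r label pid tty time cmd; do
        [ "$cmd" = "httpd" ] || continue
        type=$(printf '%s' "$label" | cut -d: -f3)
        if [ "$type" != "httpd_t" ]; then
            echo "UNCONFINED httpd pid $pid runs as $type (expected httpd_t)"
            rc=1
        fi
    done
    return $rc
}
```

On a live system: `ls -Z /sbin/init /etc/rc.d/init.d/httpd /usr/sbin/httpd | check_file_labels` and `ps -eZ | check_httpd_domain`, then `restorecon` as the reply suggests if either reports a problem.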