Damn you SELinux

I’ve been struggling for a few days, off and on, with an issue. Trying to do a proof of concept running httpd as a reverse proxy to a static site on S3. I have something similar working but using NGINX on Ubuntu. This is httpd on Alma.

I created a local VM and proceeded to configure things. Used the local /etc/hosts file to trick DNS into resolving to the local VM. I kept getting 502 Bad Gateway errors.

I confirmed I could curl the static S3 site just fine, so why the 502 Bad Gateway error?

Was it the firewall? I’ll disable it. 502

Is it DNS? The error in the httpd logs shows seemingly incorrect IPs. 502

Let me try the same thing with NGINX. 502

WTF

Oh…my…god. SELinux status? Permissive.

Fudge.

Disable SELinux. Reboot. 200

I feel better now.

1 Like
  • Horrible
  • Piece
  • Of
  • Crap

I’ve never seen a single good use case for it…

Back in EL7 (in this case OEL7) if you changed one of the SELinux profiles - WITHOUT installing the package that profile required - the piece of crap wouldn’t boot! Doh! You’d a thunk it might try and warn you, or heaven forbid - INSTALL the package it needs - but not!

What a steaming pile of …

2 Likes

Wow. Shaking my head.

I’m a much bigger fan of Ubuntu and other variants that use AppArmor. I’ve read it isn’t as comprehensive, but if a huge percentage of people end up disabling SELinux it doesn’t do any good at all.

2 Likes

I think I had to boot in single user mode (from Grub prompt in the VMware guest console) - edit /etc/sysconfig/selinux.conf and comment out my change, and uncomment the original line - then reboot - then - install the RPM from YUM that the more permissive SELinux profile required… How dumb is that?

2 Likes