TL;DR — If you’re not running an xlxd based reflector using SELinux you can skip this post.
I recently migrated the XLX reflector from Debian Stretch to Fedora FC30. Debian is the platform recommended by the software author, but xlxd runs fine under Fedora as well. However, since I’m running with SELinux enabled, there were a couple of issues to tackle.
SELinux tags filesystem elements with a security context and in some cases, xlxd fails to access certain files for which it does not have authorization. There are three files that will require some special attention.
xlxd.pid -- contains the running process number
xlxd.log -- the XML log file used by the dashboard
callinghome.php -- contains the hash value used for registration
In my system, the files are installed in the following directories:
I had to create new rules to put the files in the correct security contexts.
semanage fcontext -a -t httpd_sys_content_t /var/log/xlxd.xml
semanage fcontext -a -t httpd_sys_content_t /var/run/xlxd.pid
semanage fcontext -a -t httpd_sys_rw_content_t \
One issue I discovered is that the contexts do not handle the creation of a new file. For that, I installed restorecond. This system daemon watches for specified files to be created and relabels the security context.
dnf install restorecon
Then, add the 3 fully pathed file names to /etc/selinux/targeted/contexts/files/file_contexts.local. Restart the restorecond service and you’re ready to start the xlxd, httpd, and php-fpm services.
A very useful command is ls -lZ. On an SELinux enabled system it will list the security context labels for each file.
-rwxrwxrwx. 1 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 66 May 16 14:12 callinghome.php
Another useful command is restorecon. RTFM.