Thursday, June 10, 2010

SELinux: the basic idea and how to debug

SELinux stores file context as objects which you can see with the -Z flag to ls or ps. Try to cp /etc/hosts /home/$USER and then mv /home/$USER/hosts /var/www/html after editing it. The home context (mv keeps the label the file already has) will stop Apache from serving the file. You'll see an error in /var/log/messages with what sealert options to run to see exactly what was blocked and how to fix it with restorecon.

Update: 11/24/10

Correction: A lot of the time restorecon won't fix it. Instead you'll need to change it with chcon. A typical example is when SELinux and Apache have a disagreement because you want to serve from a directory besides /var/www/, say /mnt/webapps/subversion for example. Even if you configure your httpd.conf to tell it that /mnt/webapps/subversion is a valid web directory it doesn't seem to work, for permissions-related reasons. The way to check this is to run:

ls -Z /var/www/html/
ls -Z /mnt/webapps/subversion
and see if you notice a difference. One difference that might be seen is the following:
unconfined_u:object_r:httpd_sys_content_t:s0
unconfined_u:object_r:mnt_t:s0
An easy way to fix this with chcon is:
chcon -R -t httpd_sys_content_t /mnt/webapps/subversion/
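As an added example (a small POSIX shell script written for this post, not the author's code), the following turns the two checks above into one routine: it pulls the type out of a file context, decides whether Apache can read it, and prints the fix the post arrives at in each case: restorecon for a mislabelled file under /var/www (the cp/mv experiment from the top of the post), chcon for a directory outside it (the /mnt/webapps/subversion case). It assumes the targeted policy, where every httpd content type matches httpd_*content_t and /var/www is already covered by the default file-context rules, and it uses GNU stat's %C to read a live context; the sample contexts in the script are constructed to mirror the ls -Z lines above.

```shell
#!/bin/sh
# Added example, not code from the original post. Given an SELinux file
# context, decide whether Apache can read the path and which relabel command
# applies: restorecon where the default policy already labels the path
# (/var/www), chcon elsewhere (the post's /mnt/webapps case).
# Assumptions: targeted policy, where httpd content types match
# httpd_*content_t and /var/www(/.*)? defaults to httpd_sys_content_t.

# The third colon-separated field of a context is the type
# (unconfined_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Apache (httpd_t) may read files whose type is one of the httpd content types.
httpd_readable() {
    case "$(selinux_type "$1")" in
        httpd_*content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "ok" or the relabel command for a path carrying the given context.
suggest_fix() {
    dir=$1
    ctx=$2
    if httpd_readable "$ctx"; then
        echo "ok: $dir is $(selinux_type "$ctx")"
        return 0
    fi
    case "$dir" in
        # Under /var/www the default rules already say httpd_sys_content_t,
        # so restoring the default label is the right fix.
        /var/www/*) echo "restorecon -Rv $dir" ;;
        # Anywhere else the default label is wrong for Apache (mnt_t here),
        # so set the type explicitly, as the post does.
        *) echo "chcon -R -t httpd_sys_content_t $dir" ;;
    esac
}

# Live variant for an SELinux host: GNU stat's %C prints the file context.
check_path() {
    ctx=$(stat -c %C "$1") || return 1
    suggest_fix "$1" "$ctx"
}

# Constructed sample contexts mirroring the post's two ls -Z lines.
suggest_fix /var/www/html            'unconfined_u:object_r:httpd_sys_content_t:s0'
suggest_fix /mnt/webapps/subversion  'unconfined_u:object_r:mnt_t:s0'
# A file copied into $HOME and then mv'd keeps user_home_t in /var/www/html.
suggest_fix /var/www/html/hosts      'unconfined_u:object_r:user_home_t:s0'
```

One caveat worth keeping in mind with the chcon branch: chcon only changes the label on the inode, so a later restorecon or a full relabel puts the directory back to mnt_t. To make the label stick, record it in the policy first with semanage fcontext -a -t httpd_sys_content_t "/mnt/webapps/subversion(/.*)?" and then run restorecon -Rv /mnt/webapps/subversion.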
