[CentOS] After reboot of web-server accessing website shows "Forbidden", restarting httpd all is fine

Mon Nov 9 14:33:16 UTC 2015
Jonathan Billings <billings at negate.org>

On Mon, Nov 09, 2015 at 06:08:11AM -0800, Mark Milhollan wrote:
> It allows (even forces) a "dirty" environment to be provided to the 
> service (which is seldom wanted or expected), does not ensure that the 
> current tty cannot be the controlling tty for the service (which 
> sometimes matters) and leaves the CWD unchanged instead of ensuring / is 
> used (which sometimes matters).

A quick viewing of /sbin/service on C6 makes me think you might be
mistaken here.  There's clearly a 'cd /' and an 'env -i' there.  It
does preserve $PATH though (also $TERM), which I view as a dirty
environment.  

> No revision of the service command took 
> place to cope with context when SELinux appeared and so the service 
> inherits the current context, usually unconfined (which is wildly 
> wrong).  Sometimes doing it this way is useful, but not often and when 
> it is one can invoke the service's init script directly.

I'm pretty sure that what happens is that service runs the service
scripts in /etc/rc.d/init.d/, which all have labels on them that
indicate what entrypoint type they run under, which is by default
'initrc_exec_t' but I see several have their own special label, such
as sshd having sshd_initrc_exec_t.  If 'service' were just sourcing
the init.d files instead of executing them, it would be different, but
it does execute them, and the init scripts have an entrypoint
type to transition to the appropriate initrc domain.

-- 
Jonathan Billings <billings at negate.org>
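
The environment and working-directory point from the reply above, as an added example that is not part of the original post and is not the text of /sbin/service. The helper names and the DEMO_DIRTY variable are constructed for illustration; the SELinux domain transition is not covered here.

```shell
#!/bin/sh
# Sketch of the two steps the post names in /sbin/service: 'cd /' and
# 'env -i', with PATH and TERM carried over. Hypothetical helper, not the
# distribution's script.
run_like_service() {
    (
        cd / || exit 1
        env -i PATH="$PATH" TERM="$TERM" "$@"
    )
}

# Running an init script by hand: the caller's whole environment and
# current working directory are inherited unchanged.
run_directly() {
    ( "$@" )
}

# child_view MODE
# Prints the working directory and the names of the environment variables
# that a process started through MODE actually sees.
child_view() {
    "$1" sh -c 'echo "cwd=$(pwd)"; env | cut -d= -f1 | sort | sed "s/^/var=/"'
}

# Demonstration with a constructed "dirty" variable set in the caller.
(
    cd /tmp || exit 0
    DEMO_DIRTY=1; export DEMO_DIRTY
    echo "== service-style wrapper"; child_view run_like_service
    echo "== init script run directly"; child_view run_directly
)
```

Under the wrapper, DEMO_DIRTY is gone and the CWD is /, while PATH still comes from the caller, so a PATH altered in the admin's shell reaches the daemon either way.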