This section provides an approach for setting permissions for your BookStack instance, which allows updating by the login user while providing the web-server with the required permissions.
-The below makes the following assumptions, **you will need to change these parts** of the command to make it work for you:
+The below makes the following assumptions, **you will need to change these parts** of the commands to make it work for you:
- Your normal login user (That you may run updates with) is called `barry`.
- Your BookStack install folder is located at `/var/www/bookstack`.
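Review bot: The reworded sentence on the `+` line now pairs the plural "commands" with "to make it work for you", so the number no longer agrees. Suggest "**you will need to change these parts** of the commands to make them work for you", and the same wording where the sentence is repeated in the SELinux section.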
# Set the bookstack folders and files to be owned by the user barry and have the group www-data
sudo chown -R barry:www-data /var/www/bookstack
-# Set all bookstack files and folders to be readable, writeable & executable by the user (barry) and
+# Set all bookstack files and folders to be readable, writable & executable by the user (barry) and
# readable & executable by the group and everyone else
sudo chmod -R 755 /var/www/bookstack
sudo chmod 640 /var/www/bookstack/.env
```
-When using SELinux, you may still encounter access denied errors: you may additionally need to add a type label to your install files.
+### SELinux
-The following assumes your webserver uses the `httpd_sys_content_t` for readonly files and `httpd_sys_rw_content_t` for read-write files.
+SELinux, commonly found on RHEL-based systems, can be a factor for filesystem access in some cases.
+You can often check if SELinux is blocking file access by watching the relevant log while reproducing an action in BookStack
+which causes an error to occur, via something like the following (Ctrl+C to stop watching):
+
+```bash
+sudo tail -f /var/log/audit/audit.log
+```
+
+Alternatively you could temporarily disable SELinux to check if any issues are resolved with SELinux inactive.
+If SELinux appears to be the problem, you may additionally need to add a type label to your install files.
+The below commands show an example of applying SElinux labels on a BookStack installation.
+
+The below makes the following assumptions, **you will need to change these parts** of the commands to make it work for you:
+
+- Your BookStack install folder is located at `/var/www/bookstack`.
+- Your web-server uses the `httpd_sys_content_t` for readonly files and `httpd_sys_rw_content_t` for read-write files.
+
+Lines starting with `#` are comments.
```bash
# Set the httpd_sys_content_t type on all bookstack files
semanage fcontext -a -t httpd_sys_content_t '/var/www/bookstack(/.*)?'
-# Also set the httpd_sys_rw_content_t type on all directories that will need need read-write access
+# Set the httpd_sys_rw_content_t type on all directories that will need need read-write access
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/bookstack/storage(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/bookstack/bootstrap/cache(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/bookstack/public/uploads(/.*)?'
# Apply the changes
restorecon -R /var/www/bookstack
```
-
-
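Review bot: The added sentence "Alternatively you could temporarily disable SELinux to check if any issues are resolved" names no command and no step for turning enforcement back on, so a reader may leave SELinux off after testing. Suggest pointing at permissive mode instead (`sudo setenforce 0`, then `sudo setenforce 1` once the check is done), which still writes denials to the audit log. In the same region, the new comment line still reads "need need read-write access", "SElinux" in "applying SElinux labels" is capitalised differently from the rest of the section, and the `semanage` and `restorecon` lines have no `sudo` while the added `tail` command does.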