Httpd does not work after system update

Hi, I updated the system from 39 to 41.
Now when I start httpd.service I get:

httpd: Could not open configuration file /etc/httpd/conf/httpd.conf: Permission denied

My httpd.conf is

-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0     12005 01-24 01:00 httpd.conf

Journal -xe:

AVC avc:  denied  { create } for  pid=13260 comm="httpd" scontext=system_u:system_r:publicfile_t>
kwi 09 22:25:34 localhost.localdomain audit[13260]: AVC avc:  denied  { create } for  pid=13260 comm="httpd" scontext=system_u:system_r:publicfile_t>
kwi 09 22:25:34 localhost.localdomain audit[13260]: AVC avc:  denied  { create } for  pid=13260 comm="httpd" scontext=system_u:system_r:publicfile_t>
kwi 09 22:25:34 localhost.localdomain audit[13260]: AVC avc:  denied  { search } for  pid=13260 comm="httpd" name="httpd" dev="sda5" ino=7471117 sco>
kwi 09 22:25:34 localhost.localdomain httpd[13260]: httpd: Could not open configuration file /etc/httpd/conf/httpd.conf: Permission denied

What can I do?

HTTPD is normally started from systemd which runs as init_t.

$ ps -p 1 -Z
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:40 systemd

Maybe chcon -t bin_t <whatever-it-is-you-are-using-to-start-httpd>?

Edit: The httpd process itself should be running as httpd_t.

$ ps -Z -C httpd | grep -m 1 '_t'
system_u:system_r:httpd_t:s0       2447 ?        00:03:45 httpd

But in order for the process to achieve that end result, there must be a “transition” rule in SELinux for whatever context started httpd. init_t → httpd_t is allowed. publicfile_t → httpd_t apparently isn’t.

1 Like
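As an added example (not part of the original posts, and not code from Fedora or the httpd package): a small Python check that parses AVC denial records and flags those where comm="httpd" runs in a domain other than httpd_t, which is the symptom described in the post above. The sample records are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample records; the journal lines quoted in the thread are truncated.
SAMPLE_LOG = """\
type=AVC msg=audit(1.1:1): avc:  denied  { search } for  pid=13260 comm="httpd" name="httpd" dev="sda5" ino=7471117 scontext=system_u:system_r:publicfile_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1.2:2): avc:  denied  { name_connect } for  pid=2447 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1.3:3): avc:  denied  { read } for  pid=900 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
httpd: Could not open configuration file /etc/httpd/conf/httpd.conf: Permission denied
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def domain_of(context):
    """Extract the type field from a user:role:type:level context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def wrong_domain_denials(log_text, comm='httpd', expected='httpd_t'):
    """List (domain, perms, tclass) for denials where `comm` is not in `expected`."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        # Skip non-AVC lines, other commands, and records cut off before scontext.
        if not rec or rec.get('comm') != comm or 'scontext' not in rec:
            continue
        dom = domain_of(rec['scontext'])
        if dom != expected:
            findings.append((dom, rec['perms'], rec.get('tclass')))
    return findings


if __name__ == '__main__':
    for dom, perms, tclass in wrong_domain_denials(SAMPLE_LOG):
        print(f"httpd ran as {dom}, not httpd_t: denied {perms} on {tclass}")
```

A denial with a source domain of httpd_t is an ordinary policy question; a denial from any other domain means the transition into httpd_t never happened, so the label on the executable or its launcher is the thing to inspect. Feed the check complete records, since lines cut off at `>` as in the journal view above lose the context fields.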

The files are usually world readable.

ls -l /etc/httpd/conf
total 28
-rw-r--r--. 1 root root 12005 Jan 24 00:00 httpd.conf
-rw-r--r--. 1 root root 13430 Jan 24 00:00 magic

If SELinux is blocking the process, wouldn’t the problem be a SELinux permission somewhere?

1 Like

Gregory is correct, the problem here is the source context of your httpd executable. Are you not using the regular Fedora packaged httpd? If not, how did you deploy your copy?

Yeah, this generally shouldn’t happen with the Fedora packaged httpd unless someone does some manual relabelling for some reason. I haven’t seen this on my Fedora 41 httpd boxes.

@vgaetera’s suggestion of restorecon should fix this particular error. Not a bad idea to also run it against the docroot if you still have issues.

OK, when I set:

chcon -t bin_t httpd

httpd starts OK.
Is this a good solution?

I have the regular Fedora packaged httpd.

It is potentially a solution. It probably isn’t the best solution because your web services are no longer running as httpd_t. There are now fewer protections against intrusion into your system via the HTTP ports.

Edit: Is there a reason you are not starting HTTPD from the systemd service manager (i.e. systemctl start httpd.service)?

1 Like