Redhat – View, compare, and copy SELinux configurations between machines

Tags: httpd, jboss, redhat, selinux

I have two machines running the same JBoss and HTTPD setup. They started from the exact same install of RedHat 7 and the same process was followed to install everything on both machines.

On one machine, everything works perfectly fine with SELinux running with the default settings. I never touched SELinux on it.

On the other machine, when I try to access it in a web browser, I get 403 forbidden error messages. When I searched around online for why, I found a suggestion that I should disable SELinux on it and see if it works then. So I ran setenforce 0, restarted jboss and httpd, refreshed my browser, and the forbidden message went away, everything worked again. I flip SELinux back on with setenforce 1, restart the applications, refresh the browser, and the forbidden message is back.

So on my second machine, there definitely seems to somehow be something wrong with SELinux. It's weird, because I didn't touch SELinux on either machine until I tried turning it off on the second. I've verified that on the first machine, when I run getenforce, it does return Enforcing.

My question is – how can I view the SELinux configurations on each machine? How can I compare them, to find out where the differences are between them, and edit or copy them so that I can run SELinux on the second machine without interfering with my apps, just like on my first machine?

Edit – I ran this command to search the audit logs:

cat /var/log/audit/audit.log | grep httpd | grep denied

The first line is repeated several times. The last two lines only showed up once at the very end.

type=AVC msg=audit(1468877854.297:22110): avc:  denied  { getattr } for  pid=5193 comm="httpd" path="/var/www/html/sfo/index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1468877854.297:22111): avc:  denied  { read } for  pid=5193 comm="httpd" name="index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1468877854.297:22111): avc:  denied  { open } for  pid=5193 comm="httpd" path="/var/www/html/sfo/index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

I don't see any similar messages on the machine where SELinux is running without improperly blocking the page. Both machines have the same permission flags set for /var, /var/www, /var/www/html, /var/www/html/sfo, and /var/www/html/sfo/index.htm.

All the directories have drwxr-xr-x, the index.htm file has -rw-r--r--. All are owned by user root and group root. md5sum says /etc/sudoers are identical. Nothing is in /etc/sudoers.d on either machine.

Both machines have the same output for getsebool -a | grep httpd:

httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

Best Answer

With SELinux the filesystem has extra "permissions" above and beyond the regular UNIX ones. If you were to run ls -Z ... (-Z is an SELinux extension to ls(1)) on files under /var/www/html across both machines I suspect you will see the following:

On server A:

drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www/html/

On server B:

drwxr-xr-x root root system_u:object_r:var_t /var/www/html/

etc.

On server A this is labelled correctly for Apache to read that directory with SELinux active. On server B the directory isn't labelled correctly for Apache to read it while SELinux is active.

In order to fix it, try first running restorecon -Rvn /var/www/ which will show you how the filesystem would be changed to match the currently-running SELinux policy. If that looks sane, remove the -n flag and re-run.

There's also a helpful httpd_selinux(8) manpage that documents SELinux with regards to Apache.
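As an added example (not part of the question or the answer): a small sh/awk summariser for AVC denials like the ones quoted in the question. It reduces each denied object to one line showing the process type, the target type and the set of denied permissions, which makes the var_t versus httpd_sys_content_t mismatch described in the answer stand out immediately; the function name and output format are my own choice, and the sample input is the question's own three audit lines.

```shell
#!/bin/sh
# Summarise SELinux AVC denials as "process type -> target type (class) object denied: perms".
# Pure sh + awk, no SELinux tooling needed, so it also works on a copied audit.log.
# Usage: avc_summary < /var/log/audit/audit.log

avc_summary() {
    awk '
    /avc: +denied/ {
        src = tgt = cls = dev = ino = obj = p = ""
        # the denied permissions sit between "{" and "}"
        if (match($0, /\{[^}]*\}/)) p = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
            if (k == "scontext")      { split(v, a, ":"); src = a[3] }   # keep the type only
            else if (k == "tcontext") { split(v, a, ":"); tgt = a[3] }
            else if (k == "tclass")   cls = v
            else if (k == "dev")      dev = v
            else if (k == "ino")      ino = v
            else if (k == "path")     obj = v
            else if (k == "name" && obj == "") obj = v
        }
        # group by device+inode so the "name=" and "path=" records for one file land together
        key = src SUBSEP tgt SUBSEP cls SUBSEP dev SUBSEP ino
        if (!(key in perms)) { order[++nkeys] = key; perms[key] = "" }
        if (obj != "" && (name[key] == "" || obj ~ /^\//)) name[key] = obj   # prefer a full path
        np = split(p, pl, " ")
        for (j = 1; j <= np; j++)
            if (!((key, pl[j]) in seen)) { seen[key, pl[j]] = 1; perms[key] = perms[key] " " pl[j] }
    }
    END {
        for (i = 1; i <= nkeys; i++) {
            k = order[i]; split(k, f, SUBSEP)
            printf "%s -> %s (%s) %s denied:%s\n", f[1], f[2], f[3], name[k], perms[k]
        }
    }'
}

# Constructed sample: the three denials quoted in the question above.
AVC_SAMPLE='type=AVC msg=audit(1468877854.297:22110): avc:  denied  { getattr } for  pid=5193 comm="httpd" path="/var/www/html/sfo/index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1468877854.297:22111): avc:  denied  { read } for  pid=5193 comm="httpd" name="index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1468877854.297:22111): avc:  denied  { open } for  pid=5193 comm="httpd" path="/var/www/html/sfo/index.htm" dev="dm-0" ino=70334613 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file'

# Stand-alone run; on the affected host, matchpathcon/restorecon on the listed path is the next step.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

The single output line for the sample shows httpd_t being refused getattr, read and open on a file labelled var_t, which is exactly the label mismatch restorecon -Rvn /var/www/ would list.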