This wiki https://wiki.centos.org/HowTos/SELinux is a good intro to SELinux. This gives just about enough info to troubleshoot apache/drupal/selinux.
A fuller understanding can be gained here: http://fedoraproject.org/wiki/SELinux/Understanding. This starts with the basics - recommended!
The selinux policy for apache is documented here: https://fedoraproject.org/wiki/SELinux/apache.
Apache runs under the httpd_t type domain. Files apache requires access to need to be in this domain too.
To give the files the correct type (ie, re-label the files), I ran:
#chcon -R -t httpd_sys_content_t /var/www/vhosts/example.net.nz/drupal-8.x/web/
#chcon -R -t httpd_sys_content_rw_t /var/www/vhosts/example.net.nz/drupal-8.x/web/sites/example.net.nz/files
#chcon -R -t httpd_sys_content_t /var/www/vhosts/example.net.nz/private
#chcon -R -t httpd_sys_content_t /var/www/vhosts/example.net.nz/drupal-8.x/web/sites/example.net.nz/files/.htaccess
#chcon -R -t httpd_sys_content_t /var/www/vhosts/example.net.nz/drupal-8.x/vendor
This may be more permissive than ultimately desirable, but it seems better than setting SELinux to permissive.
This needs doing for all virtual hosts. A script will assist.
A policy also needs setting for these. The tool which I have dabbled with is system-config-selinux, which seems to be installed via dnf install policycoreutils-gui .