do I need SELinux?
Chris Hewitt
fedlist at manordata.uklinux.net
Sat Nov 13 13:12:30 UTC 2004
On Sat, 2004-11-13 at 03:48, john bray wrote:
> On Fri, 2004-11-12 at 10:01 -0500, Daniel J Walsh plumb said:
> > Steven Stern wrote:
> >
> > >On Fri, 12 Nov 2004 09:37:21 -0500, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > >
> > >
> > >
> > >>So I would hope that people will work with it and not just turn it off
> > >>as soon as they have a problem
> > >>with the system.
> > >>
> > >>
> > >
> > >I haven't had any problems and assume it's working fine on my system. But how
> > >do I know? Will something show up in logwatch if there's something to worry
> > >about? What syslog message prefix indicates a SELINUX targeted policy
> > >message?
> > >
> > >(Yes, this is probably in the FAQ, so if you can point me to the right one,
> > >I'll go off quietly and read it.)
> > >
> > >
> > You might see some change in behavior of applications and usually AVC
> > messages in /var/log/messages.
> >
> > For the most part you probably will see nothing.
> >
> > sestatus shows you whether it is running or not.
> >
> >
> >
>
> ok. i got interested in checking this out. so:
>
> [root@junior ntp]# grep AVC /var/log/message*
> [root@junior ntp]# sestatus
> SELinux status: disabled
> [root@junior ntp]#
>
>
> i thought that FC3 was defaulting to targeted? this is an upgrade from
> FC2 system, BTW.
>
> what do i have to do now, to get it turned on?
John,
An earlier poster said it is off by default on upgrades. GUI method:
System Settings -> Security Level, SELinux tab, check Enabled and
Enforcing, Policy should be Targeted. Command line method: edit
/etc/selinux/config. Reboot (it's kernel stuff so reboot unfortunately
needed).
I've got a fresh FC3 installation (not upgrade) and have a PHP
application using either PostgreSQL or MySQL. As SELinux documentation
indicates it should allow http/PHP to access MySQL I was not surprised
that my application did not work with PostgreSQL, but it did not work
with MySQL either. If I turn off SELinux then it is fine with either
database.
I agree SELinux is a good idea (particularly for servers), but I have
not yet found good documentation on the details of setting it up (with
PostgreSQL in particular), maybe I simply need to look harder. Another
previous poster hoped that we would work with SELinux to help it along,
and I agree with this, but present time constraints make it so much
easier for me to simply work with SELinux disabled.
Regards
Chris
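
An added example, not part of the original message: a shell script for the two checks discussed in this thread, reading the mode and policy from `/etc/selinux/config` text and counting AVC denials per executable in syslog text. The function names and both samples are constructed for illustration.

```bash
#!/bin/bash
# Constructed sample of /etc/selinux/config (not copied from a real host).
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=disabled
# SELINUXTYPE= type of policy in use.
SELINUXTYPE=targeted'

# Constructed /var/log/messages lines in the style of kernel AVC denials.
SAMPLE_LOG='Nov 13 13:01:02 junior kernel: audit(1100350862.101:0): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/httpd name=app.conf scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Nov 13 13:01:05 junior kernel: audit(1100350865.440:0): avc:  denied  { connectto } for  pid=2101 exe=/usr/sbin/httpd scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=unix_stream_socket
Nov 13 13:02:11 junior ntpd[1890]: synchronized to LOCAL(0), stratum 10
Nov 13 13:04:40 junior kernel: audit(1100351080.007:0): avc:  denied  { getattr } for  pid=1890 exe=/usr/sbin/ntpd scontext=root:system_r:ntpd_t tcontext=root:object_r:tmp_t tclass=file'

# Print the value of KEY ($1) from config text on stdin.
# Commented lines are skipped; if the key repeats, the last one wins.
config_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" | tail -n 1
}

# Compare config text on stdin with the settings named in the message above
# (enforcing mode, targeted policy). Prints one line per mismatch and
# returns non-zero if there is any.
check_config() {
    local cfg mode type rc
    rc=0
    cfg=$(cat)
    mode=$(printf '%s\n' "$cfg" | config_value SELINUX)
    type=$(printf '%s\n' "$cfg" | config_value SELINUXTYPE)
    [ "$mode" = enforcing ] || { echo "SELINUX=${mode:-unset} (want enforcing)"; rc=1; }
    [ "$type" = targeted ] || { echo "SELINUXTYPE=${type:-unset} (want targeted)"; rc=1; }
    return $rc
}

# Count denials per executable from log text on stdin, as "path=count".
# The kernel writes the marker in lower case ("avc:  denied"), so the
# match is case-insensitive; a case-sensitive search for "AVC" misses it.
denials_by_exe() {
    grep -i 'avc:[[:space:]]*denied' \
        | sed -n 's/.* exe=\([^[:space:]]*\).*/\1/p' \
        | sort | uniq -c | awk '{print $2 "=" $1}'
}

# Run both checks on the constructed samples.
printf '%s\n' "$SAMPLE_CONFIG" | check_config \
    || echo "-> edit /etc/selinux/config, then reboot"
printf '%s\n' "$SAMPLE_LOG" | denials_by_exe
```

On a real system, feed the functions `/etc/selinux/config` and `/var/log/messages*` on stdin in place of the samples.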