SELinux, F8, and httpd

Daniel J Walsh dwalsh at
Thu Feb 28 03:44:23 UTC 2008


Nathan Grennan wrote:
>  How do I disable SELinux completely for httpd? In F7 from what I have
> read it was "setsebool -P httpd_disable_trans 1". I get the errors below
> when I try that. I looked in the policy files and couldn't find any
> reference of it. I looked in system-config-selinux, and only found
> options to tweak small aspects of SELinux for httpd, but not completely
> disable it. I also notice there doesn't seem to be options to disable
> selinux for any service. Not having a per service disable option means
> your only recourse in some situations is simply to put SELinux in
> permissive mode.
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change boolean httpd_disable_trans
> Could not change policy booleans
>  I want to disable httpd, because I don't want to have to run restorecon
> ~/public_html/dir if I move a directory from ~/ to ~/public_html. I find
> the whole idea of restorecon funny. It isn't like chown or chmod where
> you give it options telling it what to change it to. It is just supposed
> to fall back on policy. So why not just have the system automatically
> set the default policy on the move? You can say, but there is chcon, but
> even if you use it to hand set something, if restorecon or a relabel on
> boot is used in the future it is likely going to wipe any changes made
> with chcon.
chcon is just like chown or chmod, and actually changing a file context to
httpd_sys_content_t will survive a relabel, which you really should not
need to do.  If you cp the contents of the directory they should adopt
the context of the destination directory. Also you could use restorecond
to watch for the creation of files in the directory.

*_disable_trans was removed because it caused as many problems as it
solved.  When you disable trans on one domain, you can cause other
domains to blow up because file context gets screwed up.

If you really want to disable trans you could change the context of
httpd to bin_t.   chcon -t bin_t /usr/sbin/httpd, but this will not
survive a relabel.  We are hoping to add permissive domains pretty soon,
where you define httpd as a permissive domain, and it would only report
access problems and not enforce them.
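The practical problem in this thread is that mv keeps a file's old label (user_home_t) while cp lets it inherit the destination's, so httpd gets denied on anything moved into ~/public_html until restorecon runs. The script below is an added example, not part of either mail and not a Fedora tool: it audits the context-then-name form of `ls -Z` output for entries whose type httpd cannot read and prints the restorecon command for each. The listing is constructed, and the list of acceptable types is an assumption about the targeted policy of that era; check your own policy with seinfo or sesearch.

```shell
#!/bin/sh
# Added example: audit `ls -Z` output of a public_html directory for entries
# whose SELinux type httpd cannot read, and emit the restorecon fix for each.
# Nothing here executes SELinux tools, so it runs on a box without SELinux.

# Assumption: content types httpd_t may read under the targeted policy.
HTTPD_OK_TYPES='httpd_sys_content_t httpd_user_content_t httpd_sys_rw_content_t'

# Constructed sample of `ls -Z ~/public_html` (context then name) after
# moved_dir and notes.txt were mv'ed in from ~/ and kept their home label.
SAMPLE_LISTING='unconfined_u:object_r:httpd_user_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 moved_dir
unconfined_u:object_r:httpd_user_content_t:s0 style.css
unconfined_u:object_r:user_home_t:s0 notes.txt'

# find_mislabeled LISTING -> prints "name type" for each entry whose type
# (third field of user:role:type:level) is not in HTTPD_OK_TYPES.
find_mislabeled() {
    printf '%s\n' "$1" | while read -r ctx name; do
        [ -z "$ctx" ] && continue
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        ok=0
        for t in $HTTPD_OK_TYPES; do
            [ "$t" = "$type" ] && ok=1
        done
        [ "$ok" -eq 0 ] && printf '%s %s\n' "$name" "$type"
    done
}

# count_mislabeled LISTING -> number of flagged entries
count_mislabeled() {
    find_mislabeled "$1" | wc -l | tr -d ' '
}

# fix_commands LISTING DIR -> the restorecon commands that would reset the
# flagged entries to the policy default (printed, not run).
fix_commands() {
    find_mislabeled "$1" | while read -r name _; do
        printf 'restorecon -Rv %s/%s\n' "$2" "$name"
    done
}

# Usage against the constructed sample:
find_mislabeled "$SAMPLE_LISTING"
fix_commands "$SAMPLE_LISTING" /home/ng/public_html
```

On a real host replace SAMPLE_LISTING with `ls -Z ~/public_html` and run the printed commands, or set up restorecond on the directory as suggested above so new files are relabeled as they appear.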



More information about the fedora-list mailing list