How do I tell if SELinux is working?

Peter Magnusson iocc at fedora-selinux.lists.flashdance.cx
Tue Jul 5 02:58:01 UTC 2005


On Wed, 22 Jun 2005, Colin Walters wrote:

> On Wed, 2005-06-22 at 18:45 -0400, Jon August wrote:
>> httpd is running with type:
>>
>> root:system_r:unconfined_t
>>
>> What does this mean?  Is httpd a vulnerability on this machine?
>
> This means that httpd is not confined by the SELinux policy.  This means
> you have less protection against a compromise or misconfiguration of
> httpd or CGI scripts.
>
> Since the default is for it to be enabled, someone (possibly you)
> disabled SELinux protection for httpd; you can reenable it by using
> system-config-securitylevel (or
> "setsebool -P httpd_disable_trans=false").

Strange, on one computer httpd runs with:

root:system_r:httpd_t           11845 ?        Ss     0:00 /usr/sbin/httpd

but if I do setsebool -P httpd_disable_trans 0 on another computer I get

[root at flashdance ny]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: /usr/sbin/httpd: error while loading shared libraries: 
libpcre.so.0: cannot open shared object file: Permission denied
                                                            [FAILED]
On both computers the selinux perms are:

[iocc at flashdance texts]$ ll -Z /lib/libpcre.so.0*
lrwxrwxrwx  root     system_u:object_r:lib_t          /lib/libpcre.so.0 -> libpcre.so.0.0.1
-rwxr-xr-x  root     system_u:object_r:shlib_t        /lib/libpcre.so.0.0.1

I'm not sure that I get that :)

Just to get it working I did this on the other computer:

[root at flashdance ny]# setsebool -P httpd_disable_trans 1
[root at flashdance ny]# /etc/init.d/httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]

Why doesn't httpd_disable_trans 0 work with apache on one computer?
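An added check (example code, not part of this thread or of any Fedora tool) showing how to read the process and file contexts discussed above from `ps -eZ` and `ls -Z` output rather than by eye. The sample lines are constructed to mimic the column layout quoted in the thread (context, pid, tty, stat, time, command for ps; perms, owner, context, path for ls); if your ls prints columns in a different order, adjust the field numbers in the awk calls.

```shell
#!/bin/sh
# Added example, not from the thread: report which processes run in the
# unconfined_t domain and what type a shared library carries, by parsing
# SELinux contexts. SAMPLE_PS and SAMPLE_LS below are CONSTRUCTED; on a live
# host feed in real output, e.g. count_unconfined "$(ps -eZ | grep httpd)".

# Constructed `ps -eZ`-style lines: context pid tty stat time command.
SAMPLE_PS='root:system_r:httpd_t           11845 ?        Ss     0:00 /usr/sbin/httpd
root:system_r:unconfined_t      11902 ?        Ss     0:00 /usr/sbin/httpd
system_u:system_r:syslogd_t      1011 ?        Ss     0:00 syslogd'

# Constructed `ls -Z`-style lines in the layout quoted in the thread.
SAMPLE_LS='lrwxrwxrwx  root     system_u:object_r:lib_t          /lib/libpcre.so.0 -> libpcre.so.0.0.1
-rwxr-xr-x  root     system_u:object_r:shlib_t        /lib/libpcre.so.0.0.1'

# Print the type component of a user:role:type[:level] context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "confined" or "unconfined" for one ps -eZ line. A process whose
# domain is unconfined_t is not restricted by any targeted-policy domain,
# which is exactly the situation Colin described for httpd.
classify_ps_line() {
    _ctx=$(printf '%s\n' "$1" | awk '{ print $1 }')
    if [ "$(context_type "$_ctx")" = "unconfined_t" ]; then
        echo unconfined
    else
        echo confined
    fi
}

# Print the number of unconfined processes in the ps -eZ output passed as $1.
count_unconfined() {
    printf '%s\n' "$1" |
        awk '{ split($1, c, ":"); if (c[3] == "unconfined_t") n++ } END { print n + 0 }'
}

# Print the SELinux type of path $2 as recorded in the ls -Z listing $1.
# The context is the third column and the path the fourth in this layout.
file_type_of() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { split($3, c, ":"); print c[3] }'
}

# Print every path in the listing whose type is neither lib_t nor shlib_t,
# the two library types seen in the thread; prints nothing when all match.
odd_library_labels() {
    printf '%s\n' "$1" | awk '{
        split($3, c, ":")
        if (c[3] != "lib_t" && c[3] != "shlib_t") print $4
    }'
}

# Stand-alone run over the constructed samples.
echo "unconfined processes: $(count_unconfined "$SAMPLE_PS")"
echo "type of /lib/libpcre.so.0.0.1: $(file_type_of "$SAMPLE_LS" /lib/libpcre.so.0.0.1)"
echo "libraries with unexpected labels: $(odd_library_labels "$SAMPLE_LS")"
```

On a real host the interesting call is `count_unconfined "$(ps -eZ | grep '[h]ttpd')"`: a non-zero result after `setsebool -P httpd_disable_trans 0` and a restart means the transition to httpd_t still did not happen, and `odd_library_labels "$(ls -Z /lib/libpcre*)"` narrows down whether a file label, rather than the boolean, is what the AVC denial in the log is pointing at.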