How do I tell if SELinux is working?
Peter Magnusson
iocc at fedora-selinux.lists.flashdance.cx
Tue Jul 5 02:58:01 UTC 2005
On Wed, 22 Jun 2005, Colin Walters wrote:
> On Wed, 2005-06-22 at 18:45 -0400, Jon August wrote:
>> httpd is running with type:
>>
>> root:system_r:unconfined_t
>>
>> What does this mean? Is httpd a vulnerability on this machine?
>
> This means that httpd is not confined by the SELinux policy. This means
> you have less protection against a compromise or misconfiguration of
> httpd or CGI scripts.
>
> Since the default is for it to be enabled, someone (possibly you)
> disabled SELinux protection for httpd; you can reenable it by using
> system-config-securitylevel (or
> "setsebool -P httpd_disable_trans=false").
Strange, on one computer httpd runs with:
root:system_r:httpd_t 11845 ? Ss 0:00 /usr/sbin/httpd
but if I do setsebool -P httpd_disable_trans 0 on another computer I get
[root at flashdance ny]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: /usr/sbin/httpd: error while loading shared libraries:
libpcre.so.0: cannot open shared object file: Permission denied
[FAILED]
On both computers the selinux perms are:
[iocc at flashdance texts]$ ll -Z /lib/libpcre.so.0*
lrwxrwxrwx root system_u:object_r:lib_t /lib/libpcre.so.0 ->
libpcre.so.0.0.1
-rwxr-xr-x root system_u:object_r:shlib_t /lib/libpcre.so.0.0.1
I'm not sure that I get that :)
Just to get it working I did this on the other computer:
[root at flashdance ny]# setsebool -P httpd_disable_trans 1
[root at flashdance ny]# /etc/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
Why doesn't httpd_disable_trans 0 work with apache on one computer?
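As an added example that is not part of the thread: the checks the thread does by hand (read the domain off a ps -Z line, look for httpd running outside httpd_t, and make sense of the "Permission denied" by reading the AVC denial the kernel logs) can be scripted. The ps -eZ lines and the AVC line below are constructed samples in the format Fedora logged at the time (/var/log/messages or /var/log/audit/audit.log); the label format assumed is user:role:type, with a trailing MLS field ignored if present. The function names are mine, not anything shipped with SELinux.

```shell
#!/bin/sh
# Added example: small checks for "is httpd actually confined?"
# Assumes labels of the form user:role:type (an MLS suffix is ignored).

# Constructed sample of "ps -eZ" output: one confined and one unconfined httpd.
PS_SAMPLE='root:system_r:httpd_t 11845 ? Ss 0:00 /usr/sbin/httpd
root:system_r:unconfined_t 11900 ? Ss 0:00 /usr/sbin/httpd'

# Constructed sample AVC denial in the kernel log format of the period
# (httpd_t refused read access to a shared library).
AVC_SAMPLE='Jun 22 18:50:01 flashdance kernel: audit(1119480601.123:45): avc:  denied  { read } for  pid=11845 comm="httpd" name="libpcre.so.0.0.1" dev=hda2 ino=12345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:shlib_t tclass=file'

# Print the SELinux type (third colon-separated field of the first column).
selinux_type_of() {
    printf '%s\n' "$1" | awk '{ split($1, a, ":"); print a[3] }'
}

# Classify one "ps -eZ" line for httpd: confined, unconfined, or other:<type>.
httpd_confinement() {
    t=$(selinux_type_of "$1")
    case "$t" in
        httpd_t)      echo confined ;;
        unconfined_t) echo unconfined ;;
        *)            echo "other:$t" ;;
    esac
}

# Count httpd processes in ps -eZ output that are not running as httpd_t.
# A non-zero count means the transition to httpd_t is disabled or broken.
unconfined_httpd_count() {
    printf '%s\n' "$1" | awk '$NF ~ /httpd$/ { split($1, a, ":"); if (a[3] != "httpd_t") n++ } END { print n+0 }'
}

# Reduce an AVC denial line to "comm permission scontext tcontext tclass",
# which is what you need to know before touching booleans or file contexts.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
      's/.*avc: *denied *{ *\([^ }]*\) *}.*comm="\([^"]*\)".*scontext=\([^ ]*\) *tcontext=\([^ ]*\) *tclass=\([^ ]*\).*/\2 \1 \3 \4 \5/p'
}

# Stand-alone demo on the constructed samples.
printf '%s\n' "$PS_SAMPLE" | while read -r line; do
    echo "$line -> $(httpd_confinement "$line")"
done
echo "httpd processes not in httpd_t: $(unconfined_httpd_count "$PS_SAMPLE")"
echo "denial: $(avc_summary "$AVC_SAMPLE")"
```

On a live system replace the samples with `ps -eZ` and the actual log lines; the summary line is the piece to compare against the `ls -Z` output of the file named in the denial, since a type mismatch between what the domain may read and what the file carries is the usual reason for a "Permission denied" that only appears once the transition to httpd_t is re-enabled.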