applying SELinux policy for httpd
Joe Orton
jorton at redhat.com
Thu Nov 3 13:33:30 UTC 2005
On Fri, Nov 04, 2005 at 12:11:50AM +1100, Russell Coker wrote:
> On Thursday 03 November 2005 21:15, Joe Orton <jorton at redhat.com> wrote:
> > I'd also like to mention again that the new FC4 policy of only applying
> > SELinux policy if httpd is started from the init script is confusing the
> > hell out of people. It breaks the principle of least astonishment. I'd
> > much rather live with the fact that SELinux policy is *always* applied,
> > and the fallout from that, than see this confusion of people hitting
> > SELinux policy issues, get confused, restart httpd, see them disappear,
> > etc.
>
> That would be a bug not a feature.
>
> I've tried to reproduce your problem but I can't. I installed a FC4 machine
> and updated it to selinux-policy-targeted-1.27.1-2.11 and
> kernel-2.6.13-1.1532_FC4. I tried both with and without httpd_disable_trans
> set, in both cases the same domain was used for the httpd regardless of
> whether it was started by system boot scripts or the administrator.

[root at jolt ~]# service httpd start
Starting httpd: [ OK ]
[root at jolt ~]# ps -Z -C httpd
LABEL PID TTY TIME CMD
root:system_r:httpd_t 4027 ? 00:00:00 httpd
root:system_r:httpd_t 4029 ? 00:00:00 httpd
...
[root at jolt ~]# service httpd stop
Stopping httpd: [ OK ]
[root at jolt ~]# httpd -k start
[root at jolt ~]# ps -Z -C httpd
LABEL PID TTY TIME CMD
root:system_r:unconfined_t 4059 ? 00:00:00 httpd
root:system_r:unconfined_t 4060 ? 00:00:00 httpd
root:system_r:unconfined_t 4061 ? 00:00:00 httpd
...
[root at jolt ~]# rpm -q httpd fedora-release selinux-policy-targeted
httpd-2.0.54-10.2
fedora-release-4-2
selinux-policy-targeted-1.27.1-2.11
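
A check for the mismatch shown in the session above, added here as an example and not part of the original message: it reads `ps -Z` output and reports every process whose domain differs from the expected one. The function names are illustrative, the sample lines are copied from the two listings above, and accepting a fourth (level) field in the context is an assumption for newer systems.

```shell
#!/bin/sh
# Added example (not from the original message).

# unexpected_domains EXPECTED_TYPE
# Reads `ps -Z` output on stdin and prints "PID TYPE" for each process whose
# SELinux type (third colon-separated field of LABEL) is not EXPECTED_TYPE.
unexpected_domains() {
    awk -v want="$1" '
        $1 == "LABEL" { next }        # column header
        NF < 5        { next }        # "..." and blank lines
        {
            n = split($1, ctx, ":")   # user:role:type[:level]
            if (n < 3) next           # not a security context
            if (ctx[3] != want) print $2, ctx[3]
        }'
}

# Sample input copied from the listing after "service httpd start".
sample_init='LABEL PID TTY TIME CMD
root:system_r:httpd_t 4027 ? 00:00:00 httpd
root:system_r:httpd_t 4029 ? 00:00:00 httpd
...'

# Sample input copied from the listing after "httpd -k start".
sample_direct='LABEL PID TTY TIME CMD
root:system_r:unconfined_t 4059 ? 00:00:00 httpd
root:system_r:unconfined_t 4060 ? 00:00:00 httpd
root:system_r:unconfined_t 4061 ? 00:00:00 httpd
...'

# Helper for the samples: feed a captured listing to the check.
check_sample() {
    printf '%s\n' "$1" | unexpected_domains httpd_t
}

echo "started by init script:"
check_sample "$sample_init"
echo "started with httpd -k start:"
check_sample "$sample_direct"

# On a live system:
#   ps -Z -C httpd | unexpected_domains httpd_t
```

An empty result means every listed process runs in the expected domain; any output line identifies a process the targeted policy is not confining.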