FC4 documentation for apache + selinux ?

Paul Howarth paul at city-fan.org
Thu Jan 5 15:17:10 UTC 2006


Timothy Murphy wrote:
> Paul Howarth wrote:
> 
> 
>>>I looked at "Understanding and Customizing the Apache HTTP SELinux
>>>Policy" at <http://fedora.redhat.com/docs/selinux-apache-fc3/index.html>,
>>>but the changes between FC3 and FC4 seemed to make much of this
>>>irrelevant.
>>>
>>>Is there a corresponding document for FC4?
>>
>>Most of the principles remain the same in FC4. I think the biggest
>>single thing that you need to remember is that FC4 uses the "targeted"
>>policy by default, whilst the examples in the document are for the
>>"strict" policy. Do the appropriate substitutions in examples and most
>>things will work.
> 
> 
> Some suggestions in this document did not work for me under FC4.
> (I did not run selinux under FC3.)
> 
> 1) "Your first step is to install the httpd package, and probably the
> httpd-suexec and httpd-manual packages."
> 
> There does not seem to be an httpd-suexec rpm for FC4.

The suexec program is contained within the main httpd package in FC4, so 
that's indeed a difference.

> 2) By default, SELinux enforcement for Apache HTTP is enabled. To verify
> this, run system-config-securitylevel, and view the SELinux tab. Click on
> the Transition tree, and ensure that Disable SELinux protection for httpd
> daemon is not checked.
> 
> What is the "Transition tree"?
> Does this mean the list of "Trusted services"?
> (If so, why not say that??)
> 
> In my case https and http have check-marks against them.
> But what exactly does "Trusted services" mean?
> Does it mean that selinux trusts these services,
> and so does not concern itself with them?
> Or does it mean the opposite,
> that selinux _is_ looking after them?
> 
> And what on earth does "Enforcing current Disabled" mean
> when I click the SELinux tab?

I can't answer these personally as I use the command-line tools rather 
than the GUI. Hopefully Dan will follow up on that.

> 3) "As a further check, use the command ps axZ | grep httpd.
> You should see it running in the root_u:system_r:httpd_t security context.
> The important part of that is the third component, the httpd_t type."
> 
> When I run this command, I do not get this response,
> or anything like it:
> -------------------------------
> [tim at alfred ~]$ ps axZ | grep httpd
> kernel                          13047 ?        Ss     0:00 /usr/sbin/httpd
> kernel                          24171 ?        S      0:00 /usr/sbin/httpd
> kernel                          24172 ?        S      0:00 /usr/sbin/httpd
> kernel                          24173 ?        S      0:00 /usr/sbin/httpd
> kernel                          24174 ?        S      0:00 /usr/sbin/httpd
> kernel                          24175 ?        S      0:00 /usr/sbin/httpd
> kernel                          13204 pts/3    S+     0:00 grep httpd
> -------------------------------

What's the output of:

# getsebool -a | grep httpd

Paul.
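The ps axZ check from point 3 can be scripted so that the "kernel" label in Tim's output is recognised as "no SELinux label at all" rather than merely "not httpd_t". This is an added example, not code from the thread or from the Fedora document; the sample ps output is constructed from the quoted session, and the "kernel" label is taken to mean that SELinux is not labelling processes (which is what getsebool/getenforce would confirm).

```shell
#!/bin/sh
# Added example (not from the original thread): classify the SELinux
# context column of "ps axZ" output for the httpd processes.

# Sample output, constructed from the session quoted in the thread. On an
# FC4 box with SELinux enabled under the targeted policy the first column
# of each httpd line would read root:system_r:httpd_t instead of "kernel".
SAMPLE_PS_OUTPUT='kernel                          13047 ?        Ss     0:00 /usr/sbin/httpd
kernel                          24171 ?        S      0:00 /usr/sbin/httpd
kernel                          24172 ?        S      0:00 /usr/sbin/httpd
kernel                          13204 pts/3    S+     0:00 grep httpd'

# Print the SELinux type (third colon-separated field of the first column)
# of one "ps axZ" line, or "-" when the line carries no user:role:type
# label at all (for example the bare "kernel" seen above).
ctx_type() {
    label=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$label" in
        *:*:*) printf '%s\n' "$label" | cut -d: -f3 ;;
        *)     printf '%s\n' "-" ;;
    esac
}

# Classify the httpd daemon processes in a block of "ps axZ" output.
# Prints exactly one of: httpd_t, unlabelled, other:<type>, none
classify_httpd() {
    line=$(printf '%s\n' "$1" | grep '/usr/sbin/httpd' | head -n 1)
    if [ -z "$line" ]; then
        echo none          # httpd is not running at all
        return 0
    fi
    t=$(ctx_type "$line")
    case "$t" in
        httpd_t) echo httpd_t ;;        # confined as the document expects
        -)       echo unlabelled ;;     # SELinux not labelling processes
        *)       echo "other:$t" ;;     # running, but in the wrong domain
    esac
}

# Stand-alone run over the constructed sample. On a real system replace
# the sample with: classify_httpd "$(ps axZ)"
verdict=$(classify_httpd "$SAMPLE_PS_OUTPUT")
echo "httpd context verdict: $verdict"
case "$verdict" in
    unlabelled) echo "hint: check 'getenforce' and 'getsebool -a | grep httpd'" ;;
esac
```

On the quoted output the verdict is "unlabelled", which is why the SELinux booleans and enforcement mode are the next thing to look at.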
