FC4 documentation for apache + selinux ?

Daniel J Walsh dwalsh at redhat.com
Fri Jan 6 15:00:20 UTC 2006


Paul Howarth wrote:
> Timothy Murphy wrote:
>> Paul Howarth wrote:
>>
>>
>>>> I looked at "Understanding and Customizing the Apache HTTP SELinux
>>>> Policy" at 
>>>> <http://fedora.redhat.com/docs/selinux-apache-fc3/index.html>,
>>>> but the changes between FC3 and FC4 seemed to make much of this
>>>> irrelevant.
>>>>
>>>> Is there a corresponding document for FC4?
>>>
>>> Most of the principles remain the same in FC4. I think the biggest
>>> single thing that you need to remember is that FC4 uses the "targeted"
>>> policy by default, whilst the examples in the document are for the
>>> "strict" policy. Do the appropriate substitutions in examples and most
>>> things will work.
>>
>>
>> Some suggestions in this document which did not work for me under FC4.
>> (I did not run selinux under FC3.)
>>
>> 1) "Your first step is to install the httpd package, and probably the
>> httpd-suexec and httpd-manual packages."
>>
>> There does not seem to be an httpd-suexec rpm for FC4.
>
> The suexec program is contained within the main httpd package in FC4, 
> so that's indeed a difference.
>
>> 2) By default, SELinux enforcement for Apache HTTP is enabled. To verify
>> this, run system-config-securitylevel, and view the SELinux tab. Click on
>> the Transition tree, and ensure that Disable SELinux protection for httpd
>> daemon is not checked.
>>
>> What is the "Transition tree"?
>> Does this mean the list of "Trusted services"?
>> (If so, why not say that??)
>>
>> In my case https and http have check-marks against them.
>> But what exactly does "Trusted services" mean?
>> Does it mean that selinux trusts these services,
>> and so does not concern itself with them?
>> Or does it mean the opposite,
>> that selinux _is_ looking after them?
>>
>> And what on earth does "Enforcing current Disabled" mean
>> when I click the SELinux tag?
>
> I can't answer these personally as I use the command-line tools rather 
> than the GUI. Hopefully Dan will follow up on that.
This indicates selinux is disabled on this machine.  If you want to turn
on SELinux, you need to install selinux-targeted-policy.
Make sure /etc/selinux/config has
SELINUX=enforcing (or permissive)
and
SELINUXTYPE=targeted
Also make sure you don't have selinux=0 in /etc/grub.conf.

touch /.autorelabel and reboot.


>
>> 3) "As a further check, use the command ps axZ | grep httpd.
>> You should see it running in the root_u:system_r:httpd_t security context.
>> The important part of that is the third component, the httpd_t type."
>>
>> When I run this command, I do not get this response,
>> or anything like it:
>> -------------------------------
>> [tim at alfred ~]$ ps axZ | grep httpd
>> kernel                          13047 ?        Ss     0:00 /usr/sbin/httpd
>> kernel                          24171 ?        S      0:00 /usr/sbin/httpd
>> kernel                          24172 ?        S      0:00 /usr/sbin/httpd
>> kernel                          24173 ?        S      0:00 /usr/sbin/httpd
>> kernel                          24174 ?        S      0:00 /usr/sbin/httpd
>> kernel                          24175 ?        S      0:00 /usr/sbin/httpd
>> kernel                          13204 pts/3    S+     0:00 grep httpd
>> -------------------------------
>
> What's the output of:
>
> # getsebool -a | grep httpd
>
> Paul.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
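The checks discussed in this thread (the /etc/selinux/config and grub.conf settings Dan lists, and the "kernel" context in Tim's ps axZ listing), turned into two shell functions. This is an added example, not code from the thread or from Fedora; the sample config, grub line and ps lines it runs on are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Turns the checks discussed above into
# two shell functions and runs them against constructed sample input.

# Report the SELinux state a box will boot into, from an /etc/selinux/config
# style file ($1) and a grub.conf style file ($2). Exit status 0 = SELinux on.
selinux_boot_state() {
    config="$1"; grub="$2"
    # selinux=0 on a kernel line overrides whatever the config file says
    if grep -Eq '^[[:space:]]*kernel[[:space:]].*[[:space:]]selinux=0([[:space:]]|$)' "$grub" 2>/dev/null; then
        echo "disabled (selinux=0 on kernel line in $grub)"; return 1
    fi
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$config" | tail -n 1 | tr 'A-Z' 'a-z')
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=\([A-Za-z]*\).*/\1/p' "$config" | tail -n 1)
    case "$mode" in
        enforcing|permissive) echo "$mode (${ptype:-no SELINUXTYPE set})"; return 0 ;;
        disabled|"")          echo "disabled (SELINUX=${mode:-unset} in $config)"; return 1 ;;
        *)                    echo "unknown mode '$mode' in $config"; return 2 ;;
    esac
}

# Read "ps axZ" output on stdin and check that every httpd runs in httpd_t.
# A context of plain "kernel" means the kernel is not labelling processes
# at all, i.e. SELinux is off, which is what Tim's listing shows.
httpd_domain_check() {
    awk '
        /\/usr\/sbin\/httpd/ {
            n++
            if ($1 == "kernel") off++
            else { split($1, c, ":"); if (c[3] == "httpd_t") ok++ }
        }
        END {
            if (n == 0)   { print "no httpd processes found"; exit 2 }
            if (off == n) { print "httpd context is \"kernel\": SELinux is disabled"; exit 1 }
            if (ok == n)  { print "all " n " httpd processes run in httpd_t"; exit 0 }
            print (n - ok) " of " n " httpd processes are not in httpd_t"; exit 1
        }'
}

# Demo on constructed files (the grub line below carries selinux=0 on purpose).
tmp=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp/config"
printf 'kernel /vmlinuz ro root=/dev/sda1 rhgb quiet selinux=0\n' > "$tmp/grub.conf"
selinux_boot_state "$tmp/config" "$tmp/grub.conf" || :
printf '%s\n' 'kernel  13047 ?  Ss  0:00 /usr/sbin/httpd' | httpd_domain_check || :
rm -rf "$tmp"
```

On a real box, `ps axZ | httpd_domain_check` and `selinux_boot_state /etc/selinux/config /etc/grub.conf` give the two answers Paul and Dan are asking Tim for.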
