FC4 documentation for apache + selinux ?
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 6 15:00:20 UTC 2006
Paul Howarth wrote:
> Timothy Murphy wrote:
>> Paul Howarth wrote:
>>
>>
>>>> I looked at "Understanding and Customizing the Apache HTTP SELinux
>>>> Policy" at
>>>> <http://fedora.redhat.com/docs/selinux-apache-fc3/index.html>,
>>>> but the changes between FC3 and FC4 seemed to make much of this
>>>> irrelevant.
>>>>
>>>> Is there a corresponding document for FC4?
>>>
>>> Most of the principles remain the same in FC4. I think the biggest
>>> single thing that you need to remember is that FC4 uses the "targeted"
>>> policy by default, whilst the examples in the document are for the
>>> "strict" policy. Do the appropriate substitutions in examples and most
>>> things will work.
>>
>>
>> Some suggestions in this document which did not work for me under FC4.
>> (I did not run selinux under FC3.)
>>
>> 1) "Your first step is to install the httpd package, and probably the
>> httpd-suexec and httpd-manual packages."
>>
>> There does not seem to be an httpd-suexec rpm for FC4.
>
> The suexec program is contained within the main httpd package in FC4,
> so that's indeed a difference.
>
>> 2) "By default, SELinux enforcement for Apache HTTP is enabled. To verify
>> this, run system-config-securitylevel, and view the SELinux tab. Click on
>> the Transition tree, and ensure that Disable SELinux protection for httpd
>> daemon is not checked."
>>
>> What is the "Transition tree"?
>> Does this mean the list of "Trusted services"?
>> (If so, why not say that??)
>>
>> In my case https and http have check-marks against them.
>> But what exactly does "Trusted services" mean?
>> Does it mean that selinux trusts these services,
>> and so does not concern itself with them?
>> Or does it mean the opposite,
>> that selinux _is_ looking after them?
>>
>> And what on earth does "Enforcing current Disabled" mean
>> when I click the SELinux tag?
>
> I can't answer these personally as I use the command-line tools rather
> than the GUI. Hopefully Dan will follow up on that.
This indicates SELinux is disabled on this machine. If you want to turn
on SELinux, you need to install selinux-targeted-policy.

Make sure /etc/selinux/config has

SELINUX=enforcing (or permissive)

and

SELINUXTYPE=targeted

Also make sure you don't have selinux=0 in /etc/grub.conf.

touch /.autorelabel and reboot.
>
>> 3) " As a further check, use the command ps axZ | grep httpd.
>> You should see it running in the root_u:system_r:httpd_t security
>> context.
>> The important part of that is the third component, the httpd_t type."
>>
>> When I run this command, I do not get this response,
>> or anything like it:
>> -------------------------------
>> [tim at alfred ~]$ ps axZ | grep httpd
>> kernel 13047 ? Ss 0:00 /usr/sbin/httpd
>> kernel 24171 ? S 0:00 /usr/sbin/httpd
>> kernel 24172 ? S 0:00 /usr/sbin/httpd
>> kernel 24173 ? S 0:00 /usr/sbin/httpd
>> kernel 24174 ? S 0:00 /usr/sbin/httpd
>> kernel 24175 ? S 0:00 /usr/sbin/httpd
>> kernel 13204 pts/3 S+ 0:00 grep httpd
>> -------------------------------
>
> What's the output of:
>
> # getsebool -a | grep httpd
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
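Added example (editor's note, not part of the original thread or of any Fedora tooling): the checks Dan and Paul describe, written as shell functions so they can be run against the live files and commands or against captured text such as the ps output pasted above. The functions read SELINUX and SELINUXTYPE from /etc/selinux/config, look for a stray selinux=0 on the kernel command line, and pull the type (third colon-separated field) out of the context column of `ps axZ`, where a disabled SELinux shows the literal word "kernel" instead of a context. The sample inputs below are constructed, not captured from a real host; the healthy case assumes a targeted-policy context of the form root:system_r:httpd_t, and only the httpd_t field is checked.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Audit the three things the
# thread points at: /etc/selinux/config, selinux=0 on the kernel command
# line, and the security context httpd actually runs in.

# Print the value of KEY (SELINUX or SELINUXTYPE) from config text on stdin.
# Comment lines are skipped; the last assignment wins, as it does for the
# init scripts that source this file.
selinux_config_value() {
    key="$1"
    grep -v '^[[:space:]]*#' \
      | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
      | tail -n 1
}

# Exit 0 if the kernel command line on stdin carries selinux=0, which
# overrides /etc/selinux/config and leaves SELinux off regardless of it.
cmdline_disables_selinux() {
    grep -q -E '(^| )selinux=0( |$)'
}

# For each /usr/sbin/httpd line of "ps axZ" output on stdin, print the
# SELinux type (third colon-separated field of the context column). With
# SELinux disabled ps prints the literal word "kernel" there; pass it
# through so the caller can tell "not confined" from "not running".
httpd_types() {
    awk '/\/usr\/sbin\/httpd/ {
        n = split($1, f, ":")
        if (n >= 3) print f[3]; else print $1
    }'
}

# One verdict string: "ok" when the config asks for enforcing or permissive
# with the targeted policy, grub does not disable SELinux, and every httpd
# process runs as httpd_t; otherwise a short reason. Exit status matches.
httpd_selinux_verdict() {
    config="$1"; cmdline="$2"; ps_out="$3"

    if printf '%s\n' "$cmdline" | cmdline_disables_selinux; then
        echo "disabled: selinux=0 on kernel command line"
        return 1
    fi

    mode=$(printf '%s\n' "$config" | selinux_config_value SELINUX)
    policy=$(printf '%s\n' "$config" | selinux_config_value SELINUXTYPE)
    case "$mode" in
        enforcing|permissive) ;;
        *) echo "disabled: SELINUX=${mode:-unset} in /etc/selinux/config"; return 1 ;;
    esac
    if [ "$policy" != "targeted" ]; then
        echo "policy is ${policy:-unset}, not targeted"
        return 1
    fi

    types=$(printf '%s\n' "$ps_out" | httpd_types | sort -u)
    case "$types" in
        "") echo "httpd not running"; return 1 ;;
        httpd_t) echo "ok"; return 0 ;;
        *) echo "httpd not confined as httpd_t (saw: $(echo $types))"; return 1 ;;
    esac
}

# Constructed sample data (not captured from a real machine). DISABLED_PS
# mirrors the "kernel" column Tim saw; GOOD_PS is what a targeted-policy
# host is expected to show, with httpd_t in the third field.
GOOD_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'
DISABLED_CONFIG='SELINUX=disabled
SELINUXTYPE=targeted'
GOOD_CMDLINE='ro root=/dev/VolGroup00/LogVol00 rhgb quiet'
BAD_CMDLINE='ro root=/dev/VolGroup00/LogVol00 rhgb quiet selinux=0'
DISABLED_PS='kernel 13047 ? Ss 0:00 /usr/sbin/httpd
kernel 24171 ? S 0:00 /usr/sbin/httpd
kernel 13204 pts/3 S+ 0:00 grep httpd'
GOOD_PS='root:system_r:httpd_t 13047 ? Ss 0:00 /usr/sbin/httpd
root:system_r:httpd_t 24171 ? S 0:00 /usr/sbin/httpd
root:system_r:unconfined_t 13204 pts/3 S+ 0:00 grep httpd'

echo "Tim's host:   $(httpd_selinux_verdict "$DISABLED_CONFIG" "$GOOD_CMDLINE" "$DISABLED_PS")"
echo "selinux=0:    $(httpd_selinux_verdict "$GOOD_CONFIG" "$BAD_CMDLINE" "$GOOD_PS")"
echo "healthy host: $(httpd_selinux_verdict "$GOOD_CONFIG" "$GOOD_CMDLINE" "$GOOD_PS")"
# Against the live system (needs an SELinux-capable kernel and procps):
# httpd_selinux_verdict "$(cat /etc/selinux/config)" "$(cat /proc/cmdline)" "$(ps axZ)"
```

The kernel command line is checked first because selinux=0 wins over whatever /etc/selinux/config says, which is the case Dan warns about; the ps check is last because a "kernel" context column is a symptom, and the verdict should name the cause (config or boot option) when it can.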