Nathan Grennan wrote:
> How do I disable SELinux completely for httpd? In F7 from what I have
> read it was "setsebool -P httpd_disable_trans 1". I get the errors below
> when I try that. I looked in the policy files and couldn't find any
> reference of it. I looked in system-config-selinux, and only found
> options to tweak small aspects of SELinux for httpd, but not completely
> disable it. I also notice there doesn't seem to be options to disable
> selinux for any service. Not having a per service disable option means
> your only recourse in some situations is simply to put SELinux in
> permissive mode.
>
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change boolean httpd_disable_trans
> Could not change policy booleans
>
> I want to disable httpd, because I don't want to have to run restorecon
> ~/public_html/dir if I move a directory from ~/ to ~/public_html. I find
> the whole idea of restorecon funny. It isn't like chown or chmod where
> you give it options telling it what to change it to. It is just supposed
> to fall back on policy. So why not just have the system automatically
> set the default policy on the move? You can say, but there is chcon, but
> even if you use it to hand set something, if you restorecon or relabel
> on boot are have used in the future it is likely going to wipe any
> changes made with chcon.

chcon is just like chown or chmod, and actually changing a file context to
httpd_sys_content_t will survive a relabel, which you really should not
need to do. If you cp the contents of the directory they should adopt
the context of the destination directory. Also you could use restorecond
to watch for the creation of files in the directory.

*_disable_trans was removed because it caused as many problems as it
solved. When you disable trans on one domain, you can cause other
domains to blow up because file context gets screwed up.

If you really want to disable trans you could change the context of
httpd to bin_t. chcon -t bin_t /usr/sbin/httpd, but this will not
survive a relabel. We are hoping to add permissive domains pretty soon,
where you define httpd as a permissive domain, and it would only report
access problems and not enforce them.
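
An audit for the situation discussed in this thread, as an added example that is not part of either message: it walks a web content directory and reports entries whose SELinux type is not in an allowed set, which is what a directory moved in from ~/ looks like before it is relabeled. The function names, the allowed set (only httpd_sys_content_t, the type named in the reply) and the sample labels, including user_home_t for the moved files, are assumptions constructed for illustration.

```python
import os
import tempfile

SELINUX_XATTR = "security.selinux"  # extended attribute holding a file's SELinux context

def read_label(path):
    """Return the raw SELinux context bytes of path, or None if it has none."""
    try:
        return os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:
        return None

def context_type(raw):
    """Extract the type field from b'user:role:type:level' (may end in NUL)."""
    if not raw:
        return None
    fields = raw.rstrip(b"\x00").decode("ascii", "replace").split(":")
    return fields[2] if len(fields) >= 3 else None

def find_mislabeled(root, allowed_types, reader=read_label):
    """Return sorted (path, type) pairs under root whose type is not allowed."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            ctype = context_type(reader(path))
            if ctype not in allowed_types:
                hits.append((path, ctype))
    return sorted(hits)

def demo():
    """Run the audit on a constructed tree with constructed labels (no SELinux needed)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "moved"))
        for rel in ("index.html", "moved/page.html"):
            open(os.path.join(root, rel), "w").close()
        labels = {  # constructed: 'moved' kept its home-directory label after mv
            "index.html": b"system_u:object_r:httpd_sys_content_t:s0\x00",
            "moved": b"unconfined_u:object_r:user_home_t:s0\x00",
            "moved/page.html": b"unconfined_u:object_r:user_home_t:s0\x00",
        }
        fake = lambda p: labels.get(os.path.relpath(p, root))
        hits = find_mislabeled(root, {"httpd_sys_content_t"}, reader=fake)
        return [(os.path.relpath(p, root), t) for p, t in hits]

if __name__ == "__main__":
    for path, ctype in demo():
        print(f"{ctype}\t{path}")
```

On a real SELinux host, call find_mislabeled() with the default reader on the content directory and the set of types your policy expects there.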