FC4 documentation for apache + selinux ?
Stephen Smalley
sds at tycho.nsa.gov
Thu Jan 5 15:31:36 UTC 2006
On Thu, 2006-01-05 at 15:08 +0000, Timothy Murphy wrote:
> 2) By default, SELinux enforcement for Apache HTTP is enabled. To verify
> this, run system-config-securitylevel, and view the SELinux tab. Click on
> the Transition tree, and ensure that Disable SELinux protection for httpd
> daemon is not checked.
>
> What is the "Transition tree"?
> Does this mean the list of "Trusted services"?
> (If so, why not say that??)
Caveat: I rarely look at or use the GUI, but looking briefly at it, I
would say:
No, the "trusted services" list is for the firewall, not
SELinux-related. For SELinux settings, select the SELinux tab, go down
to the "Modify SELinux Policy" box, and expand HTTPD Service, then look
for "Disable SELinux protection for httpd daemon" and make sure it isn't
checked. I assume that it used to be called Transition tree at the time
that Colin wrote his document.
> And what on earth does "Enforcing current Disabled" mean
> when I click the SELinux tag?
The Enforcing checkbox lets you toggle between Enforcing and Permissive
modes. The Current: info tells you the current status of SELinux, which
apparently is disabled on your system.
> The effect of clicking OK on leaving system-config-securitylevel
> on my desktop linked to the internet
> is to cut off access to the web from my laptop,
> even though the relevant device (/dev/eth2)
> is clicked under Trusted devices.
You shouldn't have to mark the device as trusted in order to perform
outbound connections. 'Trusted' in the firewall tab indicates trust for
inbound access, IIRC (again, not using this GUI myself). I have no
trusted services or devices marked.
>
> 3) " As a further check, use the command ps axZ | grep httpd.
> You should see it running in the root_u:system_r:httpd_t security context.
> The important part of that is the third component, the httpd_t type."
>
> When I run this command, I do not get this response,
> or anything like it:
> -------------------------------
> [tim at alfred ~]$ ps axZ | grep httpd
> kernel 13047 ? Ss 0:00 /usr/sbin/httpd
> kernel 24171 ? S 0:00 /usr/sbin/httpd
> kernel 24172 ? S 0:00 /usr/sbin/httpd
> kernel 24173 ? S 0:00 /usr/sbin/httpd
> kernel 24174 ? S 0:00 /usr/sbin/httpd
> kernel 24175 ? S 0:00 /usr/sbin/httpd
> kernel 13204 pts/3 S+ 0:00 grep httpd
> -------------------------------
This output suggests that no policy was loaded on your system.
--
Stephen Smalley
National Security Agency
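The check the quoted documentation describes (look at the third component of the label in `ps axZ` output and confirm it is `httpd_t`) can be scripted so that a "no policy loaded" system like the poster's is reported distinctly from one where policy is loaded but httpd is in the wrong type. The script below is an added example and is not part of the original thread or of any Fedora tool; the sample `ps axZ` lines are constructed for it (the `kernel` lines mirror the poster's output, the labelled lines use the `root_u:system_r:httpd_t` format from the quoted documentation, and the PIDs and the `unconfined_t` case are made up). On a live system the same functions are fed with `ps axZ | grep httpd | httpd_context_status`.

```shell
#!/bin/sh
# Added example, not from the original thread: classify httpd processes in
# `ps axZ` output by the type component of their SELinux label. Input is read
# from stdin so the live check is:  ps axZ | grep httpd | httpd_context_status

# Constructed sample: what the poster saw. The label column is "kernel",
# which is what ps prints when no SELinux policy is loaded.
SAMPLE_NO_POLICY='kernel 13047 ? Ss 0:00 /usr/sbin/httpd
kernel 24171 ? S 0:00 /usr/sbin/httpd
kernel 13204 pts/3 S+ 0:00 grep httpd'

# Constructed sample: a system with policy loaded and httpd in httpd_t
# (label format from the quoted documentation; PIDs made up).
SAMPLE_CONFINED='root_u:system_r:httpd_t 2001 ? Ss 0:00 /usr/sbin/httpd
root_u:system_r:httpd_t 2002 ? S 0:00 /usr/sbin/httpd
root_u:system_r:unconfined_t 2003 pts/0 S+ 0:00 grep httpd'

# Constructed sample: policy loaded, but one httpd process is running in a
# type other than httpd_t, so it is not confined by the httpd policy.
SAMPLE_UNCONFINED='root_u:system_r:httpd_t 2001 ? Ss 0:00 /usr/sbin/httpd
root_u:system_r:unconfined_t 2010 pts/0 S 0:00 /usr/sbin/httpd'

# httpd_context_status: prints one status word per httpd process on stdin.
#   httpd_t            process is confined in the httpd_t domain
#   wrong_type:<type>  policy is loaded, but the process is in another type
#   no_policy          label is not user:role:type, i.e. no policy loaded
httpd_context_status() {
  awk '
    $(NF-1) == "grep" { next }        # drop the grep process itself
    $NF !~ /httpd$/   { next }        # only httpd processes
    {
      n = split($1, p, ":")           # ps axZ prints the label first
      if (n < 3) { print "no_policy"; next }
      if (p[3] == "httpd_t") print "httpd_t"
      else print "wrong_type:" p[3]
    }'
}

# httpd_confined: succeeds only if at least one httpd process is present
# and every one of them is in httpd_t.
httpd_confined() {
  status=$(httpd_context_status)
  [ -n "$status" ] || return 1        # no httpd process at all
  ! printf '%s\n' "$status" | grep -qv '^httpd_t$'
}

# Stand-alone demonstration on the constructed samples.
for s in "$SAMPLE_NO_POLICY" "$SAMPLE_CONFINED" "$SAMPLE_UNCONFINED"; do
  if printf '%s\n' "$s" | httpd_confined; then
    echo "httpd confined in httpd_t"
  else
    echo "httpd NOT confined in httpd_t:"
    printf '%s\n' "$s" | httpd_context_status | sed 's/^/  /'
  fi
done
```

The split on `:` is deliberately limited to the first three components, so the check also works on labels that carry a fourth MLS/MCS component; only the type is compared, as the quoted documentation says it is the part that matters.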