FC4 documentation for apache + selinux ?

Stephen Smalley sds at tycho.nsa.gov
Thu Jan 5 15:31:36 UTC 2006


On Thu, 2006-01-05 at 15:08 +0000, Timothy Murphy wrote:
> 2)  By default, SELinux enforcement for Apache HTTP is enabled. To verify
> this, run system-config-securitylevel, and view the SELinux tab. Click on
> the Transition tree, and ensure that Disable SELinux protection for httpd
> daemon is not checked.
> 
> What is the "Transition tree"?
> Does this mean the list of "Trusted services"?
> (If so, why not say that??)

Caveat:  I rarely look at or use the GUI, but looking briefly at it, I
would say:

No, the "trusted services" list is for the firewall, not
SELinux-related.  For SELinux settings, select the SELinux tab, go down
to the "Modify SELinux Policy" box, and expand HTTPD Service, then look
for "Disable SELinux protection for httpd daemon" and make sure it isn't
checked.  I assume that it used to be called Transition tree at the time
that Colin wrote his document.

> And what on earth does "Enforcing current Disabled" mean
> when I click the SELinux tag?

Enforcing checkbox lets you toggle between Enforcing and Permissive
modes.  The Current: info tells you the current status of SELinux, which
apparently is disabled on your system.

> The effect of clicking OK on leaving system-config-securitylevel
> on my desktop linked to the internet
> is to cut off access to the web from my laptop,
> even though the relevant device (/dev/eth2)
> is clicked under Trusted devices.

You shouldn't have to mark the device as trusted in order to perform
outbound connections.  'Trusted' in the firewall tab indicates trust for
inbound access, IIRC (again, not using this GUI myself).  I have no
trusted services or devices marked.

> 
> 3) " As a further check, use the command ps axZ | grep httpd.
> You should see it running in the root_u:system_r:httpd_t  security context.
> The important part of that is the third component, the httpd_t type."
> 
> When I run this command, I do not get this response,
> or anything like it:
> -------------------------------
> [tim at alfred ~]$ ps axZ | grep httpd
> kernel                          13047 ?        Ss     0:00 /usr/sbin/httpd
> kernel                          24171 ?        S      0:00 /usr/sbin/httpd
> kernel                          24172 ?        S      0:00 /usr/sbin/httpd
> kernel                          24173 ?        S      0:00 /usr/sbin/httpd
> kernel                          24174 ?        S      0:00 /usr/sbin/httpd
> kernel                          24175 ?        S      0:00 /usr/sbin/httpd
> kernel                          13204 pts/3    S+     0:00 grep httpd
> -------------------------------

This output suggests that no policy was loaded on your system.

-- 
Stephen Smalley
National Security Agency
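The two checks discussed in this reply (is httpd running in the httpd_t type, and does a context of "kernel" mean no policy is loaded) can be scripted. The script below is an added example written for this page, not code from the thread or from the SELinux project. It assumes the `ps axZ` column layout shown in the quoted output (context first, then PID, TTY, STAT, TIME, command) and treats a context of `kernel` (older kernels, as in the post) or `-` (what newer `ps` prints when SELinux is disabled) as "no policy loaded". The sample process lines are constructed for the demonstration.

```shell
#!/bin/sh
# Classify one SELinux context string as printed in the first column of `ps axZ`.
# Prints: confined | no-policy | unconfined:<type>
# Returns 0 only when the process is in the httpd_t type.
classify_httpd_context() {
    ctx="$1"
    case "$ctx" in
        kernel|-)                       # assumption: marker used when no policy is loaded
            echo "no-policy"; return 1 ;;
    esac
    # The type is the third colon-separated component (user:role:type[:level]).
    type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    if [ "$type" = "httpd_t" ]; then
        echo "confined"; return 0
    fi
    echo "unconfined:$type"; return 2
}

# Read `ps axZ`-style lines on stdin and audit every /usr/sbin/httpd process.
# Returns 0 if all httpd processes are confined, 1 if any is not, 3 if none found.
audit_httpd_processes() {
    status=0
    found=0
    while read -r ctx rest; do
        case "$rest" in
            *grep*)            continue ;;   # skip the grep that produced the listing
            */usr/sbin/httpd*) ;;            # an httpd worker or parent
            *)                 continue ;;
        esac
        found=1
        set -- $rest                          # word-split: $1 is now the PID
        pid=$1
        result=$(classify_httpd_context "$ctx") || status=1
        echo "pid $pid: context '$ctx' -> $result"
    done
    if [ "$found" -eq 0 ]; then
        echo "no httpd processes found"
        return 3
    fi
    return $status
}

# Constructed sample: what the poster saw (SELinux disabled, no policy loaded).
SAMPLE_DISABLED='kernel                          13047 ?        Ss     0:00 /usr/sbin/httpd
kernel                          24171 ?        S      0:00 /usr/sbin/httpd
kernel                          13204 pts/3    S+     0:00 grep httpd'

# Constructed sample: what a correctly confined httpd looks like.
SAMPLE_CONFINED='system_u:system_r:httpd_t:s0    1201 ?        Ss     0:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0    1202 ?        S      0:00 /usr/sbin/httpd'

echo "== disabled system =="
printf '%s\n' "$SAMPLE_DISABLED" | audit_httpd_processes || echo "httpd is NOT confined by SELinux"
echo "== confined system =="
printf '%s\n' "$SAMPLE_CONFINED" | audit_httpd_processes && echo "httpd is confined in httpd_t"
```

On a live system, feed the real listing in with `ps axZ | audit_httpd_processes`; a non-zero exit is the signal to look at `getenforce` or `sestatus` and at the "Disable SELinux protection for httpd daemon" boolean described above, since a process running as `kernel` or `-` means no policy is enforced at all, not merely that httpd is exempted.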
