do I need SELinux?

Daniel J Walsh dwalsh at redhat.com
Sat Nov 13 12:37:38 UTC 2004


Chris Hewitt wrote:

>On Sat, 2004-11-13 at 03:48, john bray wrote:
>
>>On Fri, 2004-11-12 at 10:01 -0500, Daniel J Walsh plumb said:
>>
>>>Steven Stern wrote:
>>>
>>>>On Fri, 12 Nov 2004 09:37:21 -0500, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>
>>>>>So I would hope that people will work with it and not just turn it off
>>>>>as soon as they have a problem with the system.
>>>>
>>>>I haven't had any problems and assume it's working fine on my system.  But how
>>>>do I know?  Will something show up in logwatch if there's something to worry
>>>>about?  What syslog message prefix indicates a SELINUX targeted policy
>>>>message?
>>>>
>>>>(Yes, this is probably in the FAQ, so if you can point me to the right one,
>>>>I'll go off quietly and read it.)
>>>>
>>>You might see some change in behavior of applications and usually AVC 
>>>messages in /var/log/messages.
>>>
>>>For the most part you probably will see nothing.
>>>
>>>sestatus shows you whether it is running or not.
>>>
>>ok.   i got interested in checking this out.  so:
>>
>>[root at junior ntp]# grep AVC /var/log/message*
>>[root at junior ntp]# sestatus
>>SELinux status:         disabled
>>[root at junior ntp]#    
>>
>>
>>i thought that FC3 was defaulting to targeted?  this is an upgrade from
>>FC2 system, BTW.
>>
>>what do i have to do now, to get it turned on? 
>>
>
>John,
>
>An earlier poster said it is off by default on upgrades. GUI method:
>System Settings -> Security Level, SELinux tab, check Enabled and
>Enforcing, Policy should be Targeted. Command line method: edit
>/etc/selinux/config. Reboot (it's kernel stuff so reboot unfortunately
>needed).
>
>I've got a fresh FC3 installation (not upgrade) and have a PHP
>application using either PostgreSQL or MySQL. As SELinux documentation
>indicates it should allow http/PHP to access MySQL I was not surprised
>that my application did not work with PostgreSQL, but it did not work
>with MySQL either. If I turn off SELinux then it is fine with either
>database. 
>
>I agree SELinux is a good idea (particularly for servers), but I have
>not yet found good documentation on the details of setting it up (with
>PostgreSQL in particular), maybe I simply need to look harder. Another
>previous poster hoped that we would work with SELinux to help it along,
>and I agree with this, but present time constraints make it so much
>easier for me to simply work with SELinux disabled.
>

Instead of disabling SELinux, please disable apache if you have a problem.

system-config-securitylevel can do this.  That way you can still run
with SELinux without Apache problems.

>Regards
>
>Chris
>
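
The thread asks how to tell whether SELinux is active and whether it is denying anything. The script below is an added example, not part of the original messages: it reports the first line of `sestatus` and summarises AVC denials from a syslog-style file. The sample log lines, the hostname, pids and SELinux types in them, and the function names are constructed for illustration.

```bash
#!/bin/bash
# Added example: summarise SELinux AVC denials in a syslog-style file.

sample_log() {
    # Constructed sample lines (not taken from the thread); hostname, pids,
    # inode numbers and types are made up for illustration.
    cat <<'EOF'
Nov 13 12:00:01 junior kernel: audit(1100347201.101:0): avc:  denied  { write } for  pid=2301 exe=/usr/sbin/httpd name=.s.PGSQL.5432 dev=hda2 ino=4711 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:tmp_t tclass=sock_file
Nov 13 12:00:07 junior kernel: audit(1100347207.442:0): avc:  denied  { write } for  pid=2305 exe=/usr/sbin/httpd name=.s.PGSQL.5432 dev=hda2 ino=4711 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:tmp_t tclass=sock_file
Nov 13 12:01:13 junior kernel: audit(1100347273.009:0): avc:  denied  { write } for  pid=2310 exe=/usr/sbin/httpd name=mysql.sock dev=hda2 ino=5120 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Nov 13 12:02:00 junior sshd[2400]: Accepted password for john from 192.0.2.10 port 40022 ssh2
EOF
}

avc_denials() {
    # -i because the kernel writes the tag in lower case ("avc:  denied"),
    # so a case-sensitive search for "AVC" finds nothing.
    grep -iE 'avc:[[:space:]]+denied' "$1"
}

avc_summary() {
    # Count denials per source type -> target type [class] {permissions}.
    avc_denials "$1" | sed -nE \
      's/.*denied[[:space:]]+\{ ([^}]*) \}.*scontext=([^ ]+).*tcontext=([^ ]+).*tclass=([^ ]+).*/\2 -> \3 [\4] {\1}/p' \
      | sort | uniq -c | sort -rn
}

selinux_state() {
    # sestatus is the command named in the thread; it may be absent.
    if command -v sestatus >/dev/null 2>&1; then
        sestatus | head -n 1
    else
        echo "sestatus not found"
    fi
}

# Demo on the constructed sample; point avc_summary at /var/log/messages instead.
demo_log=$(mktemp)
sample_log > "$demo_log"
selinux_state
avc_summary "$demo_log"
rm -f "$demo_log"
```

A repeated source/target pair at the top of the summary shows which confined service is being blocked and on what kind of object, which is the detail needed to adjust that one service rather than turn SELinux off.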



