How best get rid of SELinux?
Beartooth
Beartooth at swva.net
Sun Sep 23 16:17:23 UTC 2007
On Sun, 23 Sep 2007 02:26:47 -0500, Arthur Pemberton wrote:
> On 9/23/07, Tim <ignored_mailbox at yahoo.com.au> wrote:
>> That PNG is user user, object role, HTTP system content type? WTF!
>> What the hell is an object role, and how is a PNG file a system
>> anything?
>
> 1) check man selinux
God give me strength.
Type "man:selinux" into Konqueror (in order to get it into a
format which is even legible; man anything on a terminal either shatters,
or has to be in a font so small that not even a magnifying glass helps --
typical ...)
You get a choice of plain "man selinux" or fifteen (count 'em --
fifteen) other man pages. None of them contains "httpd," -- in case I
know a fraction of what Tim does, and can guess I want that. So I go
ahead and try to actually slog through the plain command's page.
The first thing I see is a link to the selinux page at NSA. I
click on it -- hoping to tell at a glance whether to read it first, or
leave it for if&when. I get no pointer to anything, but the fanciest "not
found" message in known space.
Being a hardened sinner, I waste three minutes studying that, and
notice that the link ends a sentence. Sure enough, clicking is picking up
the period -- and the NSA page (the ultimate electronic bureaucrat?)
doesn't think to try ignoring the period.
So I c&p the link into another tab, delete the period manually,
and it links. GoddlemityDAM!
Turns out selinux is a whole nuther branch of computer science.
(Makes sense, actually : NoSuchAgency if anybody oughtta have such a
thing. I'm not NSA.)
So I leave that tab, take a deep breath, and resume trying to
read the man page for plain selinux.
It proves amazingly well written for gummint work. (There is a
typo : for 'context' singular in the section on File Labeling read
'contexts' plural.) Please pass my extreme praise to Mr. Walsh; afaik,
only the Copyright Office in all of gdgummint writes as well.
It also says in so many words : "The best way to relabel the file
system is to create the flag file /.autorelabel and *reboot*" [My
emphasis; no wonder that instruction is in the error messages in the
trouble shooter.]
> 2) get pointed to man httpd_selinux
Well, you can call it that; the question is which is to be
master, as Lewis Carroll says so well. What I see (at the very bottom) is
a completely uncommented list of fifteen links, one of which is
"httpd_selinux(8)" (That means they're not the same fifteen that
Konqueror found, btw: I triple-checked, and it does not offer me anything
containing "httpd" among its fifteen. Konqueror won't let me c&p its
fifteen.)
I suppose someone whose focussed attention was on apache would
indeed jump on that first. Since I don't run any server I can help, nor
even have a web page, I'll leave it there.
> 3) get information
>
> httpd_sys_content_t
> - Set files with httpd_sys_content_t for content which is
> available from all httpd scripts and the daemon
--
Beartooth Staffwright, PhD, Neo-Redneck Linux Convert
Remember I know precious little of what I am talking about.