On Tue, 2004-11-09 at 13:12 +0100, Thomas Vander Stichele wrote: > Hi, > > I upgraded to FC3 this weekend. I always try and go with the defaults > on a new install, because when fielding bug reports for my various > projects I prefer to make the defaults work first so bug reporters and I > have a common ground to work with. > > Since the default SELINUX policy is "targeted" I chose this, bracing > myself :) > > My first task was getting all my locally hosted websites to run. > > I have a few virtualhosts in my /home/thomas/www directory. When > starting apache, the service script complains about these directories > missing. > > Please note that I have a separate /home partition on hda6; I don't know > if this affects any policy (yet). Indeed, this is the root of the problem. Your /home partition isn't labeled since it was carried over from an earlier installation, so it gets the default_t type. Personally, I would have done: restorecon -v -R /home I don't think you would have seen this particular issue if you'd done a fresh installation. See also this question: http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2963454 > other people. Otherwise I'll just have to turn off SELINUX myself, and > recommend the same to others when questions are asked about it. No, no, that's entirely the wrong approach. You were running into problems with Apache. It's very easy to turn off enforcement *just* for Apache. That's one of the great things about SELinux, is that it's very flexible. See this question in the FAQ: http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel I fully expect that a number of people will turn off SELinux enforcement for Apache; by far it is the most configurable and complex daemon we ship, and writing policy for what some people do with it could be difficult. But you don't want to give up protection for portmap, bind, etc. I also have written a specific Apache-SELinux guide that is pending review. I hope to get it published on fedora.redhat.com soon. Hopefully enough people reading it and keeping enforcement for Apache on will help stop the next Slapper worm.
