On Wed, 22 Jun 2005, Colin Walters wrote:
> On Wed, 2005-06-22 at 18:45 -0400, Jon August wrote:
>> httpd is running with type:
>> root:system_r:unconfined_t
>> What does this mean? Is httpd a vulnerability on this machine?
> This means that httpd is not confined by the SELinux policy. This means
> you have less protection against a compromise or misconfiguration of
> httpd or CGI scripts.
> Since the default is for it to be enabled, someone (possibly you)
> disabled SELinux protection for httpd; you can reenable it by using
> system-config-securitylevel (or
> "setsebool -P httpd_disable_trans=false").
Strange, on one computer httpd runs with:
root:system_r:httpd_t 11845 ? Ss 0:00 /usr/sbin/httpd
but if I do setsebool -P httpd_disable_trans 0 on another computer I get
[root@flashdance ny]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: /usr/sbin/httpd: error while loading shared libraries:
libpcre.so.0: cannot open shared object file: Permission denied
[FAILED]
On both computers the selinux perms are:
[iocc@flashdance texts]$ ll -Z /lib/libpcre.so.0*
lrwxrwxrwx root system_u:object_r:lib_t /lib/libpcre.so.0 ->
libpcre.so.0.0.1
-rwxr-xr-x root system_u:object_r:shlib_t /lib/libpcre.so.0.0.1
I'm not sure that I get that :)
Just to get it working I did this on the other computer:
[root@flashdance ny]# setsebool -P httpd_disable_trans 1
[root@flashdance ny]# /etc/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
Why doesn't httpd_disable_trans 0 work with apache on one computer?
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
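
The loader's "Permission denied" above does not say which access SELinux refused to httpd_t; the AVC denials logged by the kernel do. The following is an added example, not part of the original thread: it summarises AVC denials for one source domain. The log lines are constructed (not taken from the poster's machine, and they say nothing about the actual cause), and the function names are hypothetical.

```python
import re
from collections import Counter

# "avc:  denied  { perms } for  key=value ..." as written to syslog or the audit log
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input, for illustration only.
SAMPLE_LOG = [
    "audit(1119480301.101:0): avc:  denied  { search } for  pid=2301 exe=/usr/sbin/httpd "
    "name=lib dev=hda2 ino=48213 scontext=root:system_r:httpd_t "
    "tcontext=system_u:object_r:file_t tclass=dir",
    "audit(1119480302.207:0): avc:  denied  { search } for  pid=2302 exe=/usr/sbin/httpd "
    "name=lib dev=hda2 ino=48213 scontext=root:system_r:httpd_t "
    "tcontext=system_u:object_r:file_t tclass=dir",
    "audit(1119480310.555:0): avc:  denied  { search } for  pid=2290 exe=/usr/sbin/named "
    "name=log dev=hda2 ino=7 scontext=root:system_r:named_t "
    "tcontext=system_u:object_r:var_log_t tclass=dir",
    "Jun 22 18:45:10 flashdance httpd: httpd shutdown failed",
]

def parse_avc(line):
    """Return the fields of one AVC message as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""

def denials_for_domain(lines, domain="httpd_t"):
    """Count denials per (permission, class, target type, object name) for one domain."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        if context_type(rec.get("scontext", "")) != domain:
            continue
        for perm in rec["perms"]:
            counts[(perm, rec.get("tclass", ""),
                    context_type(rec.get("tcontext", "")), rec.get("name", ""))] += 1
    return counts

if __name__ == "__main__":
    for key, n in denials_for_domain(SAMPLE_LOG).most_common():
        print(n, *key)
```

The target type and class in each summary row show which object along the path was refused, which `ls -Z` on the library file alone does not reveal.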