Paul Howarth wrote:

>> I looked at "Understanding and Customizing the Apache HTTP SELinux
>> Policy" at <http://fedora.redhat.com/docs/selinux-apache-fc3/index.html>,
>> but the changes between FC3 and FC4 seemed to make much of this
>> irrelevant.
>>
>> Is there a corresponding document for FC4?
>
> Most of the principles remain the same in FC4. I think the biggest
> single thing that you need to remember is that FC4 uses the "targeted"
> policy by default, whilst the examples in the document are for the
> "strict" policy. Do the appropriate substitutions in examples and most
> things will work.

Some suggestions in this document which did not work for me under FC4.
(I did not run selinux under FC3.)

1) "Your first step is to install the httpd package, and probably the
httpd-suexec and httpd-manual packages."

There does not seem to be an httpd-suexec rpm for FC4.

2) By default, SELinux enforcement for Apache HTTP is enabled. To verify
this, run system-config-securitylevel, and view the SELinux tab. Click on
the Transition tree, and ensure that Disable SELinux protection for httpd
daemon is not checked.

What is the "Transition tree"?
Does this mean the list of "Trusted services"?
(If so, why not say that??)

In my case https and http have check-marks against them.
But what exactly does "Trusted services" mean?
Does it mean that selinux trusts these services,
and so does not concern itself with them?
Or does it mean the opposite, that selinux _is_ looking after them?

And what on earth does "Enforcing current Disabled" mean
when I click the SELinux tag?

The effect of clicking OK on leaving system-config-securitylevel
on my desktop linked to the internet
is to cut off access to the web from my laptop,
even though the relevant device (/dev/eth2) is clicked
under Trusted devices.

3) "As a further check, use the command ps axZ | grep httpd. You should
see it running in the root_u:system_r:httpd_t security context. The
important part of that is the third component, the httpd_t type."

When I run this command, I do not get this response,
or anything like it:
-------------------------------
[tim@alfred ~]$ ps axZ | grep httpd
kernel  13047 ?      Ss  0:00 /usr/sbin/httpd
kernel  24171 ?      S   0:00 /usr/sbin/httpd
kernel  24172 ?      S   0:00 /usr/sbin/httpd
kernel  24173 ?      S   0:00 /usr/sbin/httpd
kernel  24174 ?      S   0:00 /usr/sbin/httpd
kernel  24175 ?      S   0:00 /usr/sbin/httpd
kernel  13204 pts/3  S+  0:00 grep httpd
-------------------------------

In effect, hardly anything on the "Getting Started" page
seems to work for me ...

-- 
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
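
Added example, not part of the original message or of the Fedora guide: a shell function that automates the `ps axZ | grep httpd` check from item 3 by reading the label column and testing its third component against `httpd_t`. The function name `check_httpd_domain` and both sample inputs are constructed for illustration; a label that is not in `user:role:type` form, such as the `kernel` in the output above, is reported as unlabelled.

```shell
#!/bin/sh
# Added example (assumed names): verify that every httpd process listed by
# `ps axZ` runs in the expected SELinux type. Column layout assumed:
#   LABEL PID TTY STAT TIME COMMAND

# Constructed sample in the shape of the output quoted in the message.
sample_post='kernel 13047 ? Ss 0:00 /usr/sbin/httpd
kernel 24171 ? S 0:00 /usr/sbin/httpd
kernel 13204 pts/3 S+ 0:00 grep httpd'

# Constructed sample using the context the guide says to expect.
sample_guide='root_u:system_r:httpd_t 2001 ? Ss 0:00 /usr/sbin/httpd
root_u:system_r:httpd_t 2002 ? S 0:00 /usr/sbin/httpd'

# Reads `ps axZ` lines on stdin, prints "PID verdict (detail)" per httpd process.
# $1 is the expected type (default httpd_t).
# Exit status: 0 all httpd in expected type, 1 at least one is not, 2 no httpd seen.
check_httpd_domain() {
    awk -v want="${1:-httpd_t}" '
        {
            # Match on the basename of the command, so the "grep httpd"
            # line and the header line are skipped.
            n = split($6, path, "/")
            if (path[n] != "httpd") next
            seen++
            # A context is user:role:type, optionally followed by a level,
            # which is ignored here.
            parts = split($1, ctx, ":")
            if (parts < 3) {
                printf "%s unlabelled (%s)\n", $2, $1; bad++
            } else if (ctx[3] != want) {
                printf "%s wrong-type (%s)\n", $2, ctx[3]; bad++
            } else {
                printf "%s ok (%s)\n", $2, ctx[3]
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Demonstration on the constructed samples.
printf '%s\n' "$sample_post"  | check_httpd_domain || echo "exit status: $?"
printf '%s\n' "$sample_guide" | check_httpd_domain || echo "exit status: $?"
```

On a live system the input would come from `ps axZ | check_httpd_domain`.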