Re: FC4 documentation for apache + selinux ?

Timothy Murphy wrote:
Paul Howarth wrote:


I looked at "Understanding and Customizing the Apache HTTP SELinux
Policy" at <http://fedora.redhat.com/docs/selinux-apache-fc3/index.html>,
but the changes between FC3 and FC4 seemed to make much of this
irrelevant.

Is there a corresponding document for FC4?

Most of the principles remain the same in FC4. I think the biggest
single thing that you need to remember is that FC4 uses the "targeted"
policy by default, whilst the examples in the document are for the
"strict" policy. Do the appropriate substitutions in examples and most
things will work.


Some suggestions in this document which did not work for me under FC4.
(I did not run selinux under FC3.)

1) "Your first step is to install the httpd package, and probably the
httpd-suexec and httpd-manual packages."

There does not seem to be an httpd-suexec rpm for FC4.

The suexec program is contained within the main httpd package in FC4, so that's indeed a difference.

2) By default, SELinux enforcement for Apache HTTP is enabled. To verify
this, run system-config-securitylevel, and view the SELinux tab. Click on
the Transition tree, and ensure that Disable SELinux protection for httpd
daemon is not checked.

What is the "Transition tree"?
Does this mean the list of "Trusted services"?
(If so, why not say that??)

In my case https and http have check-marks against them.
But what exactly does "Trusted services" mean?
Does it mean that selinux trusts these services,
and so does not concern itself with them?
Or does it mean the opposite,
that selinux _is_ looking after them?

And what on earth does "Enforcing current Disabled" mean
when I click the SELinux tag?

I can't answer these personally as I use the command-line tools rather than the GUI. Hopefully Dan will follow up on that.

3) "As a further check, use the command ps axZ | grep httpd.
You should see it running in the root_u:system_r:httpd_t security context.
The important part of that is the third component, the httpd_t type."

When I run this command, I do not get this response,
or anything like it:
-------------------------------
[tim@alfred ~]$ ps axZ | grep httpd
kernel                          13047 ?        Ss     0:00 /usr/sbin/httpd
kernel                          24171 ?        S      0:00 /usr/sbin/httpd
kernel                          24172 ?        S      0:00 /usr/sbin/httpd
kernel                          24173 ?        S      0:00 /usr/sbin/httpd
kernel                          24174 ?        S      0:00 /usr/sbin/httpd
kernel                          24175 ?        S      0:00 /usr/sbin/httpd
kernel                          13204 pts/3    S+     0:00 grep httpd
-------------------------------

What's the output of:

# getsebool -a | grep httpd

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
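Two command-line checks for the questions raised in this thread, added here as an example (not code from the thread or from the Fedora document). It assumes that httpd_disable_trans is the targeted-policy boolean behind the "Disable SELinux protection for httpd daemon" checkbox, and the ps and getsebool sample lines are constructed (the first ps sample reproduces the output quoted above).

```shell
#!/bin/sh
# Added example, not from the thread.
# check_httpd_context: classify the SELinux label of httpd processes in
#   `ps axZ` output read from stdin.
# check_httpd_trans: report from `getsebool -a` output whether the
#   httpd_disable_trans boolean (assumed name) is active; accepts both the
#   older "active/inactive" and the newer "on/off" spellings.

check_httpd_context() {
    # ps axZ columns: LABEL PID TTY STAT TIME COMMAND...; $6 is the program.
    awk '$6 ~ /\/httpd$/ {
            found = 1
            if ($1 == "kernel" || $1 == "-") { nolabel++; next }
            split($1, ctx, ":")          # user:role:type[:range]
            if (ctx[3] == "httpd_t") confined++; else unconfined++
        }
        END {
            if (!found)          print "absent"      # no httpd running
            else if (unconfined) print "unconfined"  # running, but not in httpd_t
            else if (nolabel)    print "nolabel"     # SELinux off or process unlabelled
            else                 print "confined"    # every httpd is in httpd_t
        }'
}

check_httpd_trans() {
    awk '$1 == "httpd_disable_trans" {
            found = 1
            if ($NF == "active" || $NF == "on") print "disabled"; else print "enabled"
        }
        END { if (!found) print "unknown" }'
}

# Constructed samples: the first is the output quoted in the thread, the
# second is what a confined httpd under the targeted policy looks like.
PS_UNLABELLED='LABEL PID TTY STAT TIME COMMAND
kernel 13047 ? Ss 0:00 /usr/sbin/httpd
kernel 24171 ? S 0:00 /usr/sbin/httpd
kernel 13204 pts/3 S+ 0:00 grep httpd'
PS_CONFINED='LABEL PID TTY STAT TIME COMMAND
system_u:system_r:httpd_t 13047 ? Ss 0:00 /usr/sbin/httpd
user_u:user_r:user_t 13204 pts/3 S+ 0:00 grep httpd'
SEBOOL='httpd_disable_trans --> inactive
httpd_enable_cgi --> active'

printf '%s\n' "$PS_UNLABELLED" | check_httpd_context   # nolabel
printf '%s\n' "$PS_CONFINED"   | check_httpd_context   # confined
printf '%s\n' "$SEBOOL"        | check_httpd_trans     # enabled
```

On a live box, `ps axZ | check_httpd_context` and `getsebool -a | check_httpd_trans` give the same answers for the running system.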
