On Thu, 2006-01-05 at 15:08 +0000, Timothy Murphy wrote:
> 2) By default, SELinux enforcement for Apache HTTP is enabled. To verify
> this, run system-config-securitylevel, and view the SELinux tab. Click on
> the Transition tree, and ensure that Disable SELinux protection for httpd
> daemon is not checked.
>
> What is the "Transition tree"?
> Does this mean the list of "Trusted services"?
> (If so, why not say that??)

Caveat: I rarely look at or use the GUI, but looking briefly at it, I would say: No, the "trusted services" list is for the firewall, not SELinux-related. For SELinux settings, select the SELinux tab, go down to the "Modify SELinux Policy" box, and expand HTTPD Service, then look for "Disable SELinux protection for httpd daemon" and make sure it isn't checked. I assume that it used to be called Transition tree at the time that Colin wrote his document.

> And what on earth does "Enforcing current Disabled" mean
> when I click the SELinux tag?

Enforcing checkbox lets you toggle between Enforcing and Permissive modes. The Current: info tells you the current status of SELinux, which apparently is disabled on your system.

> The effect of clicking OK on leaving system-config-securitylevel
> on my desktop linked to the internet
> is to cut off access to the web from my laptop,
> even though the relevant device (/dev/eth2)
> is clicked under Trusted devices.

You shouldn't have to mark the device as trusted in order to perform outbound connections. 'Trusted' in the firewall tab indicates trust for inbound access, IIRC (again, not using this GUI myself). I have no trusted services or devices marked.

> 3) " As a further check, use the command ps axZ | grep httpd.
> You should see it running in the root_u:system_r:httpd_t security context.
> The important part of that is the third component, the httpd_t type."
>
> When I run this command, I do not get this response,
> or anything like it:
> -------------------------------
> [tim@alfred ~]$ ps axZ | grep httpd
> kernel 13047 ? Ss 0:00 /usr/sbin/httpd
> kernel 24171 ? S 0:00 /usr/sbin/httpd
> kernel 24172 ? S 0:00 /usr/sbin/httpd
> kernel 24173 ? S 0:00 /usr/sbin/httpd
> kernel 24174 ? S 0:00 /usr/sbin/httpd
> kernel 24175 ? S 0:00 /usr/sbin/httpd
> kernel 13204 pts/3 S+ 0:00 grep httpd
> -------------------------------

This output suggests that no policy was loaded on your system.

-- 
Stephen Smalley
National Security Agency
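
Added example, not part of the original message: a shell helper that reads `ps axZ` output and reports whether the httpd processes carry the `httpd_t` type as the third component of the context, or the bare `kernel` label that the reply above reads as no policy loaded. The function name `classify_httpd_labels`, the verdict strings and the sample PID 2301 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the LABEL column of `ps axZ` for httpd processes.
# classify_httpd_labels is a hypothetical helper; it reads ps axZ lines on
# stdin and prints exactly one verdict:
#   confined      every httpd process has httpd_t as the third context field
#   no-policy     at least one httpd process shows the bare "kernel" label
#   not-confined  a context is present but its type is not httpd_t
#   not-running   no httpd process appears in the input
classify_httpd_labels() {
    awk '
        # Column layout: LABEL PID TTY STAT TIME COMMAND...
        # Match on COMMAND so the "grep httpd" line itself is ignored.
        $6 !~ /(^|\/)httpd$/ { next }
        { seen++ }
        # Bare "kernel" label, as in the output quoted in the message.
        $1 == "kernel" { nopolicy++; next }
        {
            # Context is user:role:type, optionally followed by a level.
            n = split($1, ctx, ":")
            if (n < 3 || ctx[3] != "httpd_t") other++
        }
        END {
            if (!seen)         print "not-running"
            else if (nopolicy) print "no-policy"
            else if (other)    print "not-confined"
            else               print "confined"
        }'
}

# Constructed sample input. The first two lines are copied from the quoted
# output; the last uses the context the quoted document says to expect,
# with a made-up PID.
printf '%s\n' \
    'kernel 13047 ? Ss 0:00 /usr/sbin/httpd' \
    'kernel 13204 pts/3 S+ 0:00 grep httpd' | classify_httpd_labels
printf '%s\n' \
    'root_u:system_r:httpd_t 2301 ? Ss 0:00 /usr/sbin/httpd' | classify_httpd_labels
```

On a live system the input would come from `ps axZ | classify_httpd_labels`.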