On Thursday 05 January 2006 08:31am, Stephen Smalley wrote:
> On Thu, 2006-01-05 at 15:08 +0000, Timothy Murphy wrote:
> > 2) By default, SELinux enforcement for Apache HTTP is enabled. To verify
> > this, run system-config-securitylevel, and view the SELinux tab. Click on
> > the Transition tree, and ensure that Disable SELinux protection for httpd
> > daemon is not checked.
> >
> > What is the "Transition tree"?
> > Does this mean the list of "Trusted services"?
> > (If so, why not say that??)
>
> Caveat: I rarely look at or use the GUI, but looking briefly at it, I
> would say:
>
> No, the "trusted services" list is for the firewall, not
> SELinux-related. For SELinux settings, select the SELinux tab, go down
> to the "Modify SELinux Policy" box, and expand HTTPD Service, then look
> for "Disable SELinux protection for httpd daemon" and make sure it isn't
> checked. I assume that it used to be called Transition tree at the time
> that Colin wrote his document.
>
> > And what on earth does "Enforcing current Disabled" mean
> > when I click the SELinux tag?
>
> Enforcing checkbox lets you toggle between Enforcing and Permissive
> modes. The Current: info tells you the current status of SELinux, which
> apparently is disabled on your system.
>
> > The effect of clicking OK on leaving system-config-securitylevel
> > on my desktop linked to the internet
> > is to cut off access to the web from my laptop,
> > even though the relevant device (/dev/eth2)
> > is clicked under Trusted devices.
>
> You shouldn't have to mark the device as trusted in order to perform
> outbound connections. 'Trusted' in the firewall tab indicates trust for
> inbound access, IIRC (again, not using this GUI myself). I have no
> trusted services or devices marked.

Stephen is correct; the "Trusted Devices" list causes a rule to be added to
the firewall configuration created by system-config-securitylevel for each
NIC (i.e. "device") which is checked.

Those rules allow all incoming traffic on the specified interface(s) without
going through any of the other firewall checks. You should *not* check those
boxes, ever. Of course, people do, but then there is no firewall.

The list of services in the firewall tab will, when checked, create a rule
that allows *inbound* connections for that service. There are only 4 services
on that list. You can add a space separated list of additional ports to allow
in the text input box provided. The entries would look like
"tcp:3128 udp:53 tcp:53 tcp:953" in that box. This is much better than
checking the "Trusted Devices" boxes.

[snip]
--
Lamont R. Peterson <lamont@xxxxxxxxxxxx>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
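As an added illustration, not taken from the list post or from system-config-securitylevel itself, the script below writes out iptables rules of the shape the two choices discussed above amount to: one interface-wide ACCEPT for a "Trusted Device", versus one port-scoped rule per entry of the "proto:port" list. The chain name RH-Firewall-1-INPUT and the exact rule forms are assumptions; check them against your own /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Assumed chain name; the tool on the page wrote its rules into a chain
# of this name on Fedora of that era, but verify against your own config.
CHAIN=RH-Firewall-1-INPUT

# "Trusted device": a single rule accepts every packet arriving on the
# interface, so none of the later checks in the chain are reached.
trusted_device_rule() {
    printf '%s\n' "-A $CHAIN -i $1 -j ACCEPT"
}

# Port list in the tool's space separated "proto:port" format, e.g.
# "tcp:3128 udp:53 tcp:53 tcp:953". Emits one rule per entry, each limited
# to one protocol and one destination port. Returns 1 on a malformed entry.
port_rules() {
    for entry in $1; do
        proto=${entry%%:*}
        port=${entry#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$entry'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$entry'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$entry'" >&2; return 1
        fi
        if [ "$proto" = tcp ]; then
            printf '%s\n' "-A $CHAIN -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
        else
            printf '%s\n' "-A $CHAIN -m udp -p udp --dport $port -j ACCEPT"
        fi
    done
}

# Usage (constructed inputs): compare the two outputs side by side.
# trusted_device_rule eth2
# port_rules "tcp:3128 udp:53 tcp:53 tcp:953"
```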
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list