Re: FC4 documentation for apache + selinux ?

Paul Howarth wrote:
Timothy Murphy wrote:
Paul Howarth wrote:


I looked at "Understanding and Customizing the Apache HTTP SELinux
Policy" at <http://fedora.redhat.com/docs/selinux-apache-fc3/index.html>,
but the changes between FC3 and FC4 seemed to make much of this
irrelevant.

Is there a corresponding document for FC4?

Most of the principles remain the same in FC4. I think the biggest
single thing that you need to remember is that FC4 uses the "targeted"
policy by default, whilst the examples in the document are for the
"strict" policy. Do the appropriate substitutions in examples and most
things will work.


Some suggestions in this document which did not work for me under FC4.
(I did not run selinux under FC3.)

1) "Your first step is to install the httpd package, and probably the
httpd-suexec and httpd-manual packages."

There does not seem to be an httpd-suexec rpm for FC4.

The suexec program is contained within the main httpd package in FC4, so that's indeed a difference.

2) "By default, SELinux enforcement for Apache HTTP is enabled. To verify this, run system-config-securitylevel, and view the SELinux tab. Click on the Transition tree, and ensure that Disable SELinux protection for httpd daemon is not checked."

What is the "Transition tree"?
Does this mean the list of "Trusted services"?
(If so, why not say that??)

In my case https and http have check-marks against them.
But what exactly does "Trusted services" mean?
Does it mean that selinux trusts these services,
and so does not concern itself with them?
Or does it mean the opposite,
that selinux _is_ looking after them?

And what on earth does "Enforcing current Disabled" mean
when I click the SELinux tag?

I can't answer these personally as I use the command-line tools rather than the GUI. Hopefully Dan will follow up on that.

This indicates SELinux is disabled on this machine. If you want to turn on SELinux, you need to install selinux-targeted-policy.
Make sure /etc/selinux/config has
SELINUX=enforcing (or permissive)
and
SELINUXTYPE=targeted
Also make sure you don't have selinux=0 in /etc/grub.conf.

touch /.autorelabel and reboot.


3) "As a further check, use the command ps axZ | grep httpd.
You should see it running in the root_u:system_r:httpd_t security context.
The important part of that is the third component, the httpd_t type."

When I run this command, I do not get this response,
or anything like it:
-------------------------------
[tim@alfred ~]$ ps axZ | grep httpd
kernel                          13047 ?        Ss     0:00 /usr/sbin/httpd
kernel                          24171 ?        S      0:00 /usr/sbin/httpd
kernel                          24172 ?        S      0:00 /usr/sbin/httpd
kernel                          24173 ?        S      0:00 /usr/sbin/httpd
kernel                          24174 ?        S      0:00 /usr/sbin/httpd
kernel                          24175 ?        S      0:00 /usr/sbin/httpd
kernel                          13204 pts/3    S+     0:00 grep httpd
-------------------------------

What's the output of:

# getsebool -a | grep httpd

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
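The checks Dan and Paul describe above (the /etc/selinux/config settings, the selinux=0 kernel argument, and whether httpd actually runs as httpd_t), as an added POSIX sh example that is not from the thread or from Fedora. It works on constructed sample inputs rather than a live host, so it runs anywhere; the function names are my own, and it assumes the config file is plain KEY=value lines and that the type is the third colon-separated field of a context.

```shell
# Effective value of KEY ($1) in /etc/selinux/config text ($2); comments ignored,
# last setting wins.
selinux_config_value() {
  printf '%s\n' "$2" |
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" | tail -n 1
}

# Exit 0 when a kernel command line (grub.conf or /proc/cmdline) has selinux=0,
# which switches SELinux off regardless of /etc/selinux/config.
cmdline_disables_selinux() {
  printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])selinux=0([[:space:]]|$)'
}

# Count httpd processes in `ps axZ` output ($1) whose context type is not
# httpd_t. A first field of "kernel", as in Tim's output, means nothing is
# being labelled, i.e. SELinux is disabled.
httpd_not_in_httpd_t() {
  printf '%s\n' "$1" | awk '/\/usr\/sbin\/httpd/ {
      split($1, c, ":"); if (c[3] != "httpd_t") n++ } END { print n + 0 }'
}

# Args: config text, kernel cmdline, ps output. Prints "ok" or the first
# reason httpd is not running confined; the exit status follows.
selinux_httpd_status() {
  mode=$(selinux_config_value SELINUX "$1")
  type=$(selinux_config_value SELINUXTYPE "$1")
  if cmdline_disables_selinux "$2"; then echo disabled-by-cmdline; return 1; fi
  case "$mode" in enforcing|permissive) ;; *) echo "config-mode:${mode:-unset}"; return 1 ;; esac
  [ "$type" = targeted ] || { echo "config-type:${type:-unset}"; return 1; }
  bad=$(httpd_not_in_httpd_t "$3")
  [ "$bad" -eq 0 ] || { echo "unconfined-httpd:$bad"; return 1; }
  echo ok
}

# Constructed samples: a host in Tim's state (disabled) and a correctly set one.
CONFIG_OFF='# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted'
CONFIG_ON='SELINUX=enforcing
SELINUXTYPE=targeted'
CMDLINE_ON='ro root=LABEL=/ rhgb quiet'
CMDLINE_OFF="$CMDLINE_ON selinux=0"
PS_OFF='kernel 13047 ? Ss 0:00 /usr/sbin/httpd
kernel 24171 ? S 0:00 /usr/sbin/httpd
kernel 13204 pts/3 S+ 0:00 grep httpd'
PS_ON='root:system_r:httpd_t 13047 ? Ss 0:00 /usr/sbin/httpd
root:system_r:httpd_t 24171 ? S 0:00 /usr/sbin/httpd
root:system_r:unconfined_t 13204 pts/3 S+ 0:00 grep httpd'
```

On a real FC4 box you would feed it `cat /etc/selinux/config`, `cat /proc/cmdline` and `ps axZ`; a result of config-mode:disabled with "kernel" in every ps line is exactly the state Tim's output shows.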