[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: first encounters with SELINUX, with some suggestions



On Tue, 2004-11-09 at 13:12 +0100, Thomas Vander Stichele wrote:
> Hi,
> 
> I upgraded to FC3 this weekend.  I always try and go with the defaults
> on a new install, because when fielding bug reports for my various
> projects I prefer to make the defaults work first so bug reporters and I
> have a common ground to work with.
> 
> Since the default SELINUX policy is "targeted" I chose this, bracing
> myself :)
> 
> My first task was getting all my locally hosted websites to run.
> 
> I have a few virtualhosts in my /home/thomas/www directory.  When
> starting apache, the service script complains about these directories
> missing.
> 
> Please note that I have a separate /home partition on hda6; I don't know
> if this affects any policy (yet).

Indeed, this is the root of the problem.  Your /home partition isn't
labeled since it was carried over from an earlier installation, so it
gets the default_t type.  Personally, I would have done:

restorecon -v -R /home

I don't think you would have seen this particular issue if you'd done a
fresh installation.

See also this question:
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2963454

> other people.  Otherwise I'll just have to turn off SELINUX myself, and
> recommend the same to others when questions are asked about it.

No, no, that's entirely the wrong approach.  You were running into
problems with Apache.  It's very easy to turn off enforcement *just* for
Apache.  That's one of the great things about SELinux, is that it's very
flexible.  See this question in the FAQ:

http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel

I fully expect that a number of people will turn off SELinux enforcement
for Apache; by far it is the most configurable and complex daemon we
ship, and writing policy for what some people do with it could be
difficult.  But you don't want to give up protection for portmap, bind,
etc.

I also have written a specific Apache-SELinux guide that is pending
review.  I hope to get it published on fedora.redhat.com soon.
Hopefully enough people reading it and keeping enforcement for Apache on
will help stop the next Slapper worm.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]