What's special about SELinux

Arthur Pemberton pemboa at gmail.com
Sun Dec 28 00:08:27 UTC 2008


On Sat, Dec 27, 2008 at 5:22 PM, Chuck Forsberg WA7KGX N2469R
<caf at omen.com> wrote:
> I tried configuring Linux so Apache wouldn't have to look
> outside /var/www for any of its data.  I arranged the HD with
> a separate partition for /var/www so Apache/SELinux would
> be happy with its own little sandbox.  The installation failed.
> Apparently Anaconda couldn't hack /var/www being on its
> own file system.  So, back to the usual disk arrangement.
>
> I installed Fedora 10 and immediately ran the updates,
> all 770 MB of them, before doing anything else.  With
> the storms in the west nobody seemed to miss omen.com
> being down over Christmas.
>
> With the up to date system, Apache would fail at line
> 280 on its init script insisting that the document root
> had to be a directory.  I checked the syntax, directory
> perms et al but no joy.  I didn't see an SELinux denial
> popup.  Apache just thought its document root directory
> wasn't a directory.
> Disabling SELinux made it all better.
>
> There is something special about SELinux that makes it
> such an issue for me and others in similar situations.
> To adequately test Fedora before deploying it would
> require a separate local network and a separate ISP
> connection.  This is not a viable solution for many.
>
> As a result, problems such as SELinux and Apache crop
> up when a system is being brought online when downtime
> to mess with the mess is not available in abundance.  The
> necessary solution is to disable SELinux and hope the
> next iteration will be ready for prime time.
>
> If BSD is secure without SELinux, why not Fedora?


Consider how many people use SELinux, especially when serving HTTP.
Maybe in FC2/3 it was a bit troublesome. But at this stage of
development, you really shouldn't have enough problems with SELinux
and Apache to warrant an email.

-- 
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )



