Selinux .vs. Apache

Daniel P. Berrange berrange at redhat.com
Sat Nov 29 21:16:00 UTC 2008


On Sat, Nov 29, 2008 at 01:02:17PM -0800, Chuck Forsberg WA7KGX N2469R wrote:
> When I install a new version of Fedora I leave Selinux on until
> it prevents me from doing something important. 
> 
> This time Selinux caused Apache to fail reading its configuration
> file where I specified the document root.  Once again, as always,
> off with Selinux.
> 
> I don't know if Linux really needs Selinux.  If it does, it
> needs something that doesn't get in the way of normal
> system functions.

Compare the situation to your firewall. If you change the default port
number that Apache listens on, you add a new firewall rule to allow 
traffic to that port, rather than turning off the entire firewall.
The same is easily doable with SELinux policy.

For example, if you change your document root to "/srv/mywebsite",
then the equivalent of adding a port to the firewall config is to
add a new path to the policy for Apache:

   semanage fcontext -a -f "" -t httpd_sys_content_t '/srv/mywebsite(/.*)?' 

Then, apply that policy to the files in this directory:

   restorecon -r /srv/mywebsite


Incidentally, if you do change the port number that Apache is on to 9000,
then again semanage is used to update the policy:

  semanage port -a -t http_port_t -p tcp 9000


Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
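As an added example (not part of Daniel's mail), a POSIX sh wrapper around the two steps above that inspects the current policy listing before adding a rule, so running it twice is harmless. The has_* helpers read a `semanage ... -l` listing from stdin (so they can be exercised without SELinux); semanage and restorecon are only assumed to be on PATH when the apply functions run.

```shell
#!/bin/sh
# Added example, not from the original mail: idempotent helpers for the
# fcontext and port steps described above.

# has_fcontext PATTERN TYPE   (stdin: output of `semanage fcontext -l`)
# Succeeds if a rule for PATTERN already maps to the SELinux type TYPE.
has_fcontext() {
    pattern=$1; ctype=$2
    # listing columns: "<pattern>   <file type>   <context>"; the context is last
    awk -v p="$pattern" -v t="$ctype" '
        $1 == p && $NF ~ (":" t ":") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_port TYPE PROTO PORT   (stdin: output of `semanage port -l`)
# Succeeds if PORT is already covered by TYPE/PROTO, either listed
# individually ("80, 443, 8080") or inside a range ("1024-65535").
has_port() {
    ptype=$1; proto=$2; port=$3
    awk -v t="$ptype" -v pr="$proto" -v n="$port" '
        $1 == t && $2 == pr {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v ~ /-/) {
                    split(v, r, "-")
                    if (n+0 >= r[1]+0 && n+0 <= r[2]+0) found = 1
                } else if (v+0 == n+0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# label_docroot DIR: add the httpd_sys_content_t rule for DIR if it is
# missing, then relabel the files that are already there.
label_docroot() {
    dir=$1; pat="$dir(/.*)?"
    if ! semanage fcontext -l | has_fcontext "$pat" httpd_sys_content_t; then
        semanage fcontext -a -t httpd_sys_content_t "$pat"
    fi
    restorecon -Rv "$dir"
}

# allow_http_port PORT: let httpd bind PORT/tcp unless policy already allows it.
allow_http_port() {
    port=$1
    if ! semanage port -l | has_port http_port_t tcp "$port"; then
        semanage port -a -t http_port_t -p tcp "$port"
    fi
}
```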
