FC4 documentation for apache + selinux ?

Timothy Murphy tim at birdsnest.maths.tcd.ie
Thu Jan 5 15:08:52 UTC 2006


Paul Howarth wrote:

>> I looked at "Understanding and Customizing the Apache HTTP SELinux
>> Policy" at <http://fedora.redhat.com/docs/selinux-apache-fc3/index.html>,
>> but the changes between FC3 and FC4 seemed to make much of this
>> irrelevant.
>> 
>> Is there a corresponding document for FC4?
> 
> Most of the principles remain the same in FC4. I think the biggest
> single thing that you need to remember is that FC4 uses the "targeted"
> policy by default, whilst the examples in the document are for the
> "strict" policy. Do the appropriate substitutions in examples and most
> things will work.

Some suggestions in this document which did not work for me under FC4.
(I did not run selinux under FC3.)

1) "Your first step is to install the httpd package, and probably the
httpd-suexec and httpd-manual packages."

There does not seem to be an httpd-suexec rpm for FC4.

2) By default, SELinux enforcement for Apache HTTP is enabled. To verify
this, run system-config-securitylevel, and view the SELinux tab. Click on
the Transition tree, and ensure that Disable SELinux protection for httpd
daemon is not checked.

What is the "Transition tree"?
Does this mean the list of "Trusted services"?
(If so, why not say that??)

In my case https and http have check-marks against them.
But what exactly does "Trusted services" mean?
Does it mean that selinux trusts these services,
and so does not concern itself with them?
Or does it mean the opposite,
that selinux _is_ looking after them?

And what on earth does "Enforcing current Disabled" mean
when I click the SELinux tab?

The effect of clicking OK on leaving system-config-securitylevel
on my desktop linked to the internet
is to cut off access to the web from my laptop,
even though the relevant device (/dev/eth2)
is clicked under Trusted devices.

3) "As a further check, use the command ps axZ | grep httpd.
You should see it running in the root_u:system_r:httpd_t security context.
The important part of that is the third component, the httpd_t type."

When I run this command, I do not get this response,
or anything like it:
-------------------------------
[tim at alfred ~]$ ps axZ | grep httpd
kernel                          13047 ?        Ss     0:00 /usr/sbin/httpd
kernel                          24171 ?        S      0:00 /usr/sbin/httpd
kernel                          24172 ?        S      0:00 /usr/sbin/httpd
kernel                          24173 ?        S      0:00 /usr/sbin/httpd
kernel                          24174 ?        S      0:00 /usr/sbin/httpd
kernel                          24175 ?        S      0:00 /usr/sbin/httpd
kernel                          13204 pts/3    S+     0:00 grep httpd
-------------------------------


In effect, hardly anything on the "Getting Started" page
seems to work for me ...

-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
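An added example, not from this thread or from the Fedora documentation, for checking the point raised in item 3: it reads "ps axZ"-style lines and reports, per httpd process, whether the third component of the label is httpd_t. It treats a bare single-token label such as "kernel" (what the thread's output shows) or "-" as meaning no policy context is attached to the process, so nothing is being confined. The sample lines are constructed, modelled on the output above.

```shell
#!/bin/sh
# Added example: classify the SELinux label on each httpd process from
# "ps axZ" output. A confined Apache shows a user:role:type context whose
# type (third field) is httpd_t; a bare token like "kernel" or "-" means
# no policy context is attached, so SELinux is not protecting the daemon.
# SAMPLE_PS is constructed test data shaped like the thread's output.

SAMPLE_PS='kernel                          13047 ?        Ss     0:00 /usr/sbin/httpd
kernel                          24171 ?        S      0:00 /usr/sbin/httpd
root:system_r:httpd_t           13048 ?        Ss     0:00 /usr/sbin/httpd
root:system_r:unconfined_t      13049 ?        S      0:00 /usr/sbin/httpd
kernel                          13204 pts/3    S+     0:00 grep httpd'

# classify_label LABEL -> prints: confined | wrong-type | no-policy
classify_label() {
    case "$1" in
        *:*:httpd_t|*:*:httpd_t:*) echo confined ;;   # MLS adds a 4th field
        *:*:*)                     echo wrong-type ;; # a context, but not httpd_t
        *)                         echo no-policy ;;  # e.g. "kernel" or "-"
    esac
}

# audit_httpd: read ps -Z lines on stdin, skip anything that is not an
# httpd binary (including the grep line itself), print "<pid> <verdict>"
# per process. Exit status is 0 only if every httpd process is confined.
audit_httpd() {
    bad=0
    while read -r label pid tty stat time cmd rest; do
        case "$cmd" in
            */httpd) ;;
            *) continue ;;
        esac
        verdict=$(classify_label "$label")
        echo "$pid $verdict"
        [ "$verdict" = confined ] || bad=1
    done
    return $bad
}

# Stand-alone run: pipe real output with  ps axZ | audit_httpd
# printf '%s\n' "$SAMPLE_PS" | audit_httpd
```

On a working FC4 targeted-policy system every httpd line should come back "confined"; the thread's own output would come back "no-policy" for every process.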