FC4 documentation for apache + selinux ?

Lamont R. Peterson lamont at gurulabs.com
Thu Jan 5 19:14:56 UTC 2006


On Thursday 05 January 2006 08:31am, Stephen Smalley wrote:
> On Thu, 2006-01-05 at 15:08 +0000, Timothy Murphy wrote:
> > 2)  By default, SELinux enforcement for Apache HTTP is enabled. To verify
> > this, run system-config-securitylevel, and view the SELinux tab. Click on
> > the Transition tree, and ensure that Disable SELinux protection for httpd
> > daemon is not checked.
> >
> > What is the "Transition tree"?
> > Does this mean the list of "Trusted services"?
> > (If so, why not say that??)
>
> Caveat:  I rarely look at or use the GUI, but looking briefly at it, I
> would say:
>
> No, the "trusted services" list is for the firewall, not
> SELinux-related.  For SELinux settings, select the SELinux tab, go down
> to the "Modify SELinux Policy" box, and expand HTTPD Service, then look
> for "Disable SELinux protection for httpd daemon" and make sure it isn't
> checked.  I assume that it used to be called Transition tree at the time
> that Colin wrote his document.
>
> > And what on earth does "Enforcing current Disabled" mean
> > when I click the SELinux tag?
>
> Enforcing checkbox lets you toggle between Enforcing and Permissive
> modes.  The Current: info tells you the current status of SELinux, which
> apparently is disabled on your system.
>
> > The effect of clicking OK on leaving system-config-securitylevel
> > on my desktop linked to the internet
> > is to cut off access to the web from my laptop,
> > even though the relevant device (/dev/eth2)
> > is clicked under Trusted devices.
>
> You shouldn't have to mark the device as trusted in order to perform
> outbound connections.  'Trusted' in the firewall tab indicates trust for
> inbound access, IIRC (again, not using this GUI myself).  I have no
> trusted services or devices marked.

Stephen is correct; the "Trusted Devices" list causes a rule to be added to 
the firewall configuration created by system-config-securitylevel for each 
NIC (i.e. "device") which is checked.  Those rules allow all incoming traffic 
on the specified interface(s) without going through any of the other firewall 
checks.

You should *not* check those boxes, ever.

Of course, people do, but then there is no firewall.

The list of services in the firewall tab will, when checked, create a rule 
that allows *inbound* connections for that service.  There are only 4 
services on that list.

You can add a space-separated list of additional ports to allow in the text 
input box provided.  The entries would look like "tcp:3128 udp:53 tcp:53 
tcp:953" in that box.

This is much better than checking the "Trusted Devices" boxes.

[snip]
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
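Since the post contrasts the "Trusted Devices" checkbox with per-port entries such as "tcp:3128 udp:53", here is an added example (not code from this post or from system-config-securitylevel) that parses that port-list format into per-port iptables ACCEPT rules, shows the single interface-wide rule the checkbox amounts to, and flags such interface-wide rules in a ruleset. The chain name RH-Firewall-1-INPUT and the exact rule shapes are assumptions about the generated ruleset, not verified tool output.

```python
"""Expand a system-config-securitylevel style port list into iptables rules
and audit a ruleset for interface-wide ACCEPTs.  Added illustration; chain
name and rule shapes are assumed, not taken from the tool."""
import re

# One entry is "proto:port", e.g. "tcp:3128"; entries are space-separated.
ENTRY_RE = re.compile(r"^(tcp|udp):(\d{1,5})$")
# Matches a rule that accepts everything on an interface (no protocol/port).
WIDE_OPEN_RE = re.compile(r"-i (\S+) -j ACCEPT$")
CHAIN = "RH-Firewall-1-INPUT"  # assumed chain name


def parse_port_list(text):
    """Parse 'tcp:3128 udp:53 tcp:53 tcp:953' into (proto, port) tuples.
    Raises ValueError on malformed entries or out-of-range ports."""
    entries = []
    for token in text.split():
        m = ENTRY_RE.match(token.lower())
        if not m:
            raise ValueError(f"malformed entry: {token!r}")
        proto, port = m.group(1), int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {token!r}")
        entries.append((proto, port))
    return entries


def is_valid_port_list(text):
    """True if every entry in the text box would be accepted."""
    try:
        parse_port_list(text)
        return True
    except ValueError:
        return False


def port_rules(text, chain=CHAIN):
    """Per-port ACCEPT rules: only the listed services become reachable."""
    return [
        f"-A {chain} -m state --state NEW -p {proto} --dport {port} -j ACCEPT"
        for proto, port in parse_port_list(text)
    ]


def trusted_device_rule(iface, chain=CHAIN):
    """The 'Trusted Devices' checkbox: accept all inbound traffic on iface,
    bypassing every later check in the chain."""
    return f"-A {chain} -i {iface} -j ACCEPT"


def interface_wide_accepts(rules):
    """Audit helper: interfaces for which a rule accepts everything."""
    return [m.group(1) for r in rules
            if "--dport" not in r and (m := WIDE_OPEN_RE.search(r))]
```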