On Tue, 2004-11-09 at 13:12 +0100, Thomas Vander Stichele wrote:
> Hi,
> I upgraded to FC3 this weekend. I always try and go with the defaults
> on a new install, because when fielding bug reports for my various
> projects I prefer to make the defaults work first so bug reporters and I
> have a common ground to work with.
> Since the default SELINUX policy is "targeted" I chose this, bracing
> myself :)
> My first task was getting all my locally hosted websites to run.
> I have a few virtualhosts in my /home/thomas/www directory. When
> starting apache, the service script complains about these directories
> missing.
> Please note that I have a separate /home partition on hda6; I don't know
> if this affects any policy (yet).

Indeed, this is the root of the problem. Your /home partition isn't
labeled since it was carried over from an earlier installation, so it
gets the default_t type. Personally, I would have done:
    restorecon -v -R /home
I don't think you would have seen this particular issue if you'd done a
fresh installation.
See also this question:
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2963454

> other people. Otherwise I'll just have to turn off SELINUX myself, and
> recommend the same to others when questions are asked about it.

No, no, that's entirely the wrong approach. You were running into
problems with Apache. It's very easy to turn off enforcement *just* for
Apache. One of the great things about SELinux is that it's very
flexible. See this question in the FAQ:
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securi...
I fully expect that a number of people will turn off SELinux enforcement
for Apache; by far it is the most configurable and complex daemon we
ship, and writing policy for what some people do with it could be
difficult. But you don't want to give up protection for portmap, bind,
etc.
I also have written a specific Apache-SELinux guide that is pending
review. I hope to get it published on fedora.redhat.com soon.
Hopefully enough people reading it and keeping enforcement for Apache on
will help stop the next Slapper worm.
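
As an added example (not part of the original message or of the Fedora documentation), this shell function filters a listing of "context path" lines for entries still carrying default_t, the type the reply above attributes to the carried-over /home, so the result of the relabel can be checked before and after running restorecon. The function names, the extra file_t and unlabeled_t types, and the sample listing are assumptions of the example.

```sh
#!/bin/sh
# Added example: report paths whose SELinux type shows they were never
# given a proper label. Input lines are "<context> <path>", the shape
# printed by:  find /home -xdev -exec stat -c '%C %n' {} +
# Treating file_t and unlabeled_t like default_t is this example's assumption.
UNLABELED_TYPES="default_t file_t unlabeled_t"

find_unlabeled() {
    # Reads "<user:role:type[:level]> <path>" lines on stdin and prints
    # "<type><TAB><path>" for every entry whose type is in UNLABELED_TYPES.
    awk -v types="$UNLABELED_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) bad[t[i]] = 1 }
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[3] in bad) {
                # Paths may contain spaces: strip only the leading context field.
                path = $0
                sub(/^[^ ]+ /, "", path)
                print ctx[3] "\t" path
            }
        }'
}

# Number of entries on stdin that still need relabeling.
count_unlabeled() { find_unlabeled | wc -l | tr -d ' '; }

# Constructed sample listing, not output captured from a real system.
sample_listing() {
    cat <<'EOF'
system_u:object_r:default_t /home/thomas/www
system_u:object_r:default_t /home/thomas/www/site one/index.html
user_u:object_r:user_home_t /home/thomas/notes.txt
system_u:object_r:httpd_sys_content_t /var/www/html/index.html
EOF
}

# Demonstration on the constructed listing.
sample_listing | find_unlabeled
```

On a live system the same function can be fed from the find/stat pipeline shown in the comment; an empty result after the relabel means no entry in the scanned tree still has one of the listed types.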