On Sat, Nov 29, 2008 at 01:02:17PM -0800, Chuck Forsberg WA7KGX N2469R wrote:
> When I install a new version of Fedora I leave Selinux on until it prevents me from doing something important.
> This time Selinux caused Apache to fail reading its configuration file where I specified the document root. Once again, as always, off with Selinux.
> I don't know if Linux really needs Selinux. If it does, it needs something that doesn't get in the way of normal system functions.
Compare the situation to your firewall. If you change the default port number that Apache listens on, you add a new firewall rule to allow traffic to that port, rather than turning off the entire firewall. The same is easily doable with SELinux policy.
For example, if you change your document root to "/srv/mywebsite", then the equivalent of adding a port to the firewall config is to add a new path to the policy for Apache:
semanage fcontext -a -f "" -t httpd_sys_content_t '/srv/mywebsite(/.*)?'
Then, apply that policy to the files in this directory:
restorecon -r /srv/mywebsite
Incidentally, if you do change the port number that Apache is on to 9000, then again semanage is used to update the policy:
semanage port -a -t http_port_t -p tcp 9000
Regards, Daniel
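
Added example, not part of the original message: the two policy changes described above wrapped as shell functions that validate their input and fall back to "semanage ... -m" when a local rule already exists. The function names and the DRY_RUN variable are hypothetical; escaping regex characters in the path goes beyond what the message covers, and http_port_t is assumed to be the web server port type, as in the stock targeted policy.

```shell
#!/bin/bash
# Added example: keep SELinux enforcing and teach the policy about a relocated
# Apache document root and a non-default port. Run as root; DRY_RUN=1 prints
# the commands instead of executing them. All function names are hypothetical.

# Build the file-context regex for a directory tree: /srv/mywebsite(/.*)?
# The spec is a regex, so metacharacters in the path (the dots in
# /srv/www.example.com) are escaped to match literally.
fcontext_spec() {
    local dir="${1%/}"                     # drop one trailing slash
    case "$dir" in
        /?*) ;;                            # absolute path, and not "/" itself
        *) echo "need an absolute directory other than /: '$1'" >&2; return 1 ;;
    esac
    printf '%s(/.*)?\n' "$(printf '%s' "$dir" | sed 's/[][+*?^$(){}|.]/\\&/g')"
}

# Accept only a decimal TCP port in 1..65535.
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Label a new document root as web content, then relabel the files on disk.
label_docroot() {
    local spec
    spec=$(fcontext_spec "$1") || return 1
    # "-a" fails if a local rule for this spec already exists; retry with "-m".
    run semanage fcontext -a -t httpd_sys_content_t "$spec" ||
        run semanage fcontext -m -t httpd_sys_content_t "$spec" || return 1
    run restorecon -R -v "${1%/}"
}

# Allow the web server domain to bind an additional TCP port.
allow_port() {
    port_ok "$1" || { echo "bad port: '$1'" >&2; return 1; }
    run semanage port -a -t http_port_t -p tcp "$1" ||
        run semanage port -m -t http_port_t -p tcp "$1"
}

# Usage (as root):  label_docroot /srv/mywebsite && allow_port 9000
```
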