When I install a new version of Fedora I leave Selinux on until it prevents me from doing something important.
This time Selinux caused Apache to fail reading its configuration file where I specified the document root. Once again, as always, off with Selinux.
I don't know if Linux really needs Selinux. If it does, it needs something that doesn't get in the way of normal system functions.
On Sat, 2008-11-29 at 13:02 -0800, Chuck Forsberg WA7KGX N2469R wrote:
When I install a new version of Fedora I leave Selinux on until it prevents me from doing something important.
This time Selinux caused Apache to fail reading its configuration file where I specified the document root. Once again, as always, off with Selinux.
I don't know if Linux really needs Selinux. If it does, it needs something that doesn't get in the way of normal system functions.
It doesn't get in the way of normal system functions if you put files in their normal system locations.
On Sat, Nov 29, 2008 at 01:02:17PM -0800, Chuck Forsberg WA7KGX N2469R wrote:
When I install a new version of Fedora I leave Selinux on until it prevents me from doing something important.
This time Selinux caused Apache to fail reading its configuration file where I specified the document root. Once again, as always, off with Selinux.
I don't know if Linux really needs Selinux. If it does, it needs something that doesn't get in the way of normal system functions.
Compare the situation to your firewall. If you change the default port number that Apache listens on, you add a new firewall rule to allow traffic to that port, rather than turning off the entire firewall. The same is easily doable with SELinux policy.
For example, if you change your document root to "/srv/mywebsite", then the equivalent of adding a port to the firewall config is to add a new path to the policy for Apache:
semanage fcontext -a -t httpd_sys_content_t '/srv/mywebsite(/.*)?'
Then, apply that policy to the files in this directory:
restorecon -r /srv/mywebsite
Incidentally, if you do change the port number that apache is on to 9000, then again semanage is used to update the policy:
semanage port -a -t http_port_t -p tcp 9000
Regards, Daniel
On 2008-11-29, 21:02 GMT, Chuck Forsberg WA7KGX N2469R wrote:
I don't know if Linux really needs Selinux. If it does, it needs something that doesn't get in the way of normal system functions.
a) I don't know if Linux needs SELinux, but I am quite certain that you need it -- running apache on a server is the prime example of a configuration where SELinux is needed most.
b) If "normal functions" means "I want to do whatever I want to do and I resist learning anything new", then you probably have a big problem. Aside from the simple recipe which somebody suggested, I would dare to ask -- why in the world do you need webserver data in /srv? What would happen if you had them in /var/www/ where Fedora apache expects them (and where SELinux is more than happy to protect your server from many kinds of attack)?
Best,
Matěj
On Sat, Nov 29, 2008 at 11:22:45PM +0100, Matej Cepl wrote:
I would dare to ask -- why in the world do you need webserver data in /srv? What would happen if you had them in /var/www/ where Fedora apache expects them (and where SELinux is more than happy to protect your server from many kinds of attack)?
Ever heard what 'VirtualHost' is? You may have many of those on a single machine and you do not want to drop their corresponding files into one big haystack.
I have no idea if this is the case with OP but there could be really good reasons, contrary to what you think, when configurations other than defaults should/could be used. These are only _defaults_ for crying out loud and if something is forcing defaults, or just makes it hard enough to override those, then this something is plain broken by design.
Michal
On Sat, 2008-11-29 at 16:31 -0700, Michal Jaegermann wrote:
... if something is forcing defaults, or just makes it hard enough to override those, then this something is plain broken by design.
This something would not be SELinux. man httpd_selinux gives all sorts of options for it.
On Sat, Nov 29, 2008 at 06:59:16PM -0500, Ignacio Vazquez-Abrams wrote:
On Sat, 2008-11-29 at 16:31 -0700, Michal Jaegermann wrote:
... if something is forcing defaults, or just makes it hard enough to override those, then this something is plain broken by design.
This something would not be SELinux. man httpd_selinux gives all sorts of options for it.
I did not try to imply such a thing. I was rather responding to "why would you like to put this or that not where I think you should?".
Michal
On Sat, Nov 29, 2008 at 6:31 PM, Michal Jaegermann michal@harddata.com wrote:
Ever heard what 'VirtualHost' is? You may have many of those on a single machine and you do not want to drop their corresponding files into one big haystack.
I have no idea if this is the case with OP but there could be really good reasons, contrary to what you think, when configurations other than defaults should/could be used. These are only _defaults_ for crying out loud and if something is forcing defaults, or just makes it hard enough to override those, then this something is plain broken by design.
Come on, now -- all you have to do is label the files correctly. E.g. I'm pretty sure the OP's problems would be resolved by running "chcon -R -t httpd_sys_content_t" on his web tree. You do *not* want apache to read just any file on your filesystem -- it's not "broken by design" but "made safer by design."
SELinux is not scary or that hard -- once you get used to it, you'll appreciate the awesome layer of security that it offers.
Regards,
On Sat, Nov 29, 2008 at 19:01:40 -0500, Konstantin Ryabitsev icon@fedoraproject.org wrote:
Come on, now -- all you have to do is label the files correctly. E.g. I'm pretty sure the OP's problems would be resolved by running "chcon -R -t httpd_sys_content_t" on his web tree. You do *not* want apache to read just any file on your filesystem -- it's not "broken by design" but "made safer by design."
You want to use semanage to make sure you don't get burnt later during a relabel. And once you do that it is easier (and a good double check) to use restorecon rather than chcon to relabel the files.
I find chcon is more useful for testing things rather than configuring things.
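Daniel's recipe above and the semanage-versus-chcon point, as an added example script that is not from the thread: it assumes the thread's /srv/mywebsite path and port 9000, and adds a small checker that reads ls -Z style lines and lists files carrying a type httpd cannot read.

```shell
#!/bin/sh
# Added example, not code from the thread. Makes the /srv/mywebsite and
# port 9000 values from Daniel's message persistent with semanage (so a
# relabel keeps them, unlike chcon), and checks ls -Z style output for
# files Apache will not be allowed to read.

WEBROOT=/srv/mywebsite      # thread's example DocumentRoot (assumption)
HTTP_PORT=9000              # thread's example non-default port

# Record the rules in policy, then relabel from those rules. Using -m as a
# fallback handles a rule that was already added on an earlier run.
label_webroot() {
    semanage fcontext -a -t httpd_sys_content_t "${WEBROOT}(/.*)?" \
        || semanage fcontext -m -t httpd_sys_content_t "${WEBROOT}(/.*)?"
    restorecon -Rv "$WEBROOT"
    semanage port -a -t http_port_t -p tcp "$HTTP_PORT" \
        || semanage port -m -t http_port_t -p tcp "$HTTP_PORT"
}

# Third field of a context like unconfined_u:object_r:httpd_sys_content_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines (the shape of `ls -Z` output) on stdin and
# print every path whose type is not one of the two usual content types
# httpd_t may read. Anything else (e.g. var_t, which /srv inherits) is
# exactly what trips the OP's Apache.
find_mislabeled() {
    while read -r ctx path; do
        case "$(context_type "$ctx")" in
            httpd_sys_content_t|httpd_sys_rw_content_t) ;;
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample of ls -Z output before restorecon has run.
SAMPLE='system_u:object_r:var_t:s0 /srv/mywebsite/index.html
unconfined_u:object_r:httpd_sys_content_t:s0 /srv/mywebsite/logo.png
unconfined_u:object_r:user_home_t:s0 /srv/mywebsite/upload.php'

if [ "${1:-}" = "--apply" ]; then
    label_webroot            # needs root and a system with semanage
else
    printf '%s\n' "$SAMPLE" | find_mislabeled
fi
```

Run it without arguments to see the checker on the constructed sample; `--apply` runs the semanage/restorecon steps on a real Fedora host.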
Michal Jaegermann wrote:
On Sat, Nov 29, 2008 at 11:22:45PM +0100, Matej Cepl wrote:
I would dare to ask -- why in the world do you need webserver data in /srv? What would happen if you had them in /var/www/ where Fedora apache expects them (and where SELinux is more than happy to protect your server from many kinds of attack)?
Ever heard what 'VirtualHost' is? You may have many of those on a single machine and you do not want to drop their corresponding files into one big haystack.
I have no idea if this is the case with OP but there could be really good reasons, contrary to what you think, when configurations other than defaults should/could be used. These are only _defaults_ for crying out loud and if something is forcing defaults, or just makes it hard enough to override those, then this something is plain broken by design.
If you don't understand enough about how the *defaults* work, maybe you should just stay the heck away from customization?
On Sat, Nov 29, 2008 at 06:30:23PM -0600, Thomas Cameron wrote:
Michal Jaegermann wrote:
On Sat, Nov 29, 2008 at 11:22:45PM +0100, Matej Cepl wrote:
I would dare to ask -- why in the world do you need webserver data in /srv?
If you don't understand enough about how the *defaults* work, maybe you should just stay the heck away from customization?
Eh? Are you talking about what Matej said, where your statement clearly applies, or are you misreading what I wrote? Just wondering ...
Michal
On 2008-11-29, 23:31 GMT, Michal Jaegermann wrote:
Ever heard what 'VirtualHost' is? You may have many of those on a single machine and you do not want to drop their corresponding files into one big haystack.
I have no idea if this is the case with OP but there could be really good reasons, contrary to what you think, when configurations other than defaults should/could be used. These are only _defaults_ for crying out loud and if something is forcing defaults, or just makes it hard enough to override those, then this something is plain broken by design.
Well, yes, but defaults have the nice advantage that they usually work with the rest of the system (e.g., SELinux). If you want to do everything your own way, LFS is there waiting for you :).
Concerning VirtualHost. What about taking a look at that hated and despised default /etc/httpd/conf/httpd.conf? It is quite interesting reading. You would find there (among other things) this example:
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>
I haven't started with the sarcastic tone of this conversation, but one of my pet peeves is people who didn't bother to do any research (what about selinux(8), httpd_selinux(8), not to mention tons of documents over the internet -- Yahoo! gives me 1,380,000 hits for the search "+selinux +apache"), but whose reaction to their failure to do something they want to do is "SELinux is crap! We should remove it from Fedora!".
Best,
Matěj
Chuck Forsberg WA7KGX N2469R wrote:
When I install a new version of Fedora I leave Selinux on until it prevents me from doing something important. This time Selinux caused Apache to fail reading its configuration file where I specified the document root. Once again, as always, off with Selinux.
I don't know if Linux really needs Selinux. If it does, it needs something that doesn't get in the way of normal system functions.
Take a peek at the presentation on SELinux I did for Colorado Software Summit at http://people.redhat.com/tcameron - I cover putting Apache stuff in the wrong location and talk about how to get around it.