Re: do I need SELinux?

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Chris Hewitt wrote:

> On Sat, 2004-11-13 at 03:48, john bray wrote:
>  
>
> > On Fri, 2004-11-12 at 10:01 -0500, Daniel J Walsh plumb said:
> >    
> >
> > > Steven Stern wrote:
> > >
> > >      
> > >
> > > > On Fri, 12 Nov 2004 09:37:21 -0500, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > > >
> > > >
> > > >
> > > >        
> > > >
> > > > > So I would hope that people will work with it and not just turn it off 
> > > > > as soon as they have a problem
> > > > > with the system.
> > > > >   
> > > > >
> > > > >          
> > > > I haven't had any problems and assume it's working fine on my system.  But how
> > > > do I know?  Will something show up in logwatch if there's something to worry
> > > > about?  What syslog message prefix indicates a SELINUX targeted policy
> > > > message?
> > > >
> > > > (Yes, this is probably in the FAQ, so if you can point me to the right one,
> > > > I'll go off quiely and read it.)
> > > >
> > > >
> > > >        
> > > You might see some change in behavior of applications and usually AVC 
> > > messages in /var/log/messages.
> > >
> > > For the most part you probably will see nothing.
> > >
> > > sestatus shows you whether it is running or not.
> > >
> > >
> > >
> > >      
> > ok.   i got interested in checking this out.  so:
> >
> > [root@junior ntp]# grep AVC /var/log/message*
> > [root@junior ntp]# sestatus
> > SELinux status:         disabled
> > [root@junior ntp]#    
> >
> >
> > i thought that FC3 was defaulting to targeted?  this is an upgrade from
> > FC2 system, BTW.
> >
> > what do i have to do now, to get it turned on? 
> >    
>
> John,
>
> An earlier poster said it is off by default on upgrades. GUI method:
> System Settings -> Security Level, SELinux tab, check Enabled and
> Enforcing, Policy should be Targeted. Command line method: edit
> /etc/selinux/config. Reboot (its kernel stuff so reboot unfortunately
> needed).
>
> I've got a fresh FC3 installation (not upgrade) and have a PHP
> application using either PostgreSQL or MySQL. As SELinux documentation
> indicates it should allow http/PHP to access MySQL I was not surprised
> that my application did not work with PostgreSQL, but it did not work
> with MySQL either. If I turn off SELinux then it is fine with either
> database. 
>
> I agree SELinux is a good idea (particularly for servers), but I have
> not yet found good documentation on the details of setting it up (with
> PostgreSQL in particular), maybe I simply need to look harder. Another
> previous poster hoped that we would work with SELinux to help it along,
> and I agree with this, but present time constraints make it so much
> easier for me to simply work with SELinux disabled.
>  
In stead of disabling SELinux please disable apache.  If you have a problem.

system-config-securitylevel can do this.  That way you can still run 
with SELinux without
Apache problems.

> Regards
>
> Chris
>
>