Nathan Grennan wrote:
> How do I disable SELinux completely for httpd? In F7 from what I have
> read it was "setsebool -P httpd_disable_trans 1". I get the errors below
> when I try that. I looked in the policy files and couldn't find any
> reference of it. I looked in system-config-selinux, and only found
> options to tweak small aspects of SELinux for httpd, but not completely
> disable it. I also notice there don't seem to be options to disable
> SELinux for any service. Not having a per-service disable option means
> your only recourse in some situations is simply to put SELinux in
> permissive mode.
>
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change boolean httpd_disable_trans
> Could not change policy booleans
>
> I want to disable httpd, because I don't want to have to run restorecon
> ~/public_html/dir if I move a directory from ~/ to ~/public_html. I find
> the whole idea of restorecon funny. It isn't like chown or chmod where
> you give it options telling it what to change it to. It is just supposed
> to fall back on policy. So why not just have the system automatically
> set the default policy on the move? You can say, but there is chcon, but
> even if you use it to hand set something, if restorecon or a relabel
> on boot are used in the future it is likely going to wipe any
> changes made with chcon.

chcon is just like chown or chmod, and actually changing a file context to httpd_sys_content_t will survive a relabel, which you really should not need to do. If you cp the contents of the directory they should adopt the context of the destination directory. Also you could use restorecond to watch for the creation of files in the directory.

*_disable_trans was removed because it caused as many problems as it solved. When you disable trans on one domain, you can cause other domains to blow up because file context gets screwed up. If you really want to disable trans you could change the context of httpd to bin_t: chcon -t bin_t /usr/sbin/httpd, but this will not survive a relabel.

We are hoping to add permissive domains pretty soon, where you define httpd as a permissive domain, and it would only report access problems and not enforce them.
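The situation the reply describes (a directory mv'ed into ~/public_html keeps its old label, while cp'ed content adopts the destination's) can be spotted before httpd starts failing. The script below is an added example, not code from the mailing list; it assumes GNU stat (whose %C prints the SELinux context, or "?" on a system without SELinux) and flags entries whose type differs from their top directory's type, which is the usual sign of content that needs restorecon.

```shell
#!/bin/sh
# Added example: detect files under a web directory whose SELinux type
# differs from the directory's own type (typically content that was mv'ed
# in and kept its old label instead of adopting the destination's).
# Assumption: GNU stat; on a non-SELinux system every context is "?".

# Print only the type field (third colon-separated field) of a path's context.
selinux_type() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || ctx='?'
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Print one line "<path><TAB><actual type><TAB><expected type>" for every
# entry below $1 whose type does not match $1's type; prints nothing when
# all labels are consistent.
find_stale_contexts() {
    dir=$1
    want=$(selinux_type "$dir")
    find "$dir" -mindepth 1 -print | while IFS= read -r f; do
        have=$(selinux_type "$f")
        [ "$have" = "$want" ] || printf '%s\t%s\t%s\n' "$f" "$have" "$want"
    done
}

# Number of mismatched entries below $1, as a plain integer.
count_stale_contexts() {
    find_stale_contexts "$1" | wc -l | tr -d ' '
}

# Typical use after moving a directory into ~/public_html on Fedora:
#   [ "$(count_stale_contexts ~/public_html)" -eq 0 ] \
#       || restorecon -Rv ~/public_html
```

Run it against ~/public_html after a mv; a non-empty listing means the labels no longer match the directory and restorecon -Rv (or a cp instead of mv next time) is the fix the reply recommends.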