
badengineer 06-04-2007 01:42 AM

SElinux causing Apache/httpd problem on Fedora 6
I have a web server running on Fedora Core 6. I didn't use the default httpd; I compiled apache2 myself. The web server is fine from localhost. But if I try to access it from another machine or the internet, it's always "Connection timed out".

I have SELinux set to the default "enforcing". If I set it to permissive, all web access is fine. However, I'd like to keep the server as safe as possible, so I want to find out if it's possible to modify the SELinux settings to allow Apache to work while still enforcing the other security policy.

I do see all the inbound web access in the messages file -
xxxx kernel: Inbound IN=eth0 OUT= MAC=xx SRC=xxx DST=xxx LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=3160 DF PROTO=TCP SPT=24591 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

I also tried "disable selinux protection over httpd". It didn't make any difference. Not sure if it's because I'm not using the default httpd.


hollywoodb 06-04-2007 11:47 AM

It is because you're not using the default httpd.

If you need to use your custom httpd, install setroubleshoot, start setroubleshootd, and then after an SELinux denial, either run the SELinux Troubleshooter from the menu (if you have GNOME installed, you can click the star that shows up in the system tray), or else run

sealert -b
That will tell you why SELinux is stopping, what it is stopping, and hopefully how to work around it.

If you don't have any GUI installed, the following command will generate an HTML file you can view with any standard browser like lynx:

sealert -H -a /var/log/audit/audit.log > selinux.html
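
Added example, not part of either post above: a small Python parser that summarizes the `avc: denied` records `sealert -a` would be reading from `/var/log/audit/audit.log`, grouped by process, source type, target type and object class. The sample records, including their contexts, ports and file names, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1180939320.101:41): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=98312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1180939321.412:42): avc:  denied  { getattr } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=98312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1180939321.412:42): arch=40000003 syscall=195 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1180939400.007:57): avc:  denied  { name_bind } for  pid=2290 comm="httpd" src=8899 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1180939500.500:63): avc:  granted  { setenforce } for  pid=2500 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Yield one dict per 'avc: denied' record; other records are skipped."""
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue  # e.g. 'avc: granted' records
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        fields["perms"] = m.group("perms").split()
        yield fields


def summarize(text):
    """Map (comm, source type, target type, class) -> sorted denied permissions."""
    groups = defaultdict(set)
    for d in parse_denials(text):
        s = d.get("scontext", "").split(":")
        t = d.get("tcontext", "").split(":")
        if len(s) < 3 or len(t) < 3 or "tclass" not in d:
            continue  # truncated or malformed record
        groups[(d.get("comm", "?"), s[2], t[2], d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for (comm, stype, ttype, tclass), perms in summarize(SAMPLE_LOG).items():
        print(f"{comm}: {stype} -> {ttype} [{tclass}] denied {{ {' '.join(perms)} }}")
```

To run it against a real log, pass the contents of `/var/log/audit/audit.log` to `summarize()` instead of `SAMPLE_LOG`; reading that file normally requires root.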
