You could have a lot of mean issue with the security component selinux. In my experience, you want to run something in behind your apache2 httpd server, it is best to put selinux in permissive mode. Typically, Selinux can
- prevent a tomcat AJP connector to run on a port like 8019, supporting only the default port 8009
- prevent to access some files in that are not under /var/www for svn DAV module
-Prevent samba file sharing to see files in a directory (But the directory itself can be seen
All of these effect are very weird when you first see it, that is why, I recommend to desactivate selinux when you set up a new server. If your server will go on internet, you may harden your server afterwards by activating selinux.
The principle behind Selinux is to perform a check that one process should go throught a set of rule before accessing a resource. The resource can be
- Socket
- Processes
- Files
For instance, it could put some rules so that httpd cannot not access to any resource on computer and this goes on top of the OS security rules.
The big issue with selinux is that nothing goes into the classical error logs. It is q very dry denial. So if you face an issue that you dont understand on httpd server, it is good to try to desactivate selinux and see what happens.
You can switch the system into permissive mode with the following command:
setenforce 0
To check what mode the system is in,
cat /selinux/enforce
The above will switch off enforcement temporarily - until you reboot the system. If you want the system to always start in permissive mode, then here is how you do it. In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
To get you current status you could type
sestatus
Aucun commentaire:
Enregistrer un commentaire