Changes between Version 16 and Version 17 of NDGBrowseHowTo


Timestamp: 26/04/07 11:08:12
Author: mggr
Comment: --

    109109web server user and modify wsgiEnvTest.ini for your wsgi server environment, but you should 
    110110then be able to point your browser at http://yourhost/browse, and see the wsgi environment variables! 
     111 
     112===== SELinux ===== 
     113A common problem on modern distributions is running into SELinux.  SELinux is a set of kernel-level hooks that allow system policy to be very specific in controlling the behavior of applications - it's commonly used to harden externally accessible services by ensuring that if they are compromised, the harm they can do is strictly limited to the parts of the filesystem (and access to other services) that they're allowed to access by the policy.  In practice, this will manifest as bizarre-seeming denials of permission to do things, despite the standard unix permissions appearing to be correct.   You can normally check for this more specifically with something like `dmesg`, which will list errors like: 
     114{{{ 
     115audit(1177519136.261:269): avc:  denied  { getattr } for  pid=22315 comm="httpd" name="www" dev=sda5 ino=7554543 scontext=root:system_r:httpd_t tcontext=root:object_r:var_t tclass=lnk_file 
     116}}} 
     117(note ''httpd'' in the above) 
     118 
     119Not all distributions will report in the same way - RHEL4 dumps errors to /var/log/messages and console (dmesg), Fedora Core 6 hides them away in /var/log/audit (maybe needs an additional audit daemon running too, not sure). 
     120 
     121A typical response to SELinux is to turn it off (or switch to permissive rather than enforcing mode - this just warns but doesn't block).  The "correct" fixes are either to arrange things to match the expectations of your policy (e.g. put webserver files in specific locations, marked with correct security contexts) or, if necessary, to write additional policy rules within the framework your distribution has provided that allow the specific actions you wish to do. 
     122 
     123To test if SELinux is definitely enabled, run `sestatus` (as root) or cat /selinux/enforce (1 = active and enforcing).  To disable it is distribution specific (RHEL & FC: run system-config-securitylevel, go to SELinux tab).  To find out what you should be doing re: system policy is also system specific, but some good documents are: 
     124 * http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/ 
     125 * http://docs.fedoraproject.org/selinux-faq/ 
     126 * http://www.crypt.gen.nz/selinux/faq.html (general FAQ) 
     127 
     128(mggr) Speaking as someone with a fair degree of SELinux experience, it's pretty hard going ;)  This is something we should probably resolve at a distribution level and include instructions as needed (possibly just saying "mail us if you figure it out ;)"). 
     129
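Review bot: the enabled/enforcing test in the "To test if SELinux is definitely enabled" paragraph is incomplete: `cat /selinux/enforce` only distinguishes enforcing (1) from permissive (0), and the file does not exist at all when SELinux is disabled, so the paragraph should say that `sestatus` reports both the enabled state and the current mode, and that `getenforce` prints Enforcing, Permissive or Disabled directly. The open question in the "Not all distributions will report in the same way" paragraph ("maybe needs an additional audit daemon running too, not sure") can be closed: when auditd is running, AVC denials go to /var/log/audit/audit.log; when it is not, the kernel logs them through the normal kernel log, which is why RHEL4 shows them in dmesg and /var/log/messages. The "correct" fixes in the following paragraph would be more actionable if the tools were named: the quoted denial (`comm="httpd" ... tcontext=root:object_r:var_t tclass=lnk_file`) is httpd touching a symlink still labelled var_t, which is a file-labelling problem fixed with `restorecon` (or `chcon` to the type the policy expects for web content, e.g. httpd_sys_content_t) rather than by disabling SELinux, and where the layout cannot be changed, `audit2allow` turns the logged denials into a local policy module within the distribution's framework, which is exactly the "additional policy rules" option the text describes.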