selinux permissive and type targeted

6,879

In permissive mode, SELinux will log items which would have resulted in denial of access in enforcing mode, but will not actually deny those actions. So no, it will not enforce policies in permissive mode, but it will consult those policies. Had you been in enforcing mode, you would not have been able to start/use httpd until you issued the setsebool command, since the link between it and a network connection would have been prevented by SELinux.


Author: krisdigitx

Updated on September 18, 2022

Comments

  • krisdigitx, almost 2 years

    I am running CentOS 6.2.

    Recently I noticed that Apache was running with SELinux enabled:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=Permissive
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    

    I noticed that these errors were showing up in dmesg:

    type=1400 audit(1354453732.704:9056368): avc:  denied  { name_connect } for  pid=39006 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
    type=1400 audit(1354453735.777:9056369): avc:  denied  { name_connect } for  pid=39046 comm="httpd" dest=6379 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
    

    I then enabled

    /usr/sbin/setsebool httpd_can_network_connect=1
    

    and this stopped the errors, and the web pages also started to work.

    My question is: if SELinux is in permissive mode, will selinuxtype=targeted enforce any policies?

    If not, how did it solve the problem with Apache, as SELinux was already in permissive mode?
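As an added example (not part of the question or the answer above), here is a small POSIX shell helper that reduces AVC denial lines like the two quoted in the question to the fields that matter when deciding which port label and which boolean a denial concerns. The sample lines are constructed from the ones quoted above, and the function names are my own.

```sh
#!/bin/sh
# Added example: summarise SELinux AVC denial lines (as seen in dmesg or
# /var/log/audit/audit.log). In permissive mode these log lines are the
# only evidence of a policy violation, since nothing is actually blocked,
# so reading them is how you find out what enforcing mode would stop.

# Constructed sample input, mirroring the two denials from the question.
AVC_SAMPLE='type=1400 audit(1354453732.704:9056368): avc:  denied  { name_connect } for  pid=39006 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=1400 audit(1354453735.777:9056369): avc:  denied  { name_connect } for  pid=39046 comm="httpd" dest=6379 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Read AVC lines on stdin; print one "comm perm dest target_type" record
# per denial. The target type is the third field of tcontext
# (user:role:type:level), e.g. memcache_port_t or the generic port_t.
avc_summary() {
    grep 'avc: *denied' | while IFS= read -r line; do
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr -d ' ')
        dest=$(printf '%s\n' "$line" | sed -n 's/.*dest=\([0-9]*\).*/\1/p')
        ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        printf '%s %s %s %s\n' "$comm" "$perm" "$dest" "$ttype"
    done
}

# Count denials whose target is the generic port_t type. Those are the
# ones the broad boolean httpd_can_network_connect (used in the question)
# addresses; a port carrying its own label, such as memcache_port_t, can
# usually be allowed with a narrower boolean instead of opening all ports.
# Note that setsebool without -P does not survive a reboot.
count_generic_port_denials() {
    avc_summary | awk '$4 == "port_t"' | wc -l | tr -d ' '
}

# Stand-alone usage on the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf 'denials against generic port_t: %s\n' \
    "$(printf '%s\n' "$AVC_SAMPLE" | count_generic_port_denials)"
```

Feed it real lines with `grep avc /var/log/audit/audit.log | avc_summary` on the affected host to get the same summary for your own denials.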