Anyone good with selinux?

I'm trying to study for RHCSA followed by RHCE, and the one thing that I can't quite get my head around is SELinux.

I understand about file contexts, how to set them etc, but the thing I don't get are the Boolean Values. When I set them on my machine, they don't actually seem to do anything. I'm either doing something wrong or perhaps the policy that ships with RHEL6 is broken?!

Example: I've got Apache installed, and PHP installed. In theory if I disable the boolean which allows httpd to use inbuilt scripting, PHP shouldn't work. It still works.. I've also done the same for the boolean which allows Apache to run CGI, and it still works. They are definitely set including in the policy file, and I've rebooted just in case.

Anyone know what I'm missing?

Thanks
 
There aren't a tremendous number of SELinux questions in either the RHCSA or RHCE exams.

A little more info on the question you posted that may shed some light on it.

httpd_builtin_scripting
If you did not configure Apache to load scripting modules by changing the /etc/httpd/conf/httpd.conf configuration file, set this Boolean to off. If you are unsure, turn httpd_builtin_scripting to off and check the /var/log/messages file for any httpd-related SELinux warnings. See the description of httpd_enable_cgi for an example. PHP and other scripting modules run with the same level of access as the http daemon. Therefore, turning httpd_builtin_scripting to off reduces the amount of access available if the Web server is compromised.

So that boolean will not prevent httpd running PHP ;)
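
An added example, not part of either post or of the quoted documentation: a small shell function for the log check the quoted text suggests, counting SELinux AVC denials whose source context is httpd_t, grouped by object class and permission. The function names and the sample log lines are constructed for illustration; on a real host pass it /var/log/messages or /var/log/audit/audit.log after toggling a boolean.

```shell
#!/bin/sh
# Added example: summarise httpd-related SELinux denials from a log file.
# If toggling a boolean adds no new entries here, that boolean is not what
# is allowing (or blocking) the behaviour you are testing.

# Constructed sample input (not from a real host).
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 web1 kernel: type=1400 audit(1389348001.123:41): avc:  denied  { execute } for  pid=2101 comm="httpd" name="test.cgi" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
Jan 10 10:00:05 web1 kernel: type=1400 audit(1389348005.456:42): avc:  denied  { execute } for  pid=2102 comm="httpd" name="test.cgi" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
Jan 10 10:01:00 web1 kernel: type=1400 audit(1389348060.001:43): avc:  denied  { name_connect } for  pid=2103 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
Jan 10 10:02:00 web1 kernel: type=1400 audit(1389348120.002:44): avc:  denied  { read } for  pid=900 comm="sshd" name="key" dev=dm-0 ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
Jan 10 10:03:00 web1 httpd: caught SIGTERM, shutting down
EOF
}

# Print "<count> <tclass>:<permissions>" for every denial from httpd_t.
# Reads the files given as arguments, or stdin when none are given.
httpd_denials() {
    awk '
    /avc:/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
        # Permission list is the text between the braces.
        perm = $0
        sub(/^.*[{] */, "", perm)
        sub(/ *[}].*$/, "", perm)
        # Object class is the value of tclass=.
        cls = $0
        sub(/^.*tclass=/, "", cls)
        sub(/[ \t].*$/, "", cls)
        count[cls ":" perm]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k2
}

# Stand-alone run on the constructed sample.
sample_log | httpd_denials
```

Run it once before and once after changing a boolean and compare the two summaries.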
 