SE Linux is a feature of the Linux kernel that provides mandatory access control. This policy based access control system grants far greater control over the resources on a machine than standard Linux access controls such as permissions.

Many modern Linux distributions are shipping with SELinux enabled by default, Fedora 14 and Rhel 6 both install with it enabled.

When you run Recital Web on a SELinux enabled machine and navigate to the default.rsp page you will see something similar to the screen shot below.


If you launch the SELinux troubleshooter you will see the following problem.

SELinux is blocking the apache server from accessing the Recital server running on port 8001.


To manage you SELinux policy you must have the policycoreutils package group installed. The policycoreutils contains the policy core utilities that are required for basic operation of a SELinux system.

If you wish to use a GUI tool, you must install the policycoreutils-gui package.

At the command prompt execute the following:

As root

$ yum install policycoreutils

$ semanage port -a -t http_port_t -p tcp 8001

$ service recital restart

$ service httpd restart 
 

We use the semanage command here to allow the http server access to port 8001. Once you have completed the steps detailed above you can go and navigate back to the default.rsp page in your borwser, where you will find the permission denied message is now replaced by the default.rsp page.



SELinux does a great job of restricting services and daemons so rather than simply disabling it, why not work with it!

When it comes to security, every little bit helps...