Linux – selinux permissive and type targeted

Tags: linux, security, selinux

I am running CentOS 6.2.

Recently I noticed that Apache was running with SELinux enabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=Permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

I noticed that these errors were showing up in dmesg:

type=1400 audit(1354453732.704:9056368): avc:  denied  { name_connect } for  pid=39006 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=1400 audit(1354453735.777:9056369): avc:  denied  { name_connect } for  pid=39046 comm="httpd" dest=6379 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

I then enabled

/usr/sbin/setsebool httpd_can_network_connect=1

and this stopped the errors, and the web pages also started to work.

My question is: if SELinux is in permissive mode, will SELINUXTYPE=targeted enforce any policies?

If not, how did it solve the problem with Apache, as SELinux was already in permissive mode?

Best Answer

In permissive mode, SELinux will log items which would have resulted in denial of access in enforcing mode, but will not actually deny those actions. So no, it will not enforce policies in permissive mode, but it will consult those policies. Had you been in enforcing mode, you would not have been able to start/use httpd until you issued the setsebool command since the link between it and a network connection would have been prevented by SELinux.
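As an added illustration (not part of the question or the answer above): a small Python parser that reads the SELINUX= value from /etc/selinux/config and the AVC lines from dmesg, and reports for each logged denial whether the configured mode would merely log it (permissive) or block it (enforcing). The config text and the two log lines are embedded as constructed sample input copied from the question.

```python
import re

# Constructed sample input, copied from the question above (not a live system).
SAMPLE_CONFIG = "# This file controls the state of SELinux on the system.\nSELINUX=Permissive\nSELINUXTYPE=targeted\n"
SAMPLE_DMESG = [
    'type=1400 audit(1354453732.704:9056368): avc:  denied  { name_connect } for  pid=39006 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket',
    'type=1400 audit(1354453735.777:9056369): avc:  denied  { name_connect } for  pid=39046 comm="httpd" dest=6379 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
]
# Fields of one AVC denial as printed by the kernel audit subsystem.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'(?:\s+dest=(?P<dest>\d+))?.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# What a logged AVC means in each SELINUX= mode. The mode only decides enforcement;
# the SELINUXTYPE= policy is consulted (and logged against) in both live modes.
OUTCOME = {
    'enforcing': 'blocked by policy',
    'permissive': 'logged only, access was allowed',
}

def parse_config(text):
    """Read key=value lines of /etc/selinux/config, skipping comments; values lowercased."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#') and '=' in line:
            key, _, value = line.partition('=')
            cfg[key.strip()] = value.strip().lower()
    return cfg

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other dmesg line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['source_type'] = d['scontext'].split(':')[2]  # e.g. httpd_t
    d['target_type'] = d['tcontext'].split(':')[2]  # e.g. memcache_port_t
    return d

def explain(cfg, avc):
    """One line saying what the logged denial meant under the configured mode."""
    outcome = OUTCOME.get(cfg.get('SELINUX', 'disabled'), 'no policy loaded, nothing logged')
    return (f"{avc['comm']} ({avc['source_type']}) {avc['perm']} -> port "
            f"{avc.get('dest') or '?'} ({avc['target_type']}): {outcome}")

def report(config_text, dmesg_lines):
    cfg = parse_config(config_text)
    return [explain(cfg, a) for a in map(parse_avc, dmesg_lines) if a]
```

Running `report(SAMPLE_CONFIG, SAMPLE_DMESG)` on the question's data shows both httpd_t connections as "logged only", which is why the pages worked in permissive mode even before the boolean was set.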
