Debian Lenny: Setting SELinux policy so Apache can talk to Zope

Jeff Spencer's picture

If you use SELinux, you must customize the enforcement policy to allow Apache to connect to Zope. You can either audit the actions and build a policy from them, or use the one given here. This policy applies to the SELinux targeted policy on Debian Lenny. The following module allows Apache to connect to Zope:


module zope 1.0;
require {
        class tcp_socket name_connect;
        type http_cache_port_t;
        type httpd_t;
};

allow httpd_t http_cache_port_t:tcp_socket name_connect;

To build the policy, create a file called zope.te with the above contents, then run the following commands to build the module:


checkmodule -M -m -o zope.mod zope.te
semodule_package -o zope.pp -m zope.mod

Finally, load the module into the policy:

semodule -i zope.pp

If you have not already done so, switch SELinux to enforcing mode:

setenforce Enforcing
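
For the other route mentioned at the top, auditing the actions and building a policy from them, here is an added example (not the author's code) that reduces AVC denial records to module source in the way audit2allow does. The audit records are constructed for illustration, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed audit records for illustration; not captured from a real host.
SAMPLE_LOG = """\
type=AVC msg=audit(1250000000.123:45): avc:  denied  { name_connect } for  pid=2345 comm="apache2" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1250000009.789:47): avc:  denied  { read write } for  pid=990 comm="ntpd" name="drift" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1250000009.789:47): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")

def context_type(context):
    return context.split(":")[2]  # user:role:type[:level]

def collect_denials(log_text, source_type=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, granted AVCs, other noise
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        if source_type and key[0] != source_type:
            continue  # keep the module scoped to a single domain
        rules[key].update(m["perms"].split())
    return dict(rules)

def perm_set(perms):
    """One permission is written bare, several go inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_module(name, version, rules):
    """Render module source in the same layout as the page's zope.te."""
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {name} {version};", "require {"]
    out += [f"        class {c} {perm_set(p)};" for c, p in sorted(by_class.items())]
    out += [f"        type {t};" for t in types] + ["};", ""]
    out += [f"allow {s} {t}:{c} {perm_set(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("zope", "1.0", collect_denials(SAMPLE_LOG, "httpd_t")))
```

Filtering on httpd_t keeps the unrelated ntpd denial out of the module; without the filter, every denial in the log becomes an allow rule. Read the generated rules before compiling and loading them.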