FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 09-05-2008, 03:07 AM
"Robert J. Carr"
 
Default changes from fedora 7 to 9

Hopefully this is a quick question to those that know SELinux more
than I do, which wouldn't be very hard to accomplish.

I'm migrating a (working) environment from one server running Fedora 7
to another running Fedora 9. After pulling my hair out for most of
the day I've found out the problem is with SELinux because when I
turned it off temporarily everything worked fine.

Not to get into too much detail, but my problem came from apache not
being able to access a file (although the error isn't quite that
clear). Between the working environment and the non-working
environment I can only see a couple differences in the selinux config
files in /etc, but these have never been touched in either instance.

The context labels are a bit different too. The working environment
has these selinux context labels:

user_ubject_r:httpd_sys_content_t

But the non-working environment has these context labels:

unconfined_ubject_r:httpd_sys_content_t:s0

It seems to get an extra field and the user changes to unconfined. Is
this relevant?

There is nothing else that I can find different, is there anything
else that could be the problem?

Any advice would be greatly appreciated.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-05-2008, 06:34 AM
Paul Howarth
 
Default changes from fedora 7 to 9

On Thu, 4 Sep 2008 20:07:10 -0700
"Robert J. Carr" <rjcarr@gmail.com> wrote:

> Hopefully this is a quick question to those that know SELinux more
> than I do, which wouldn't be very hard to accomplish.
>
> I'm migrating a (working) environment from one server running Fedora 7
> to another running Fedora 9. After pulling my hair out for most of
> the day I've found out the problem is with SELinux because when I
> turned it off temporarily everything worked fine.
>
> Not to get into too much detail, but my problem came from apache not
> being able to access a file (although the error isn't quite that
> clear). Between the working environment and the non-working
> environment I can only see a couple differences in the selinux config
> files in /etc, but these have never been touched in either instance.
>
> The context labels are a bit different too. The working environment
> has these selinux context labels:
>
> user_ubject_r:httpd_sys_content_t
>
> But the non-working environment has these context labels:
>
> unconfined_ubject_r:httpd_sys_content_t:s0
>
> It seems to get an extra field and the user changes to unconfined. Is
> this relevant?
>
> There is nothing else that I can find different, is there anything
> else that could be the problem?
>
> Any advice would be greatly appreciated.

You need to find the actual SELinux denials that are happening and post
them. They'll be in /var/log/audit/audit.log if you're running the
audit daemon, and /var/log/messages of you're not.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-05-2008, 02:19 PM
Daniel J Walsh
 
Default changes from fedora 7 to 9

Robert J. Carr wrote:
> Hopefully this is a quick question to those that know SELinux more
> than I do, which wouldn't be very hard to accomplish.
>
> I'm migrating a (working) environment from one server running Fedora 7
> to another running Fedora 9. After pulling my hair out for most of
> the day I've found out the problem is with SELinux because when I
> turned it off temporarily everything worked fine.
>
> Not to get into too much detail, but my problem came from apache not
> being able to access a file (although the error isn't quite that
> clear). Between the working environment and the non-working
> environment I can only see a couple differences in the selinux config
> files in /etc, but these have never been touched in either instance.
>
> The context labels are a bit different too. The working environment
> has these selinux context labels:
>
> user_ubject_r:httpd_sys_content_t
>
> But the non-working environment has these context labels:
>
> unconfined_ubject_r:httpd_sys_content_t:s0
>
> It seems to get an extra field and the user changes to unconfined. Is
> this relevant?
>
> There is nothing else that I can find different, is there anything
> else that could be the problem?
>
> Any advice would be greatly appreciated.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Also pipe them through audit2why it might tell you you need to turn on a
boolean.

grep http /var/log/audit/audit.log | audit2allow -w

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-05-2008, 04:16 PM
"Robert J. Carr"
 
Default changes from fedora 7 to 9

Thanks Paul and Daniel-

I piped the logs through audit2why and here's what it is saying:

----

type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for
pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_ubject_r:httpd_sys_content_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

----

As I said previously I know almost nothing about selinux, so if this
means anything help is appreciated, otherwise I'm going to see what I
can find out.

Thanks for the guidance.

On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Robert J. Carr wrote:
>> Hopefully this is a quick question to those that know SELinux more
>> than I do, which wouldn't be very hard to accomplish.
>>
>> I'm migrating a (working) environment from one server running Fedora 7
>> to another running Fedora 9. After pulling my hair out for most of
>> the day I've found out the problem is with SELinux because when I
>> turned it off temporarily everything worked fine.
>>
>> Not to get into too much detail, but my problem came from apache not
>> being able to access a file (although the error isn't quite that
>> clear). Between the working environment and the non-working
>> environment I can only see a couple differences in the selinux config
>> files in /etc, but these have never been touched in either instance.
>>
>> The context labels are a bit different too. The working environment
>> has these selinux context labels:
>>
>> user_ubject_r:httpd_sys_content_t
>>
>> But the non-working environment has these context labels:
>>
>> unconfined_ubject_r:httpd_sys_content_t:s0
>>
>> It seems to get an extra field and the user changes to unconfined. Is
>> this relevant?
>>
>> There is nothing else that I can find different, is there anything
>> else that could be the problem?
>>
>> Any advice would be greatly appreciated.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Also pipe them through audit2why it might tell you you need to turn on a
> boolean.
>
> grep http /var/log/audit/audit.log | audit2allow -w
>
>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-05-2008, 05:35 PM
Paul Howarth
 
Default changes from fedora 7 to 9

On Fri, 5 Sep 2008 09:16:11 -0700
"Robert J. Carr" <rjcarr@gmail.com> wrote:

> Thanks Paul and Daniel-
>
> I piped the logs through audit2why and here's what it is saying:
>
> ----
>
> type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for
> pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_ubject_r:httpd_sys_content_t:s0 tclass=file
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
>
> ----
>
> As I said previously I know almost nothing about selinux, so if this
> means anything help is appreciated, otherwise I'm going to see what I
> can find out.
>
> Thanks for the guidance.
>
> On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh <dwalsh@redhat.com>
> wrote:
> > Robert J. Carr wrote:
> >> Hopefully this is a quick question to those that know SELinux more
> >> than I do, which wouldn't be very hard to accomplish.
> >>
> >> I'm migrating a (working) environment from one server running
> >> Fedora 7 to another running Fedora 9. After pulling my hair out
> >> for most of the day I've found out the problem is with SELinux
> >> because when I turned it off temporarily everything worked fine.
> >>
> >> Not to get into too much detail, but my problem came from apache
> >> not being able to access a file (although the error isn't quite
> >> that clear). Between the working environment and the non-working
> >> environment I can only see a couple differences in the selinux
> >> config files in /etc, but these have never been touched in either
> >> instance.
> >>
> >> The context labels are a bit different too. The working
> >> environment has these selinux context labels:
> >>
> >> user_ubject_r:httpd_sys_content_t
> >>
> >> But the non-working environment has these context labels:
> >>
> >> unconfined_ubject_r:httpd_sys_content_t:s0
> >>
> >> It seems to get an extra field and the user changes to
> >> unconfined. Is this relevant?
> >>
> >> There is nothing else that I can find different, is there anything
> >> else that could be the problem?
> >>
> >> Any advice would be greatly appreciated.
> >>
> >> --
> >> fedora-selinux-list mailing list
> >> fedora-selinux-list@redhat.com
> >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > Also pipe them through audit2why it might tell you you need to turn
> > on a boolean.
> >
> > grep http /var/log/audit/audit.log | audit2allow -w

OK, I don't know where your trac.db file is, so let's say
it's /srv/www/trac/db/trac.db

See if this helps:
# chcon -R -t httpd_sys_script_rw_t /srv/www/trac/

Cheers, Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-05-2008, 05:50 PM
"Robert J. Carr"
 
Default changes from fedora 7 to 9

Thanks Paul! I put that label (httpd_sys_script_rw_t) on the trac.db
file itself (not using -R as you suggested) and it worked.

So now for the whole teach a guy how to fish part. Is this a new
label for selinux in Fedora 9? In my other working environment in
Fedora 7 all files (including trac.db) are labeled with
httpd_sys_content_t. What's different?

Is there some guide that tells you the labels you should be using for
specific types of httpd files?

Thanks again for the help ... it is greatly appreciated.


On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth <paul@city-fan.org> wrote:
> On Fri, 5 Sep 2008 09:16:11 -0700
> "Robert J. Carr" <rjcarr@gmail.com> wrote:
>
>> Thanks Paul and Daniel-
>>
>> I piped the logs through audit2why and here's what it is saying:
>>
>> ----
>>
>> type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for
>> pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=system_ubject_r:httpd_sys_content_t:s0 tclass=file
>>
>> Was caused by:
>> Missing type enforcement (TE) allow rule.
>>
>> You can use audit2allow to generate a loadable module to allow this
>> access.
>>
>> ----
>>
>> As I said previously I know almost nothing about selinux, so if this
>> means anything help is appreciated, otherwise I'm going to see what I
>> can find out.
>>
>> Thanks for the guidance.
>>
>> On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh <dwalsh@redhat.com>
>> wrote:
>> > Robert J. Carr wrote:
>> >> Hopefully this is a quick question to those that know SELinux more
>> >> than I do, which wouldn't be very hard to accomplish.
>> >>
>> >> I'm migrating a (working) environment from one server running
>> >> Fedora 7 to another running Fedora 9. After pulling my hair out
>> >> for most of the day I've found out the problem is with SELinux
>> >> because when I turned it off temporarily everything worked fine.
>> >>
>> >> Not to get into too much detail, but my problem came from apache
>> >> not being able to access a file (although the error isn't quite
>> >> that clear). Between the working environment and the non-working
>> >> environment I can only see a couple differences in the selinux
>> >> config files in /etc, but these have never been touched in either
>> >> instance.
>> >>
>> >> The context labels are a bit different too. The working
>> >> environment has these selinux context labels:
>> >>
>> >> user_ubject_r:httpd_sys_content_t
>> >>
>> >> But the non-working environment has these context labels:
>> >>
>> >> unconfined_ubject_r:httpd_sys_content_t:s0
>> >>
>> >> It seems to get an extra field and the user changes to
>> >> unconfined. Is this relevant?
>> >>
>> >> There is nothing else that I can find different, is there anything
>> >> else that could be the problem?
>> >>
>> >> Any advice would be greatly appreciated.
>> >>
>> >> --
>> >> fedora-selinux-list mailing list
>> >> fedora-selinux-list@redhat.com
>> >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> > Also pipe them through audit2why it might tell you you need to turn
>> > on a boolean.
>> >
>> > grep http /var/log/audit/audit.log | audit2allow -w
>
> OK, I don't know where your trac.db file is, so let's say
> it's /srv/www/trac/db/trac.db
>
> See if this helps:
> # chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
>
> Cheers, Paul.
>
>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-05-2008, 06:30 PM
Daniel J Walsh
 
Default changes from fedora 7 to 9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert J. Carr wrote:
> Thanks Paul! I put that label (httpd_sys_script_rw_t) on the trac.db
> file itself (not using -R as you suggested) and it worked.
>
> So now for the whole teach a guy how to fish part. Is this a new
> label for selinux in Fedora 9? In my other working environment in
> Fedora 7 all files (including trac.db) are labeled with
> httpd_sys_content_t. What's different?
>
> Is there some guide that tells you the labels you should be using for
> specific types of httpd files?
>
> Thanks again for the help ... it is greatly appreciated.
>
>
> On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth <paul@city-fan.org> wrote:
>> On Fri, 5 Sep 2008 09:16:11 -0700
>> "Robert J. Carr" <rjcarr@gmail.com> wrote:
>>
>>> Thanks Paul and Daniel-
>>>
>>> I piped the logs through audit2why and here's what it is saying:
>>>
>>> ----
>>>
>>> type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for
>>> pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=system_ubject_r:httpd_sys_content_t:s0 tclass=file
>>>
>>> Was caused by:
>>> Missing type enforcement (TE) allow rule.
>>>
>>> You can use audit2allow to generate a loadable module to allow this
>>> access.
>>>
>>> ----
>>>
>>> As I said previously I know almost nothing about selinux, so if this
>>> means anything help is appreciated, otherwise I'm going to see what I
>>> can find out.
>>>
>>> Thanks for the guidance.
>>>
>>> On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh <dwalsh@redhat.com>
>>> wrote:
>>>> Robert J. Carr wrote:
>>>>> Hopefully this is a quick question to those that know SELinux more
>>>>> than I do, which wouldn't be very hard to accomplish.
>>>>>
>>>>> I'm migrating a (working) environment from one server running
>>>>> Fedora 7 to another running Fedora 9. After pulling my hair out
>>>>> for most of the day I've found out the problem is with SELinux
>>>>> because when I turned it off temporarily everything worked fine.
>>>>>
>>>>> Not to get into too much detail, but my problem came from apache
>>>>> not being able to access a file (although the error isn't quite
>>>>> that clear). Between the working environment and the non-working
>>>>> environment I can only see a couple differences in the selinux
>>>>> config files in /etc, but these have never been touched in either
>>>>> instance.
>>>>>
>>>>> The context labels are a bit different too. The working
>>>>> environment has these selinux context labels:
>>>>>
>>>>> user_ubject_r:httpd_sys_content_t
>>>>>
>>>>> But the non-working environment has these context labels:
>>>>>
>>>>> unconfined_ubject_r:httpd_sys_content_t:s0
>>>>>
>>>>> It seems to get an extra field and the user changes to
>>>>> unconfined. Is this relevant?
>>>>>
>>>>> There is nothing else that I can find different, is there anything
>>>>> else that could be the problem?
>>>>>
>>>>> Any advice would be greatly appreciated.
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>> Also pipe them through audit2why it might tell you you need to turn
>>>> on a boolean.
>>>>
>>>> grep http /var/log/audit/audit.log | audit2allow -w
>> OK, I don't know where your trac.db file is, so let's say
>> it's /srv/www/trac/db/trac.db
>>
>> See if this helps:
>> # chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
>>
>> Cheers, Paul.
>>
>>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
man httpd_selinux

Explains a lot of it.

# semanage fcontext -a -t httpd_sys_script_rw_t '/srv/www/trac(/.*)?'


But this is revealing a bug in policy. This is supposed to work out of
the box with the httpd_unified boolean turned on. But the policy to do
this was accidently removed.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjBeskACgkQrlYvE4MpobN9TwCfad+fPalb5e gzj/Mnq0OYvBGb
Nr0AoI1xWlN4z5n4Q4/9RwQ5jh4oz4CQ
=VxgT
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-05-2008, 06:32 PM
Daniel J Walsh
 
Default changes from fedora 7 to 9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel J Walsh wrote:
> Robert J. Carr wrote:
>> Thanks Paul! I put that label (httpd_sys_script_rw_t) on the trac.db
>> file itself (not using -R as you suggested) and it worked.
>
>> So now for the whole teach a guy how to fish part. Is this a new
>> label for selinux in Fedora 9? In my other working environment in
>> Fedora 7 all files (including trac.db) are labeled with
>> httpd_sys_content_t. What's different?
>
>> Is there some guide that tells you the labels you should be using for
>> specific types of httpd files?
>
>> Thanks again for the help ... it is greatly appreciated.
>
>
>> On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth <paul@city-fan.org> wrote:
>>> On Fri, 5 Sep 2008 09:16:11 -0700
>>> "Robert J. Carr" <rjcarr@gmail.com> wrote:
>>>
>>>> Thanks Paul and Daniel-
>>>>
>>>> I piped the logs through audit2why and here's what it is saying:
>>>>
>>>> ----
>>>>
>>>> type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for
>>>> pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=system_ubject_r:httpd_sys_content_t:s0 tclass=file
>>>>
>>>> Was caused by:
>>>> Missing type enforcement (TE) allow rule.
>>>>
>>>> You can use audit2allow to generate a loadable module to allow this
>>>> access.
>>>>
>>>> ----
>>>>
>>>> As I said previously I know almost nothing about selinux, so if this
>>>> means anything help is appreciated, otherwise I'm going to see what I
>>>> can find out.
>>>>
>>>> Thanks for the guidance.
>>>>
>>>> On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh <dwalsh@redhat.com>
>>>> wrote:
>>>>> Robert J. Carr wrote:
>>>>>> Hopefully this is a quick question to those that know SELinux more
>>>>>> than I do, which wouldn't be very hard to accomplish.
>>>>>>
>>>>>> I'm migrating a (working) environment from one server running
>>>>>> Fedora 7 to another running Fedora 9. After pulling my hair out
>>>>>> for most of the day I've found out the problem is with SELinux
>>>>>> because when I turned it off temporarily everything worked fine.
>>>>>>
>>>>>> Not to get into too much detail, but my problem came from apache
>>>>>> not being able to access a file (although the error isn't quite
>>>>>> that clear). Between the working environment and the non-working
>>>>>> environment I can only see a couple differences in the selinux
>>>>>> config files in /etc, but these have never been touched in either
>>>>>> instance.
>>>>>>
>>>>>> The context labels are a bit different too. The working
>>>>>> environment has these selinux context labels:
>>>>>>
>>>>>> user_ubject_r:httpd_sys_content_t
>>>>>>
>>>>>> But the non-working environment has these context labels:
>>>>>>
>>>>>> unconfined_ubject_r:httpd_sys_content_t:s0
>>>>>>
>>>>>> It seems to get an extra field and the user changes to
>>>>>> unconfined. Is this relevant?
>>>>>>
>>>>>> There is nothing else that I can find different, is there anything
>>>>>> else that could be the problem?
>>>>>>
>>>>>> Any advice would be greatly appreciated.
>>>>>>
>>>>>> --
>>>>>> fedora-selinux-list mailing list
>>>>>> fedora-selinux-list@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>> Also pipe them through audit2why it might tell you you need to turn
>>>>> on a boolean.
>>>>>
>>>>> grep http /var/log/audit/audit.log | audit2allow -w
>>> OK, I don't know where your trac.db file is, so let's say
>>> it's /srv/www/trac/db/trac.db
>>>
>>> See if this helps:
>>> # chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
>>>
>>> Cheers, Paul.
>>>
>>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Resending with fixed text.

man httpd_selinux

Explains a lot of it.

# semanage fcontext -a -t httpd_sys_script_rw_t '/srv/www/trac(/.*)?'
# restorecon -R -v /srv/www

Is better then chcon since it will survive a relebel.

But this is revealing a bug in policy. This is supposed to work out of
the box with the httpd_unified boolean turned on. But the policy to do
this was accidently removed.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjBe1YACgkQrlYvE4MpobOMdACfc4FxXzfSjh xCTaMsMv/KIYKa
pgkAn0rvEjLA/dYEmpm/BEXHvRxTk//r
=5c1o
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 09-08-2008, 08:55 AM
Paul Howarth
 
Default changes from fedora 7 to 9

Robert J. Carr wrote:

Thanks Paul! I put that label (httpd_sys_script_rw_t) on the trac.db
file itself (not using -R as you suggested) and it worked.

So now for the whole teach a guy how to fish part. Is this a new
label for selinux in Fedora 9? In my other working environment in
Fedora 7 all files (including trac.db) are labeled with
httpd_sys_content_t. What's different?

Is there some guide that tells you the labels you should be using for
specific types of httpd files?

Thanks again for the help ... it is greatly appreciated.


On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth <paul@city-fan.org> wrote:

On Fri, 5 Sep 2008 09:16:11 -0700
"Robert J. Carr" <rjcarr@gmail.com> wrote:


Thanks Paul and Daniel-

I piped the logs through audit2why and here's what it is saying:

----

type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for
pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_ubject_r:httpd_sys_content_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this
access.

----

As I said previously I know almost nothing about selinux, so if this
means anything help is appreciated, otherwise I'm going to see what I
can find out.

Thanks for the guidance.


As Dan suggested, "man httpd_selinux" lists the available context types
for web applications that don't have their own specific types (bugzilla
is an example of an app that has its own types).


I find a reasonable rule of thumb is:
* CGI scripts need to be httpd_script_exec_t
* Files/directories that needs to be writeable by the apache user or
group should be httpd_sys_script_rw_t

* Everything else should be httpd_sys_content_t

In your case, you may find that just setting the context of trac.db
fixes the immediate problem but you may have issues e.g. with adding
attachments to trac wiki pages, hence the suggestion to do all of
/srv/www/trac


Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 06:09 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org