changes from fedora 7 to 9

Paul Howarth paul at city-fan.org
Fri Sep 5 17:35:48 UTC 2008


On Fri, 5 Sep 2008 09:16:11 -0700
"Robert J. Carr" <rjcarr at gmail.com> wrote:

> Thanks Paul and Daniel-
> 
> I piped the logs through audit2why and here's what it is saying:
> 
> ----
> 
> type=AVC msg=audit(1220631048.301:1541): avc:  denied  { write } for
> pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
> 
> Was caused by:
> Missing type enforcement (TE) allow rule.
> 
> You can use audit2allow to generate a loadable module to allow this
> access.
> 
> ----
> 
> As I said previously I know almost nothing about selinux, so if this
> means anything help is appreciated, otherwise I'm going to see what I
> can find out.
> 
> Thanks for the guidance.
> 
> On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh <dwalsh at redhat.com>
> wrote:
> > Robert J. Carr wrote:
> >> Hopefully this is a quick question to those that know SELinux more
> >> than I do, which wouldn't be very hard to accomplish.
> >>
> >> I'm migrating a (working) environment from one server running
> >> Fedora 7 to another running Fedora 9.  After pulling my hair out
> >> for most of the day I've found out the problem is with SELinux
> >> because when I turned it off temporarily everything worked fine.
> >>
> >> Not to get into too much detail, but my problem came from apache
> >> not being able to access a file (although the error isn't quite
> >> that clear).  Between the working environment and the non-working
> >> environment I can only see a couple differences in the selinux
> >> config files in /etc, but these have never been touched in either
> >> instance.
> >>
> >> The context labels are a bit different too.  The working
> >> environment has these selinux context labels:
> >>
> >>   user_u:object_r:httpd_sys_content_t
> >>
> >> But the non-working environment has these context labels:
> >>
> >>   unconfined_u:object_r:httpd_sys_content_t:s0
> >>
> >> It seems to get an extra field and the user changes to
> >> unconfined.  Is this relevant?
> >>
> >> There is nothing else that I can find different, is there anything
> >> else that could be the problem?
> >>
> >> Any advice would be greatly appreciated.
> > Also pipe them through audit2why; it might tell you that you need
> > to turn on a boolean.
> >
> > grep http /var/log/audit/audit.log | audit2allow -w

OK, I don't know where your trac.db file is, so let's say
it's /srv/www/trac/db/trac.db

See if this helps:
# chcon -R -t httpd_sys_script_rw_t /srv/www/trac/

Cheers, Paul.
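
An added example, not part of the original thread: a small parser for the AVC denial quoted above. It separates each context into user:role:type and an optional fourth field (the MLS/MCS level), and shows that the two labels from the original question carry the same type. The function names are made up for this illustration.

```python
import re

# The denial quoted in the thread, joined onto one line as audit.log stores it.
AVC = ('type=AVC msg=audit(1220631048.301:1541): avc:  denied  { write } for '
       'pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 '
       'scontext=unconfined_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file')

def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    user, role, setype = parts[:3]
    level = parts[3] if len(parts) == 4 else None  # label shown without a level
    return {"user": user, "role": role, "type": setype, "level": level}

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
    fields = {k: v.strip('"') for k, v in fields.items()}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
    }

def same_type(ctx_a, ctx_b):
    """Type enforcement rules are written against the type field only."""
    return parse_context(ctx_a)["type"] == parse_context(ctx_b)["type"]

def summarize(line):
    """One-line reading of a denial: who, which permission, on what label."""
    d = parse_avc(line)
    return "%s (%s) denied {%s} on %s '%s' labelled %s" % (
        d["comm"], d["source"]["type"], " ".join(d["perms"]),
        d["tclass"], d["name"], d["target"]["type"])

if __name__ == "__main__":
    print(summarize(AVC))
    # The two labels from the original question differ in user and level only.
    print(same_type("user_u:object_r:httpd_sys_content_t",
                    "unconfined_u:object_r:httpd_sys_content_t:s0"))
```

The denial names source type httpd_t and target type httpd_sys_content_t, which is why the suggested fix changes the type on the files rather than the user or the level.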