changes from fedora 7 to 9

Daniel J Walsh dwalsh at redhat.com
Fri Sep 5 18:32:55 UTC 2008


Daniel J Walsh wrote:
> Robert J. Carr wrote:
>> Thanks Paul!  I put that label (httpd_sys_script_rw_t) on the trac.db
>> file itself (not using -R as you suggested) and it worked.
> 
>> So now for the whole teach a guy how to fish part.  Is this a new
>> label for selinux in Fedora 9?  In my other working environment in
>> Fedora 7 all files (including trac.db) are labeled with
>> httpd_sys_content_t.  What's different?
> 
>> Is there some guide that tells you the labels you should be using for
>> specific types of httpd files?
> 
>> Thanks again for the help ... it is greatly appreciated.
> 
> 
>> On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth <paul at city-fan.org> wrote:
>>> On Fri, 5 Sep 2008 09:16:11 -0700
>>> "Robert J. Carr" <rjcarr at gmail.com> wrote:
>>>
>>>> Thanks Paul and Daniel-
>>>>
>>>> I piped the logs through audit2why and here's what it is saying:
>>>>
>>>> ----
>>>>
>>>> type=AVC msg=audit(1220631048.301:1541): avc:  denied  { write } for
>>>> pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
>>>>
>>>> Was caused by:
>>>> Missing type enforcement (TE) allow rule.
>>>>
>>>> You can use audit2allow to generate a loadable module to allow this
>>>> access.
>>>>
>>>> ----
>>>>
>>>> As I said previously I know almost nothing about selinux, so if this
>>>> means anything help is appreciated, otherwise I'm going to see what I
>>>> can find out.
>>>>
>>>> Thanks for the guidance.
>>>>
>>>> On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh <dwalsh at redhat.com>
>>>> wrote:
>>>>> Robert J. Carr wrote:
>>>>>> Hopefully this is a quick question to those that know SELinux more
>>>>>> than I do, which wouldn't be very hard to accomplish.
>>>>>>
>>>>>> I'm migrating a (working) environment from one server running
>>>>>> Fedora 7 to another running Fedora 9.  After pulling my hair out
>>>>>> for most of the day I've found out the problem is with SELinux
>>>>>> because when I turned it off temporarily everything worked fine.
>>>>>>
>>>>>> Not to get into too much detail, but my problem came from apache
>>>>>> not being able to access a file (although the error isn't quite
>>>>>> that clear).  Between the working environment and the non-working
>>>>>> environment I can only see a couple differences in the selinux
>>>>>> config files in /etc, but these have never been touched in either
>>>>>> instance.
>>>>>>
>>>>>> The context labels are a bit different too.  The working
>>>>>> environment has these selinux context labels:
>>>>>>
>>>>>>   user_u:object_r:httpd_sys_content_t
>>>>>>
>>>>>> But the non-working environment has these context labels:
>>>>>>
>>>>>>   unconfined_u:object_r:httpd_sys_content_t:s0
>>>>>>
>>>>>> It seems to get an extra field and the user changes to
>>>>>> unconfined.  Is this relevant?
>>>>>>
>>>>>> There is nothing else that I can find different, is there anything
>>>>>> else that could be the problem?
>>>>>>
>>>>>> Any advice would be greatly appreciated.
>>>>>>
>>>>>> --
>>>>>> fedora-selinux-list mailing list
>>>>>> fedora-selinux-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>> Also pipe them through audit2why it might tell you you need to turn
>>>>> on a boolean.
>>>>>
>>>>> grep http /var/log/audit/audit.log | audit2allow -w
>>> OK, I don't know where your trac.db file is, so let's say
>>> it's /srv/www/trac/db/trac.db
>>>
>>> See if this helps:
>>> # chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
>>>
>>> Cheers, Paul.
>>>
>>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Resending with fixed text.

man httpd_selinux

Explains a lot of it.

# semanage fcontext -a -t httpd_sys_script_rw_t '/srv/www/trac(/.*)?'
# restorecon -R -v /srv/www

Is better than chcon since it will survive a relabel.

But this is revealing a bug in policy.  This is supposed to work out of
the box with the httpd_unified boolean turned on.  But the policy to do
this was accidentally removed.

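The workflow the thread walks through (read the AVC denial, work out which domain was denied which permission on which file type, then fix the label persistently with semanage fcontext and restorecon rather than chcon) is scripted below as an added example. It is not code from the thread or from the Fedora policy; the audit record is constructed to mirror the one Robert posted, and the denial-to-label mapping in recommend() is an assumption that covers only the case discussed here (httpd_t writing to a file labelled httpd_sys_content_t), not a general table of httpd types.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. POSIX sh.
# Constructed AVC record modelled on the denial posted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1220631048.301:1541): avc:  denied  { write } for  pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field RECORD FIELD: value of a key=value field (scontext, tcontext, tclass, name, ...),
# with surrounding double quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT: the type component (third field) of user:role:type[:level].
# The extra ":s0" field on Fedora 9 is the MLS/MCS level and does not change the type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_perms RECORD: the permission list inside "{ ... }" of the denial.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'; }

# recommend RECORD: target type to relabel the file with.
# Assumption: only the thread's case is mapped; anything else returns "unknown".
recommend() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    perms=$(avc_perms "$1")
    case "$src:$tgt:$perms" in
        httpd_t:httpd_sys_content_t:*write*) echo httpd_sys_script_rw_t ;;
        *) echo unknown ;;
    esac
}

# triage_log: read audit records on stdin, print one summary line per httpd denial.
triage_log() {
    while IFS= read -r rec; do
        case "$rec" in *'avc:  denied'*'comm="httpd"'*) ;; *) continue ;; esac
        printf '%s: %s %s on %s -> %s\n' \
            "$(avc_field "$rec" name)" \
            "$(ctx_type "$(avc_field "$rec" scontext)")" \
            "$(avc_perms "$rec")" \
            "$(ctx_type "$(avc_field "$rec" tcontext)")" \
            "$(recommend "$rec")"
    done
}

# relabel_cmds DIR TYPE: the persistent fix from the thread. The semanage rule is what
# survives a relabel; chcon alone would be undone by the next restorecon.
relabel_cmds() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\nrestorecon -R -v %s\n" "$2" "$1" "$1"
}

# verify_label PATH: show what policy would now assign, when the tools are installed.
verify_label() {
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon "$1"
    else
        echo "matchpathcon not available on this host"
    fi
}

printf '%s\n' "$AVC_SAMPLE" | triage_log
relabel_cmds /srv/www/trac "$(recommend "$AVC_SAMPLE")"
```

On a real host you would feed `grep httpd /var/log/audit/audit.log` into triage_log, run the two printed commands as root, and then confirm with verify_label (or `ls -Z`) that the file carries the new type before retesting. If triage_log reports "unknown", check `man httpd_selinux` for the right type or, as Dan suggests, run the records through audit2why in case a boolean rather than a label is the missing piece.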
