changes from fedora 7 to 9

Paul Howarth paul at city-fan.org
Mon Sep 8 08:55:28 UTC 2008


Robert J. Carr wrote:
> Thanks Paul!  I put that label (httpd_sys_script_rw_t) on the trac.db
> file itself (not using -R as you suggested) and it worked.
> 
> So now for the whole teach a guy how to fish part.  Is this a new
> label for selinux in Fedora 9?  In my other working environment in
> Fedora 7 all files (including trac.db) are labeled with
> httpd_sys_content_t.  What's different?
> 
> Is there some guide that tells you the labels you should be using for
> specific types of httpd files?
> 
> Thanks again for the help ... it is greatly appreciated.
> 
> 
> On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth <paul at city-fan.org> wrote:
>> On Fri, 5 Sep 2008 09:16:11 -0700
>> "Robert J. Carr" <rjcarr at gmail.com> wrote:
>>
>>> Thanks Paul and Daniel-
>>>
>>> I piped the logs through audit2why and here's what it is saying:
>>>
>>> ----
>>>
>>> type=AVC msg=audit(1220631048.301:1541): avc:  denied  { write } for
>>> pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
>>>
>>> Was caused by:
>>> Missing type enforcement (TE) allow rule.
>>>
>>> You can use audit2allow to generate a loadable module to allow this
>>> access.
>>>
>>> ----
>>>
>>> As I said previously I know almost nothing about selinux, so if this
>>> means anything help is appreciated, otherwise I'm going to see what I
>>> can find out.
>>>
>>> Thanks for the guidance.

As Dan suggested, "man httpd_selinux" lists the available context types 
for web applications that don't have their own specific types (bugzilla 
is an example of an app that has its own types).

I find a reasonable rule of thumb is:
* CGI scripts need to be httpd_script_exec_t
* Files/directories that need to be writable by the apache user or 
group should be httpd_sys_script_rw_t
* Everything else should be httpd_sys_content_t

In your case, you may find that just setting the context of trac.db 
fixes the immediate problem but you may have issues e.g. with adding 
attachments to trac wiki pages, hence the suggestion to do all of 
/srv/www/trac.

Paul.
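An added example, not part of the thread: a small POSIX shell triage helper that parses an AVC denial of the kind Robert pasted, applies the rule of thumb from the reply above (write-type access by httpd_t to httpd content means the file wants httpd_sys_script_rw_t) and prints the semanage/restorecon commands that make the label survive a relabel. The sample denial is Robert's line reduced to one line; the path /srv/www/trac is the one from the reply; the function names are my own.

```shell
#!/bin/sh
# Constructed sample: the denial from the thread, joined onto a single line.
SAMPLE_AVC='type=AVC msg=audit(1220631048.301:1541): avc:  denied  { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... in the AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the permission named inside { ... }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# type_of CONTEXT -> the type component (third field) of an SELinux context
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_label LINE -> the httpd content type the denied file should carry.
# Only httpd_t accesses to httpd_* content are handled; anything else fails.
# CGI scripts (the first rule of thumb) are a separate case and not covered.
suggest_label() {
    line=$1
    src=$(type_of "$(avc_field "$line" scontext)")
    tgt=$(type_of "$(avc_field "$line" tcontext)")
    perm=$(avc_perm "$line")
    [ "$src" = httpd_t ] || return 1
    case "$tgt" in httpd_*) ;; *) return 1 ;; esac
    case "$perm" in
        # apache needs to modify it: second rule of thumb
        write|append|create|unlink|rename|setattr) echo httpd_sys_script_rw_t ;;
        # plain reads: third rule of thumb, the default content type
        *) echo httpd_sys_content_t ;;
    esac
}

# relabel_cmds PATH TYPE -> commands that record the label in the policy's
# file-context rules and apply it to the whole tree, so a later restorecon
# or relabel keeps it (a bare chcon would be undone). Printed, not run, so
# this works without root or SELinux tooling present.
relabel_cmds() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# Usage on the thread's denial: suggest the type, then show how to apply it.
label=$(suggest_label "$SAMPLE_AVC") && relabel_cmds /srv/www/trac "$label"
```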