Re: selinux is a pain

On 09/21/2011 09:24, Daniel J Walsh wrote:
> On 09/20/2011 07:37 PM, Martín Marqués wrote:
>> 2011/9/20 David Quigley <selinux@xxxxxxxxxxxxxxx>:
>>> On 09/20/2011 16:17, Martín Marqués wrote:
>>>>
>>>> Yes, I get selinux alerts. I stated them in an earlier mail.
>>>>
>>>> From the alerts, the only one that gave me trouble was
>>>> mod_python, and basically trac.
>>>>
>>>> Also, apache couldn't connect to the PostgreSQL server, but that
>>>> I solved easily.
>>>>
>>>>
>>>
>>> You mentioned earlier in the thread that you changed the location
>>> of some things. Could you mention the customizations you've done
>>> so Dan or I can help you with updating your file contexts
>>> properly? Also posting your AVC denials to the fedora SELinux
>>> list would help us figure out if it's your setup or if it's the
>>> policy itself that is wrong. I guess you could post them here as
>>> well if people are interested.
>>
>> As I said. Trac repos are at /var/lib/trac/ and append permission
>> is needed for the trac logs.
>>
>> Also saw some python execution problems from mod_python (apache).
>>
>> Just now I found this:
>>
>> SELinux is preventing /usr/libexec/postfix/bounce from search
>> access on the directorio /var/spool/postfix/defer.
>>
>> I've seen these before
>>
>
>
> The postfix bounce issue is a known problem on RHEL6.  You can get a
> fix for this by downloading a preview of the 6.2 policy in yum
> repository under
>
>
> http://people.redhat.com/dwalsh/SELinux/RHEL6

[Resending since I think my message got moderated because I sent it 
from the wrong address]

A quick search shows that the trac people say to label the trac
directory with httpd_sys_content_t (granted, this is a bit old since it's
about FC5). It also says to label the svn directory you're using
httpd_sys_content_rw_t. To make those permanent you would use (run as
root)

    semanage fcontext -a -t httpd_sys_content_t "/var/lib/trac(/.*)?"

and for svn you would do

    semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/svn(/.*)?"

assuming that is where your svn path is. After that, run restorecon on
both of those directories to get the contexts set up properly.

Do those contexts seem reasonable to you, Dan? The only thing that seems
weird to me is that it gives the web server RW access to the svn repos.
That might be needed for trac and if it is I guess it's OK, but I don't
know enough about trac to make an educated decision. I also wonder if
labeling those directories properly will fix the python issue as well.

Dave


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
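
The labeling steps from the message above as a script, added here as an example and not part of the original message. spec_matches and label_tree are hypothetical helper names; the paths and types are the ones the message names, and spec_matches approximates the anchored matching of file-context specs with grep -E.

```bash
#!/bin/sh
# Added example: apply and verify the file contexts suggested above.
# /var/lib/svn is the message's own assumption about the repository path.

# spec_matches SPEC PATH
# File-context specs are regular expressions anchored at both ends, so
# "/var/lib/trac(/.*)?" covers the directory itself and everything below
# it, while "/var/lib/trac/.*" would miss the directory itself.
spec_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# label_tree TYPE DIR
# Record a persistent rule for DIR and its contents, relabel, then verify.
label_tree() {
    lt_type="$1"
    lt_dir="$2"
    lt_spec="$2(/.*)?"
    # -a fails when a local rule for this spec already exists; retry with -m.
    semanage fcontext -a -t "$lt_type" "$lt_spec" 2>/dev/null ||
        semanage fcontext -m -t "$lt_type" "$lt_spec" || return 1
    # restorecon applies the recorded rule to what is already on disk.
    restorecon -R -v "$lt_dir" || return 1
    # matchpathcon -V prints whether the on-disk label equals the default.
    matchpathcon -V "$lt_dir"
}

# Nothing is changed unless the script is run as root with --apply.
if [ "${1:-}" = "--apply" ]; then
    label_tree httpd_sys_content_t    /var/lib/trac &&
    label_tree httpd_sys_content_rw_t /var/lib/svn
fi
```

Running semanage fcontext -l -C afterwards lists the local rules that were recorded.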