On 09/21/2011 11:37 AM, David Quigley wrote:
> On 09/21/2011 09:24, Daniel J Walsh wrote:
> On 09/20/2011 07:37 PM, Martín Marqués wrote:
>>>> 2011/9/20 David Quigley <selinux@xxxxxxxxxxxxxxx>:
>>>>> On 09/20/2011 16:17, Martín Marqués wrote:
>>>>>>
>>>>>> Yes, I get selinux alerts. I stated them in an earlier
>>>>>> mail.
>>>>>>
>>>>>> From the alerts, the only one that gave me trouble was
>>>>>> mod_python, and basically trac.
>>>>>>
>>>>>> Also, apache couldn't connect to the PostgreSQL server,
>>>>>> but that I solved easily.
>>>>>>
>>>>>
>>>>> You mentioned earlier in the thread that you changed the
>>>>> location of some things. Could you mention the
>>>>> customizations you've done so Dan or I can help you with
>>>>> updating your file contexts properly? Also posting your AVC
>>>>> denials to the fedora SELinux list would help us figure out
>>>>> if it's your setup or if it's the policy itself that is
>>>>> wrong. I guess you could post them here as well if people
>>>>> are interested.
>>>>
>>>> As I said. Trac repos are at /var/lib/trac/ and append
>>>> permission is needed for the trac logs.
>>>>
>>>> Also saw some python execution problems from mod_python
>>>> (apache).
>>>>
>>>> Just now I found this:
>>>>
>>>> SELinux is preventing /usr/libexec/postfix/bounce from
>>>> search access on the directorio /var/spool/postfix/defer.
>>>>
>>>> I've seen these before
>>>>
>
> The postfix bounce issue is a known problem on RHEL6. You can get
> a fix for this by downloading a preview of the 6.2 policy in yum
> repository under
>
> http://people.redhat.com/dwalsh/SELinux/RHEL6
>
> [Resending since I think my message got moderated because I sent it
> from the wrong address]
>
> A quick search shows that the trac people say to label the trac
> directory with httpd_sys_content_t (granted this is a bit old since
> it's about FC5). It also says to label the svn directory you're
> using httpd_sys_content_rw_t. To make those permanent you would use
> (run as root)
>
>   semanage fcontext -a -t httpd_sys_content_t "/var/lib/trac(/.*)?"
>
> and for svn you would do
>
>   semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/svn(/.*)?"
>
> assuming that is where your svn path is. After that run restorecon
> on both of those directories to get the contexts set up properly.
>
> Do those contexts seem reasonable to you Dan? The only thing that
> seems weird to me is that it gives the web server RW access to the
> svn repos. That might be needed for trac and if it is I guess it's
> ok but I don't know enough about trac to make an educated decision.
> I also wonder if labeling those directories properly will fix the
> python issue as well.
>
> Dave
>

It is fine with me. Best solution would be to have a label on the
process that is running trac. But if this all runs within the httpd_t
domain, not much we can do. I don't recall seeing bug reports on these
packages but I guess I can look into making the label in the
selinux-policy package.
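
The thread asks for the AVC denials in order to tell a labelling problem from a policy problem. The following is an added example, not part of the thread or of any SELinux tool: it groups the denials of one domain by target type and object class, so you can see which labels httpd_t is being refused on. The log lines are constructed, and the function names parse_avc and summarise are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the thread): pids, inodes and file
# names are made up; the field layout follows the kernel's AVC record format.
SAMPLE_LOG = """\
type=AVC msg=audit(1316600000.101:410): avc:  denied  { append } for  pid=2101 comm="httpd" name="trac.log" dev=dm-0 ino=4001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1316600000.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1316600005.220:411): avc:  denied  { append } for  pid=2101 comm="httpd" name="trac.log" dev=dm-0 ino=4001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1316600009.007:412): avc:  denied  { write } for  pid=2101 comm="httpd" name="db" dev=dm-0 ino=4010 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1316600011.500:413): avc:  denied  { search } for  pid=2307 comm="bounce" name="defer" dev=dm-0 ino=5100 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
"""

PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_avc(line):
    """Return one 'avc: denied' record as a dict, or None for any other line."""
    perms = PERMS_RE.search(line)
    fields = {k: v.strip('"') for k, v in PAIR_RE.findall(line)}
    if perms is None or not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    return {
        "perms": set(perms.group(1).split()),
        # A context is user:role:type:level; the type is what policy rules use.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name") or fields.get("path", "?"),
    }

def summarise(log_text, domain):
    """Group the denials of one source domain by (target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["source"] != domain:
            continue
        group = groups[(rec["target"], rec["tclass"])]
        group["perms"] |= rec["perms"]
        group["names"].add(rec["name"])
        group["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (target, tclass), g in sorted(summarise(SAMPLE_LOG, "httpd_t").items()):
        print(f"httpd_t -> {target}:{tclass} perms={sorted(g['perms'])} "
              f"count={g['count']} names={sorted(g['names'])}")
```

In the constructed sample every httpd_t denial lands on var_lib_t, the default type for content under /var/lib, which is the pattern a missing file-context rule for the tree produces.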