On 09/21/2011 12:02, Daniel J Walsh wrote:
> On 09/21/2011 11:37 AM, David Quigley wrote:
>> On 09/21/2011 09:24, Daniel J Walsh wrote:
>> On 09/20/2011 07:37 PM, Martín Marqués wrote:
>>>>> 2011/9/20 David Quigley <selinux@xxxxxxxxxxxxxxx>:
>>>>>> On 09/20/2011 16:17, Martín Marqués wrote:
>>>>>>>
>>>>>>> Yes, I get selinux alerts. I stated them in an earlier
>>>>>>> mail.
>>>>>>>
>>>>>>> From the alerts, the only one that gave me trouble was
>>>>>>> mod_python, and basically trac.
>>>>>>>
>>>>>>> Also, apache couldn't connect to the PostgreSQL server,
>>>>>>> but that I solved easily.
>>>>>>>
>>>>>>
>>>>>> You mentioned earlier in the thread that you changed the
>>>>>> location of some things. Could you mention the
>>>>>> customizations you've done so Dan or I can help you with
>>>>>> updating your file contexts properly? Also posting your AVC
>>>>>> denials to the fedora SELinux list would help us figure out
>>>>>> if it's your setup or if it's the policy itself that is
>>>>>> wrong. I guess you could post them here as well if people
>>>>>> are interested.
>>>>>
>>>>> As I said. Trac repos are at /var/lib/trac/ and append
>>>>> permission is needed for the trac logs.
>>>>>
>>>>> Also saw some python execution problems from mod_python
>>>>> (apache).
>>>>>
>>>>> Just now I found this:
>>>>>
>>>>> SELinux is preventing /usr/libexec/postfix/bounce from
>>>>> search access on the directorio /var/spool/postfix/defer.
>>>>>
>>>>> I've seen these before
>>>>>
>>
>> The postfix bounce issue is a known problem on RHEL6. You can get
>> a fix for this by downloading a preview of the 6.2 policy in yum
>> repository under
>>
>> http://people.redhat.com/dwalsh/SELinux/RHEL6
>>
>> [Resending since I think my message got moderated because I sent it
>> from the wrong address]
>>
>> A quick search shows that the trac people say to label the trac
>> directory with httpd_sys_content_t (granted this is a bit old since
>> it's about FC5). It also says to label the svn directory you're
>> using httpd_sys_content_rw_t. To make those permanent you would use
>> (run as root)
>>
>>   semanage fcontext -a -t httpd_sys_content_t "/var/lib/trac(/.*)?"
>>
>> and for svn you would do
>>
>>   semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/svn(/.*)?"
>>
>> assuming that is where your svn path is. After that run restorecon
>> on both of those directories to get the contexts set up properly.
>>
>> Do those contexts seem reasonable to you, Dan? The only thing that
>> seems weird to me is that it gives the web server RW access to the
>> svn repos. That might be needed for trac and if it is I guess it's
>> ok but I don't know enough about trac to make an educated decision.
>> I also wonder if labeling those directories properly will fix the
>> python issue as well.
>>
>> Dave
>>
>
> It is fine with me. Best solution would be to have a label on the
> process that is running trac. But if this all runs within the
> httpd_t domain, not much we can do.
>
> I don't recall seeing bug reports on these packages but I guess I can
> look into making the label in the selinux-policy package.

While looking around for information on trac I noticed a policy module
that they have written which was based on FC4 [1]. It might be worth
looking at and seeing if we can make a better policy than just running
as httpd.

Dave

[1] http://trac.edgewall.org/wiki/TracWithSeLinux
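
The two file-context specs proposed in this thread, as an added example that is not part of any message above: it checks which paths each spec covers and why the `(/.*)?` suffix is used instead of looser or narrower patterns. Python's `re.fullmatch` stands in for the anchored matching SELinux applies to file-context specs; the sample paths and the two look-alike specs are constructed for illustration.

```python
import re

# Rules from the thread (type names exactly as posted there).
THREAD_RULES = [
    ("/var/lib/trac(/.*)?", "httpd_sys_content_t"),
    ("/var/lib/svn(/.*)?", "httpd_sys_content_rw_t"),
]

# Constructed look-alike specs, to show why the "(/.*)?" suffix is used.
LOOSE_SPEC = "/var/lib/trac.*"        # also matches sibling paths
CHILD_ONLY_SPEC = "/var/lib/trac/.*"  # misses the directory itself

# Constructed sample paths; none are taken from the poster's system.
SAMPLE_PATHS = [
    "/var/lib/trac",
    "/var/lib/trac/project/log/trac.log",
    "/var/lib/trac-backup/project",
    "/var/lib/svn/repo/db/current",
    "/var/lib/svnserve.conf",
]


def spec_matches(spec, path):
    """File-context specs are anchored: the regex must match the whole path."""
    return re.fullmatch(spec, path) is not None


def type_for(path, rules=THREAD_RULES):
    """Return the type of the first rule matching path, or None.

    Simplification: the real matcher also ranks overlapping specs by
    specificity; the two thread rules never overlap, so order is irrelevant.
    """
    for spec, setype in rules:
        if spec_matches(spec, path):
            return setype
    return None


def coverage(paths=SAMPLE_PATHS):
    """Map each path to the type the thread's rules would assign."""
    return {p: type_for(p) for p in paths}


if __name__ == "__main__":
    for path, setype in coverage().items():
        print(f"{path:40} {setype or '(not covered by these rules)'}")
```

Paths reported as not covered keep whatever label the base policy gives them, so the web server gains no access to sibling directories that merely share a name prefix.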