Re: selinux is a pain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/21/2011 12:02, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/21/2011 11:37 AM, David Quigley wrote:
>> On 09/21/2011 09:24, Daniel J Walsh wrote: On 09/20/2011 07:37 PM,
>> Martín Marqués wrote:
>>>>> 2011/9/20 David Quigley <selinux@xxxxxxxxxxxxxxx>:
>>>>>> On 09/20/2011 16:17, Martín Marqués wrote:
>>>>>>>
>>>>>>> Yes, I get selinux alerts. I stated them in an earlier
>>>>>>> mail.
>>>>>>>
>>>>>>> From the alerts, the only one that gave me trouble was
>>>>>>> mod_python, and basically trac.
>>>>>>>
>>>>>>> Also, apache couldn't conect to the PostgreSQL server,
>>>>>>> but that I solved easilly.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> You mentioned earlier in the thread that you changed the
>>>>>> location of some things. Could you mention the
>>>>>> customizations you've done so Dan or I can help you with
>>>>>> updating your file contexts properly? Also posting your AVC
>>>>>> denials to the fedora SELinux list would help us figure out
>>>>>> if its your setup or if its the policy itself that is
>>>>>> wrong. I guess you could post them here as well if people
>>>>>> are interested.
>>>>>
>>>>> As I sad. Trac repos are at /var/lib/trac/ and append
>>>>> permission is needed for the trac logs.
>>>>>
>>>>> Also saw some python execution problems from mod_python
>>>>> (apache).
>>>>>
>>>>> Just now I found this:
>>>>>
>>>>> SELinux is preventing /usr/libexec/postfix/bounce from
>>>>> search access on the directorio /var/spool/postfix/defer.
>>>>>
>>>>> I've seen these before
>>>>>
>>
>>
>> The postfix bounce issue is a known problem on RHEL6.  You can get
>> a fix for this by downloading a preview of the 6.2 policy in yum
>> repository under
>>
>>
>> http://people.redhat.com/dwalsh/SELinux/RHEL6
>>
>>
>> [Resending since I think my message got moderated because I sent it
>>  from the wrong address]
>>
>> A quick search shows that the trac people say to label the trac
>> directory with httpd_sys_content_t (granted this is a bit old since
>> its about FC5). It also says to label the svn directory you're
>> using httpd_sys_content_rw_t. To make those permenant you would use
>> (run as root) semanage fcontext -a -t httpd_sys_content_t
>> "/var/lib/trac(/.*)?" and for svn you would do semanage fcontext -a
>> -t httpd_sys_content_rw_t "/var/lib/svn(/.*)?" assuming that is
>> where your svn path is. After that run restorecon on both of those
>> directories so get the contexts setup properly.
>>
>> Do those contexts seem reasonable to you Dan? The only thing that
>> seems weird to me is that it gives the web server RW access to the
>> svn repos. That might be needed for trac and if it is I guess its
>> ok but I don't know enough about trac to make an educated decision.
>> I also wonder if labeling those directories properly will fix the
>> python issue as well.
>>
>> Dave
>>
>>
>
> It is fine with me.  Best solution would be to have a label on the
> process that is running trac.   But if this all runs within the
> httpd_t domain, not much we can do.
>
> I don't recall seeing bug reports on these packages but I guess I can
> look into making the label in the selinux-policy package.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk56CqgACgkQrlYvE4MpobMBMQCfU1NfwM4EKSgFg3TlC8PR+KFC
> B1IAoLqCnWgusQqzTOiq6axPvrc6MxkN
> =qclN
> -----END PGP SIGNATURE-----

While looking around for information on trac I noticed a policy module 
that they have written which was based on FC4 [1]. It might be worth 
looking at and seeing if we can make a better policy than just running 
as httpd.

Dave

[1] http://trac.edgewall.org/wiki/TracWithSeLinux

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux