Thanks Paul and Daniel-

I piped the logs through audit2why and here's what it is saying:

----
type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.
----

As I said previously I know almost nothing about selinux, so if this means anything help is appreciated, otherwise I'm going to see what I can find out.

Thanks for the guidance.

On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> Robert J. Carr wrote:
>> Hopefully this is a quick question to those that know SELinux more
>> than I do, which wouldn't be very hard to accomplish.
>>
>> I'm migrating a (working) environment from one server running Fedora 7
>> to another running Fedora 9. After pulling my hair out for most of
>> the day I've found out the problem is with SELinux because when I
>> turned it off temporarily everything worked fine.
>>
>> Not to get into too much detail, but my problem came from apache not
>> being able to access a file (although the error isn't quite that
>> clear). Between the working environment and the non-working
>> environment I can only see a couple differences in the selinux config
>> files in /etc, but these have never been touched in either instance.
>>
>> The context labels are a bit different too. The working environment
>> has these selinux context labels:
>>
>> user_u:object_r:httpd_sys_content_t
>>
>> But the non-working environment has these context labels:
>>
>> unconfined_u:object_r:httpd_sys_content_t:s0
>>
>> It seems to get an extra field and the user changes to unconfined. Is
>> this relevant?
>>
>> There is nothing else that I can find different, is there anything
>> else that could be the problem?
>>
>> Any advice would be greatly appreciated.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Also pipe them through audit2why it might tell you you need to turn on a
> boolean.
>
> grep http /var/log/audit/audit.log | audit2allow -w
>
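
An added example, not part of the original thread: a Python sketch that splits the AVC record quoted in the message into its fields, extracts the (source type, target type, class, permission) tuple that a type enforcement rule is written over, and compares the two file labels from the original question field by field. The function names are hypothetical; the record and labels are copied from the messages above.

```python
import re

# AVC record quoted in the message above (the audit2why input).
AVC = ('type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for '
       'pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 '
       'scontext=unconfined_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file')

def split_context(ctx):
    """Split user:role:type[:level]; the level itself may contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    fields = dict(zip(("user", "role", "type", "level"), parts))
    fields.setdefault("level", None)  # three-field labels carry no level
    return fields

def parse_avc(line):
    """Return the key=value fields and permission list of one AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial")
    rec = {"perms": m.group(1).split()}
    # Values are either double-quoted (comm, name) or bare tokens.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(2)):
        rec[key] = quoted or bare
    return rec

def te_tuple(rec):
    """(source type, target type, class, perms) taken from the record."""
    return (split_context(rec["scontext"])["type"],
            split_context(rec["tcontext"])["type"],
            rec["tclass"], tuple(rec["perms"]))

def differing_fields(a, b):
    """Names of the context fields in which two labels differ."""
    fa, fb = split_context(a), split_context(b)
    return [k for k in ("user", "role", "type", "level") if fa[k] != fb[k]]

if __name__ == "__main__":
    print(te_tuple(parse_avc(AVC)))
    print(differing_fields("user_u:object_r:httpd_sys_content_t",
                           "unconfined_u:object_r:httpd_sys_content_t:s0"))
```

The two labels from the question differ in the user and level fields only; the type field, which is what the denied `httpd_t` to `httpd_sys_content_t` write is expressed in, is the same on both servers.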