Re: changes from fedora 7 to 9

Robert J. Carr wrote:
Thanks Paul!  I put that label (httpd_sys_script_rw_t) on the trac.db
file itself (not using -R as you suggested) and it worked.

So now for the whole teach a guy how to fish part.  Is this a new
label for selinux in Fedora 9?  In my other working environment in
Fedora 7 all files (including trac.db) are labeled with
httpd_sys_content_t.  What's different?

Is there some guide that tells you the labels you should be using for
specific types of httpd files?

Thanks again for the help ... it is greatly appreciated.


On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
On Fri, 5 Sep 2008 09:16:11 -0700
"Robert J. Carr" <rjcarr@xxxxxxxxx> wrote:

Thanks Paul and Daniel-

I piped the logs through audit2why and here's what it is saying:

----

type=AVC msg=audit(1220631048.301:1541): avc:  denied  { write } for
pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this
access.

----

As I said previously I know almost nothing about selinux, so if this
means anything help is appreciated, otherwise I'm going to see what I
can find out.

Thanks for the guidance.

As Dan suggested, "man httpd_selinux" lists the available context types for web applications that don't have their own specific types (bugzilla is an example of an app that has its own types).

I find a reasonable rule of thumb is:
* CGI scripts need to be httpd_script_exec_t
* Files/directories that need to be writeable by the apache user or group should be httpd_sys_script_rw_t
* Everything else should be httpd_sys_content_t

In your case, you may find that just setting the context of trac.db fixes the immediate problem but you may have issues e.g. with adding attachments to trac wiki pages, hence the suggestion to do all of /srv/www/trac

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
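
Added example, not part of the original thread: a small Python parser for the AVC denial quoted above that pulls out the source and target types and applies the rule of thumb from the reply (httpd writing to something labelled httpd_sys_content_t should be relabelled httpd_sys_script_rw_t). The function names and the set of permissions treated as "write-like" are assumptions made for this illustration.

```python
import re
import shlex

# AVC record copied from the thread above (line-wrapped there, joined here).
SAMPLE_AVC = (
    'type=AVC msg=audit(1220631048.301:1541): avc:  denied  { write } for '
    'pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

# Assumption for this example: permissions that imply the object must be writable.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "add_name", "remove_name"}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {"perms": set(m.group("perms").split())}
    for token in shlex.split(m.group("rest")):  # shlex removes the quotes on comm/name
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    # An SELinux context is user:role:type[:level]; the type is the third field.
    for side, key in (("source_type", "scontext"), ("target_type", "tcontext")):
        parts = fields.get(key, "").split(":")
        fields[side] = parts[2] if len(parts) > 2 else ""
    return fields


def suggest_type(avc):
    """Apply the thread's rule of thumb; None when the rule does not cover the denial."""
    if avc is None or avc["source_type"] != "httpd_t":
        return None
    if avc.get("tclass") not in ("file", "dir"):
        return None
    if avc["target_type"] == "httpd_sys_content_t" and avc["perms"] & WRITE_PERMS:
        return "httpd_sys_script_rw_t"
    return None


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(avc["comm"], "denied", sorted(avc["perms"]), "on", avc["name"],
          "(" + avc["target_type"] + ") -> relabel as", suggest_type(avc))
```

The suggestion is only a starting point for checking against "man httpd_selinux"; a denial the rule does not cover returns None rather than a guess.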
