selinux is a pain

Daniel J Walsh dwalsh at redhat.com
Wed Sep 21 16:02:48 UTC 2011



On 09/21/2011 11:37 AM, David Quigley wrote:
> On 09/21/2011 09:24, Daniel J Walsh wrote:
> On 09/20/2011 07:37 PM, Martín Marqués wrote:
>>>> 2011/9/20 David Quigley <selinux at davequigley.com>:
>>>>> On 09/20/2011 16:17, Martín Marqués wrote:
>>>>>> 
>>>>>> Yes, I get selinux alerts. I stated them in an earlier
>>>>>> mail.
>>>>>> 
>>>>>> From the alerts, the only one that gave me trouble was 
>>>>>> mod_python, and basically trac.
>>>>>> 
>>>>>> Also, apache couldn't connect to the PostgreSQL server,
>>>>>> but that I solved easily.
>>>>>> 
>>>>>> 
>>>>> 
>>>>> You mentioned earlier in the thread that you changed the
>>>>> location of some things. Could you mention the
>>>>> customizations you've done so Dan or I can help you with
>>>>> updating your file contexts properly? Also posting your AVC
>>>>> denials to the fedora SELinux list would help us figure out
>>>>> if its your setup or if its the policy itself that is
>>>>> wrong. I guess you could post them here as well if people
>>>>> are interested.
>>>> 
>>>> As I said. Trac repos are at /var/lib/trac/ and append
>>>> permission is needed for the trac logs.
>>>> 
>>>> Also saw some python execution problems from mod_python
>>>> (apache).
>>>> 
>>>> Just now I found this:
>>>> 
>>>> SELinux is preventing /usr/libexec/postfix/bounce from
>>>> search access on the directorio /var/spool/postfix/defer.
>>>> 
>>>> I've seen these before
>>>> 
> 
> 
> The postfix bounce issue is a known problem on RHEL6.  You can get
> a fix for this by downloading a preview of the 6.2 policy in yum 
> repository under
> 
> 
> http://people.redhat.com/dwalsh/SELinux/RHEL6
> 
> 
> [Resending since I think my message got moderated because I sent it
>  from the wrong address]
> 
> A quick search shows that the trac people say to label the trac
> directory with httpd_sys_content_t (granted this is a bit old since
> it's about FC5). It also says to label the svn directory you're
> using httpd_sys_content_rw_t. To make those permanent you would use
> (run as root) semanage fcontext -a -t httpd_sys_content_t
> "/var/lib/trac(/.*)?" and for svn you would do semanage fcontext -a
> -t httpd_sys_content_rw_t "/var/lib/svn(/.*)?" assuming that is
> where your svn path is. After that run restorecon on both of those
> directories to get the contexts set up properly.
> 
> Do those contexts seem reasonable to you Dan? The only thing that
> seems weird to me is that it gives the web server RW access to the
> svn repos. That might be needed for trac and if it is I guess it's
> ok but I don't know enough about trac to make an educated decision.
> I also wonder if labeling those directories properly will fix the
> python issue as well.
> 
> Dave
> 
> 

It is fine with me.  Best solution would be to have a label on the
process that is running trac.   But if this all runs within the
httpd_t domain, not much we can do.

I don't recall seeing bug reports on these packages but I guess I can
look into making the label in the selinux-policy package.
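The relabelling procedure David describes above (semanage fcontext rules for the trac and svn trees, then restorecon), as an added script that is not part of this thread. It uses the paths and types quoted in the thread; the function names, the "apply" argument and the use of `stat -c %C` to read a file's context are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread. Adds the two fcontext rules
# David suggests (trac -> httpd_sys_content_t, svn -> httpd_sys_content_rw_t)
# without duplicating existing rules, relabels, and verifies the result.
# semanage, restorecon and stat are the standard RHEL6 tools; the
# function names are assumptions of this example.
set -eu

TRAC_SPEC='/var/lib/trac(/.*)?'; TRAC_TYPE=httpd_sys_content_t
SVN_SPEC='/var/lib/svn(/.*)?';   SVN_TYPE=httpd_sys_content_rw_t

# Type field of a full context (user:role:type:level), e.g. from `stat -c %C`.
context_type() {
    ctx=$1
    ctx=${ctx#*:}; ctx=${ctx#*:}   # strip user and role
    printf '%s\n' "${ctx%%:*}"     # keep the type, drop the MLS level
}

# Which type the two specs assign to a path, or "unknown" when neither
# regex matches. The trailing "(/.*)?" is what keeps /var/lib/tracker
# from being caught by the trac rule.
expected_type() {
    if printf '%s\n' "$1" | grep -Eq "^${TRAC_SPEC}\$"; then echo "$TRAC_TYPE"
    elif printf '%s\n' "$1" | grep -Eq "^${SVN_SPEC}\$"; then echo "$SVN_TYPE"
    else echo unknown; fi
}

# Add a local fcontext rule only if the same spec is not already stored,
# so rerunning the script does not fail on a duplicate entry.
add_fcontext() {
    if semanage fcontext -l -C | grep -Fq -- "$1"; then
        echo "fcontext for $1 already present"
    else
        semanage fcontext -a -t "$2" "$1"
    fi
}

# Returns 0 when the on-disk label of $1 matches what the specs predict.
label_ok() {
    [ "$(context_type "$(stat -c %C -- "$1")")" = "$(expected_type "$1")" ]
}

# Only touch the system when explicitly asked: ./relabel.sh apply (as root).
if [ "${1:-}" = apply ]; then
    add_fcontext "$TRAC_SPEC" "$TRAC_TYPE"
    add_fcontext "$SVN_SPEC" "$SVN_TYPE"
    restorecon -Rv /var/lib/trac /var/lib/svn
    for d in /var/lib/trac /var/lib/svn; do
        label_ok "$d" && echo "$d labelled correctly" || echo "$d NOT relabelled"
    done
fi
```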