selinux is a pain

David Quigley selinux at davequigley.com
Wed Sep 21 16:14:02 UTC 2011


On 09/21/2011 12:02, Daniel J Walsh wrote:
> On 09/21/2011 11:37 AM, David Quigley wrote:
>> On 09/21/2011 09:24, Daniel J Walsh wrote: On 09/20/2011 07:37 PM,
>> Martín Marqués wrote:
>>>>> 2011/9/20 David Quigley <selinux at davequigley.com>:
>>>>>> On 09/20/2011 16:17, Martín Marqués wrote:
>>>>>>>
>>>>>>> Yes, I get selinux alerts. I stated them in an earlier
>>>>>>> mail.
>>>>>>>
>>>>>>> From the alerts, the only one that gave me trouble was
>>>>>>> mod_python, and basically trac.
>>>>>>>
>>>>>>> Also, apache couldn't connect to the PostgreSQL server,
>>>>>>> but that I solved easily.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> You mentioned earlier in the thread that you changed the
>>>>>> location of some things. Could you mention the
>>>>>> customizations you've done so Dan or I can help you with
>>>>>> updating your file contexts properly? Also posting your AVC
>>>>>> denials to the fedora SELinux list would help us figure out
>>>>>> if it's your setup or if it's the policy itself that is
>>>>>> wrong. I guess you could post them here as well if people
>>>>>> are interested.
>>>>>
>>>>> As I said. Trac repos are at /var/lib/trac/ and append
>>>>> permission is needed for the trac logs.
>>>>>
>>>>> Also saw some python execution problems from mod_python
>>>>> (apache).
>>>>>
>>>>> Just now I found this:
>>>>>
>>>>> SELinux is preventing /usr/libexec/postfix/bounce from
>>>>> search access on the directorio /var/spool/postfix/defer.
>>>>>
>>>>> I've seen these before
>>>>>
>>
>>
>> The postfix bounce issue is a known problem on RHEL6.  You can get
>> a fix for this by downloading a preview of the 6.2 policy in yum
>> repository under
>>
>>
>> http://people.redhat.com/dwalsh/SELinux/RHEL6
>>
>>
>> [Resending since I think my message got moderated because I sent it
>>  from the wrong address]
>>
>> A quick search shows that the trac people say to label the trac
>> directory with httpd_sys_content_t (granted this is a bit old since
>> it's about FC5). It also says to label the svn directory you're
>> using httpd_sys_content_rw_t. To make those permanent you would use
>> (run as root) semanage fcontext -a -t httpd_sys_content_t
>> "/var/lib/trac(/.*)?" and for svn you would do semanage fcontext -a
>> -t httpd_sys_content_rw_t "/var/lib/svn(/.*)?" assuming that is
>> where your svn path is. After that run restorecon on both of those
>> directories to get the contexts set up properly.
>>
>> Do those contexts seem reasonable to you Dan? The only thing that
>> seems weird to me is that it gives the web server RW access to the
>> svn repos. That might be needed for trac and if it is I guess it's
>> ok but I don't know enough about trac to make an educated decision.
>> I also wonder if labeling those directories properly will fix the
>> python issue as well.
>>
>> Dave
>>
>>
>
> It is fine with me.  Best solution would be to have a label on the
> process that is running trac.   But if this all runs within the
> httpd_t domain, not much we can do.
>
> I don't recall seeing bug reports on these packages but I guess I can
> look into making the label in the selinux-policy package.

While looking around for information on trac I noticed a policy module 
that they have written which was based on FC4 [1]. It might be worth 
looking at and seeing if we can make a better policy than just running 
as httpd.

Dave

[1] http://trac.edgewall.org/wiki/TracWithSeLinux
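The relabeling procedure David describes above (semanage fcontext rules for the trac and svn trees, then restorecon), written out as a script. This is an added example, not code from the thread or from the Trac project; the paths /var/lib/trac and /var/lib/svn and the types httpd_sys_content_t and httpd_sys_content_rw_t are the ones named in the message. The helper functions only build and parse strings, so they run without SELinux tooling; relabel_tree is the part that actually needs semanage, restorecon and matchpathcon on a real host and must run as root.

```shell
#!/bin/sh
# Added example: persistently label the trac and svn trees for httpd,
# relabel them, and confirm the on-disk label matches policy.

# Build the persistent rule for a directory tree (the regex form the
# thread uses: "<dir>(/.*)?" covers the directory and everything under it).
fcontext_rule() {
    # $1 = directory, $2 = SELinux type
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
}

# Pull the type field out of a full context such as
# system_u:object_r:httpd_sys_content_t:s0 (what ls -Z / matchpathcon print).
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True when the context in $1 carries the type named in $2.
label_matches() {
    [ "$(label_type "$1")" = "$2" ]
}

# On a real host (root): add the rule, or modify it if one already exists,
# relabel the tree, then verify with matchpathcon (-n prints only the context).
relabel_tree() {
    dir=$1
    type=$2
    semanage fcontext -a -t "$type" "${dir}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$type" "${dir}(/.*)?"
    restorecon -R -v "$dir"
    actual=$(matchpathcon -n "$dir")
    if ! label_matches "$actual" "$type"; then
        echo "label mismatch on $dir: got $actual, expected type $type" >&2
        return 1
    fi
}

# Without semanage present, just show the rules that would be added.
if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    relabel_tree /var/lib/trac httpd_sys_content_t
    relabel_tree /var/lib/svn  httpd_sys_content_rw_t
else
    fcontext_rule /var/lib/trac httpd_sys_content_t
    fcontext_rule /var/lib/svn  httpd_sys_content_rw_t
fi
```

The two types differ in what they grant: httpd_sys_content_t is read-only for the web server, while httpd_sys_content_rw_t lets it write, which is the point David raises about the svn repository. After restorecon, ls -Zd on each directory should show the type passed to relabel_tree; a different type usually means an earlier, more specific fcontext rule is taking precedence and semanage fcontext -l will show it.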


