Thanks Paul! I put that label (httpd_sys_script_rw_t) on the trac.db file itself (not using -R as you suggested) and it worked.
So now for the whole teach a guy how to fish part. Is this a new label for selinux in Fedora 9? In my other working environment in Fedora 7 all files (including trac.db) are labeled with httpd_sys_content_t. What's different?
Is there some guide that tells you the labels you should be using for specific types of httpd files?
Thanks again for the help ... it is greatly appreciated.
On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth paul@city-fan.org wrote:
On Fri, 5 Sep 2008 09:16:11 -0700 "Robert J. Carr" rjcarr@gmail.com wrote:
Thanks Paul and Daniel-
I piped the logs through audit2why and here's what it is saying:
type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
As I said previously, I know almost nothing about selinux, so if this means anything, help is appreciated; otherwise I'm going to see what I can find out.
Thanks for the guidance.
On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh dwalsh@redhat.com wrote:
Robert J. Carr wrote:
Hopefully this is a quick question to those that know SELinux more than I do, which wouldn't be very hard to accomplish.
I'm migrating a (working) environment from one server running Fedora 7 to another running Fedora 9. After pulling my hair out for most of the day I've found out the problem is with SELinux because when I turned it off temporarily everything worked fine.
Not to get into too much detail, but my problem came from apache not being able to access a file (although the error isn't quite that clear). Between the working environment and the non-working environment I can only see a couple of differences in the selinux config files in /etc, but these have never been touched in either instance.
The context labels are a bit different too. The working environment has these selinux context labels:
user_u:object_r:httpd_sys_content_t
But the non-working environment has these context labels:
unconfined_u:object_r:httpd_sys_content_t:s0
It seems to get an extra field and the user changes to unconfined. Is this relevant?
There is nothing else that I can find different, is there anything else that could be the problem?
Any advice would be greatly appreciated.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Also pipe them through audit2why; it might tell you you need to turn on a boolean.
grep http /var/log/audit/audit.log | audit2allow -w
OK, I don't know where your trac.db file is, so let's say it's /srv/www/trac/db/trac.db
See if this helps:
# chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
Cheers, Paul.
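Added example, not code from anyone in the thread: a small POSIX shell script that parses the AVC line Robert pasted, reports which domain was denied which permission on which file and label, and derives the chcon Paul suggested. The log line and the /srv/www/trac path are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example: pull the useful fields out of an SELinux AVC denial and
# turn them into the relabel suggested in the thread. The AVC line below is
# a constructed sample copied from Robert's message.

AVC_LINE='type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field LINE KEY: value of the first KEY=value token, quotes removed
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep "^$2=" | head -n 1 \
        | cut -d= -f2- | tr -d '"'
}

# avc_perm LINE: the permission(s) inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' \
        | sed 's/^ *//;s/ *$//'
}

# avc_type LINE scontext|tcontext: the type part of user:role:type[:level]
avc_type() {
    avc_field "$1" "$2" | cut -d: -f3
}

# avc_summary LINE: one-line reading of the denial
avc_summary() {
    printf '%s denied %s on %s "%s" labeled %s\n' \
        "$(avc_type "$1" scontext)" "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(avc_type "$1" tcontext)"
}

# suggest_relabel LINE PATH: when httpd is denied write on read-only web
# content (httpd_sys_content_t), print Paul's chcon; otherwise point back
# at audit2why as Daniel suggested.
suggest_relabel() {
    if [ "$(avc_type "$1" scontext)" = httpd_t ] \
       && [ "$(avc_type "$1" tcontext)" = httpd_sys_content_t ] \
       && [ "$(avc_perm "$1")" = write ]; then
        printf 'chcon -t httpd_sys_script_rw_t %s\n' "$2"
    else
        printf 'no fixed suggestion; run: grep http /var/log/audit/audit.log | audit2why\n'
    fi
}

avc_summary "$AVC_LINE"
suggest_relabel "$AVC_LINE" /srv/www/trac/db/trac.db
```

chcon only changes the label stored on the file, so a later restorecon or full relabel can put it back to the policy default; the thread does not cover that persistence point.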