Hopefully this is a quick question to those that know SELinux more than I do, which wouldn't be very hard to accomplish.
I'm migrating a (working) environment from one server running Fedora 7 to another running Fedora 9. After pulling my hair out for most of the day I've found out the problem is with SELinux because when I turned it off temporarily everything worked fine.
Not to get into too much detail, but my problem came from apache not being able to access a file (although the error isn't quite that clear). Between the working environment and the non-working environment I can only see a couple differences in the selinux config files in /etc, but these have never been touched in either instance.
The context labels are a bit different too. The working environment has these selinux context labels:
user_u:object_r:httpd_sys_content_t
But the non-working environment has these context labels:
unconfined_u:object_r:httpd_sys_content_t:s0
It seems to get an extra field and the user changes to unconfined. Is this relevant?
There is nothing else that I can find different, is there anything else that could be the problem?
Any advice would be greatly appreciated.
On Thu, 4 Sep 2008 20:07:10 -0700 "Robert J. Carr" rjcarr@gmail.com wrote:
Hopefully this is a quick question to those that know SELinux more than I do, which wouldn't be very hard to accomplish.
I'm migrating a (working) environment from one server running Fedora 7 to another running Fedora 9. After pulling my hair out for most of the day I've found out the problem is with SELinux because when I turned it off temporarily everything worked fine.
Not to get into too much detail, but my problem came from apache not being able to access a file (although the error isn't quite that clear). Between the working environment and the non-working environment I can only see a couple differences in the selinux config files in /etc, but these have never been touched in either instance.
The context labels are a bit different too. The working environment has these selinux context labels:
user_u:object_r:httpd_sys_content_t
But the non-working environment has these context labels:
unconfined_u:object_r:httpd_sys_content_t:s0
It seems to get an extra field and the user changes to unconfined. Is this relevant?
There is nothing else that I can find different, is there anything else that could be the problem?
Any advice would be greatly appreciated.
You need to find the actual SELinux denials that are happening and post them. They'll be in /var/log/audit/audit.log if you're running the audit daemon, and /var/log/messages of you're not.
Paul.
Robert J. Carr wrote:
Hopefully this is a quick question to those that know SELinux more than I do, which wouldn't be very hard to accomplish.
I'm migrating a (working) environment from one server running Fedora 7 to another running Fedora 9. After pulling my hair out for most of the day I've found out the problem is with SELinux because when I turned it off temporarily everything worked fine.
Not to get into too much detail, but my problem came from apache not being able to access a file (although the error isn't quite that clear). Between the working environment and the non-working environment I can only see a couple differences in the selinux config files in /etc, but these have never been touched in either instance.
The context labels are a bit different too. The working environment has these selinux context labels:
user_u:object_r:httpd_sys_content_t
But the non-working environment has these context labels:
unconfined_u:object_r:httpd_sys_content_t:s0
It seems to get an extra field and the user changes to unconfined. Is this relevant?
There is nothing else that I can find different, is there anything else that could be the problem?
Any advice would be greatly appreciated.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Also pipe them through audit2why it might tell you you need to turn on a boolean.
grep http /var/log/audit/audit.log | audit2allow -w
Thanks Paul and Daniel-
I piped the logs through audit2why and here's what it is saying:
----
type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
----
As I said previously I know almost nothing about selinux, so if this means anything help is appreciated, otherwise I'm going to see what I can find out.
Thanks for the guidance.
On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh dwalsh@redhat.com wrote:
Robert J. Carr wrote:
Hopefully this is a quick question to those that know SELinux more than I do, which wouldn't be very hard to accomplish.
I'm migrating a (working) environment from one server running Fedora 7 to another running Fedora 9. After pulling my hair out for most of the day I've found out the problem is with SELinux because when I turned it off temporarily everything worked fine.
Not to get into too much detail, but my problem came from apache not being able to access a file (although the error isn't quite that clear). Between the working environment and the non-working environment I can only see a couple differences in the selinux config files in /etc, but these have never been touched in either instance.
The context labels are a bit different too. The working environment has these selinux context labels:
user_u:object_r:httpd_sys_content_t
But the non-working environment has these context labels:
unconfined_u:object_r:httpd_sys_content_t:s0
It seems to get an extra field and the user changes to unconfined. Is this relevant?
There is nothing else that I can find different, is there anything else that could be the problem?
Any advice would be greatly appreciated.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Also pipe them through audit2why it might tell you you need to turn on a boolean.
grep http /var/log/audit/audit.log | audit2allow -w
On Fri, 5 Sep 2008 09:16:11 -0700 "Robert J. Carr" rjcarr@gmail.com wrote:
Thanks Paul and Daniel-
I piped the logs through audit2why and here's what it is saying:
type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
As I said previously I know almost nothing about selinux, so if this means anything help is appreciated, otherwise I'm going to see what I can find out.
Thanks for the guidance.
On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh dwalsh@redhat.com wrote:
Robert J. Carr wrote:
Hopefully this is a quick question to those that know SELinux more than I do, which wouldn't be very hard to accomplish.
I'm migrating a (working) environment from one server running Fedora 7 to another running Fedora 9. After pulling my hair out for most of the day I've found out the problem is with SELinux because when I turned it off temporarily everything worked fine.
Not to get into too much detail, but my problem came from apache not being able to access a file (although the error isn't quite that clear). Between the working environment and the non-working environment I can only see a couple differences in the selinux config files in /etc, but these have never been touched in either instance.
The context labels are a bit different too. The working environment has these selinux context labels:
user_u:object_r:httpd_sys_content_t
But the non-working environment has these context labels:
unconfined_u:object_r:httpd_sys_content_t:s0
It seems to get an extra field and the user changes to unconfined. Is this relevant?
There is nothing else that I can find different, is there anything else that could be the problem?
Any advice would be greatly appreciated.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Also pipe them through audit2why it might tell you you need to turn on a boolean.
grep http /var/log/audit/audit.log | audit2allow -w
OK, I don't know where your trac.db file is, so let's say it's /srv/www/trac/db/trac.db
See if this helps: # chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
Cheers, Paul.
Thanks Paul! I put that label (httpd_sys_script_rw_t) on the trac.db file itself (not using -R as you suggested) and it worked.
So now for the whole teach a guy how to fish part. Is this a new label for selinux in Fedora 9? In my other working environment in Fedora 7 all files (including trac.db) are labeled with httpd_sys_content_t. What's different?
Is there some guide that tells you the labels you should be using for specific types of httpd files?
Thanks again for the help ... it is greatly appreciated.
On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth paul@city-fan.org wrote:
On Fri, 5 Sep 2008 09:16:11 -0700 "Robert J. Carr" rjcarr@gmail.com wrote:
Thanks Paul and Daniel-
I piped the logs through audit2why and here's what it is saying:
type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
As I said previously I know almost nothing about selinux, so if this means anything help is appreciated, otherwise I'm going to see what I can find out.
Thanks for the guidance.
On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh dwalsh@redhat.com wrote:
Robert J. Carr wrote:
Hopefully this is a quick question to those that know SELinux more than I do, which wouldn't be very hard to accomplish.
I'm migrating a (working) environment from one server running Fedora 7 to another running Fedora 9. After pulling my hair out for most of the day I've found out the problem is with SELinux because when I turned it off temporarily everything worked fine.
Not to get into too much detail, but my problem came from apache not being able to access a file (although the error isn't quite that clear). Between the working environment and the non-working environment I can only see a couple differences in the selinux config files in /etc, but these have never been touched in either instance.
The context labels are a bit different too. The working environment has these selinux context labels:
user_u:object_r:httpd_sys_content_t
But the non-working environment has these context labels:
unconfined_u:object_r:httpd_sys_content_t:s0
It seems to get an extra field and the user changes to unconfined. Is this relevant?
There is nothing else that I can find different, is there anything else that could be the problem?
Any advice would be greatly appreciated.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Also pipe them through audit2why it might tell you you need to turn on a boolean.
grep http /var/log/audit/audit.log | audit2allow -w
OK, I don't know where your trac.db file is, so let's say it's /srv/www/trac/db/trac.db
See if this helps: # chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
Cheers, Paul.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Robert J. Carr wrote:
Thanks Paul! I put that label (httpd_sys_script_rw_t) on the trac.db file itself (not using -R as you suggested) and it worked.
So now for the whole teach a guy how to fish part. Is this a new label for selinux in Fedora 9? In my other working environment in Fedora 7 all files (including trac.db) are labeled with httpd_sys_content_t. What's different?
Is there some guide that tells you the labels you should be using for specific types of httpd files?
Thanks again for the help ... it is greatly appreciated.
On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth paul@city-fan.org wrote:
On Fri, 5 Sep 2008 09:16:11 -0700 "Robert J. Carr" rjcarr@gmail.com wrote:
Thanks Paul and Daniel-
I piped the logs through audit2why and here's what it is saying:
type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
As I said previously I know almost nothing about selinux, so if this means anything help is appreciated, otherwise I'm going to see what I can find out.
Thanks for the guidance.
On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh dwalsh@redhat.com wrote:
Robert J. Carr wrote:
Hopefully this is a quick question to those that know SELinux more than I do, which wouldn't be very hard to accomplish.
I'm migrating a (working) environment from one server running Fedora 7 to another running Fedora 9. After pulling my hair out for most of the day I've found out the problem is with SELinux because when I turned it off temporarily everything worked fine.
Not to get into too much detail, but my problem came from apache not being able to access a file (although the error isn't quite that clear). Between the working environment and the non-working environment I can only see a couple differences in the selinux config files in /etc, but these have never been touched in either instance.
The context labels are a bit different too. The working environment has these selinux context labels:
user_u:object_r:httpd_sys_content_t
But the non-working environment has these context labels:
unconfined_u:object_r:httpd_sys_content_t:s0
It seems to get an extra field and the user changes to unconfined. Is this relevant?
There is nothing else that I can find different, is there anything else that could be the problem?
Any advice would be greatly appreciated.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Also pipe them through audit2why it might tell you you need to turn on a boolean.
grep http /var/log/audit/audit.log | audit2allow -w
OK, I don't know where your trac.db file is, so let's say it's /srv/www/trac/db/trac.db
See if this helps: # chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
Cheers, Paul.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
man httpd_selinux
Explains a lot of it.
# semanage fcontext -a -t httpd_sys_script_rw_t '/srv/www/trac(/.*)?'
But this is revealing a bug in policy. This is supposed to work out of the box with the httpd_unified boolean turned on. But the policy to do this was accidently removed.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Daniel J Walsh wrote:
Robert J. Carr wrote:
Thanks Paul! I put that label (httpd_sys_script_rw_t) on the trac.db file itself (not using -R as you suggested) and it worked.
So now for the whole teach a guy how to fish part. Is this a new label for selinux in Fedora 9? In my other working environment in Fedora 7 all files (including trac.db) are labeled with httpd_sys_content_t. What's different?
Is there some guide that tells you the labels you should be using for specific types of httpd files?
Thanks again for the help ... it is greatly appreciated.
On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth paul@city-fan.org wrote:
On Fri, 5 Sep 2008 09:16:11 -0700 "Robert J. Carr" rjcarr@gmail.com wrote:
Thanks Paul and Daniel-
I piped the logs through audit2why and here's what it is saying:
type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
As I said previously I know almost nothing about selinux, so if this means anything help is appreciated, otherwise I'm going to see what I can find out.
Thanks for the guidance.
On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh dwalsh@redhat.com wrote:
Robert J. Carr wrote:
Hopefully this is a quick question to those that know SELinux more than I do, which wouldn't be very hard to accomplish.
I'm migrating a (working) environment from one server running Fedora 7 to another running Fedora 9. After pulling my hair out for most of the day I've found out the problem is with SELinux because when I turned it off temporarily everything worked fine.
Not to get into too much detail, but my problem came from apache not being able to access a file (although the error isn't quite that clear). Between the working environment and the non-working environment I can only see a couple differences in the selinux config files in /etc, but these have never been touched in either instance.
The context labels are a bit different too. The working environment has these selinux context labels:
user_u:object_r:httpd_sys_content_t
But the non-working environment has these context labels:
unconfined_u:object_r:httpd_sys_content_t:s0
It seems to get an extra field and the user changes to unconfined. Is this relevant?
There is nothing else that I can find different, is there anything else that could be the problem?
Any advice would be greatly appreciated.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Also pipe them through audit2why it might tell you you need to turn on a boolean.
grep http /var/log/audit/audit.log | audit2allow -w
OK, I don't know where your trac.db file is, so let's say it's /srv/www/trac/db/trac.db
See if this helps: # chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
Cheers, Paul.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Resending with fixed text.
man httpd_selinux
Explains a lot of it.
# semanage fcontext -a -t httpd_sys_script_rw_t '/srv/www/trac(/.*)?' # restorecon -R -v /srv/www
Is better then chcon since it will survive a relebel.
But this is revealing a bug in policy. This is supposed to work out of the box with the httpd_unified boolean turned on. But the policy to do this was accidently removed.
Robert J. Carr wrote:
Thanks Paul! I put that label (httpd_sys_script_rw_t) on the trac.db file itself (not using -R as you suggested) and it worked.
So now for the whole teach a guy how to fish part. Is this a new label for selinux in Fedora 9? In my other working environment in Fedora 7 all files (including trac.db) are labeled with httpd_sys_content_t. What's different?
Is there some guide that tells you the labels you should be using for specific types of httpd files?
Thanks again for the help ... it is greatly appreciated.
On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth paul@city-fan.org wrote:
On Fri, 5 Sep 2008 09:16:11 -0700 "Robert J. Carr" rjcarr@gmail.com wrote:
Thanks Paul and Daniel-
I piped the logs through audit2why and here's what it is saying:
type=AVC msg=audit(1220631048.301:1541): avc: denied { write } for pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
As I said previously I know almost nothing about selinux, so if this means anything help is appreciated, otherwise I'm going to see what I can find out.
Thanks for the guidance.
As Dan suggested, "man httpd_selinux" lists the available context types for web applications that don't have their own specific types (bugzilla is an example of an app that has its own types).
I find a reasonable rule of thumb is: * CGI scripts need to be httpd_script_exec_t * Files/directories that needs to be writeable by the apache user or group should be httpd_sys_script_rw_t * Everything else should be httpd_sys_content_t
In your case, you may find that just setting the context of trac.db fixes the immediate problem but you may have issues e.g. with adding attachments to trac wiki pages, hence the suggestion to do all of /srv/www/trac
Paul.
selinux@lists.fedoraproject.org