changes from fedora 7 to 9

Fri Sep 5 17:50:35 UTC 2008

Thanks Paul!  I put that label (httpd_sys_script_rw_t) on the trac.db
file itself (not using -R as you suggested) and it worked.

So now for the whole teach a guy how to fish part.  Is this a new
label for selinux in Fedora 9?  In my other working environment in
Fedora 7 all files (including trac.db) are labeled with
httpd_sys_content_t.  What's different?

Is there some guide that tells you the labels you should be using for
specific types of httpd files?

Thanks again for the help ... it is greatly appreciated.

On Fri, Sep 5, 2008 at 10:35 AM, Paul Howarth <paul at city-fan.org> wrote:
> On Fri, 5 Sep 2008 09:16:11 -0700
> "Robert J. Carr" <rjcarr at gmail.com> wrote:
>
>> Thanks Paul and Daniel-
>>
>> I piped the logs through audit2why and here's what it is saying:
>>
>> ----
>>
>> type=AVC msg=audit(1220631048.301:1541): avc:  denied  { write } for
>> pid=8572 comm="httpd" name="trac.db" dev=dm-0 ino=2148813854
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
>>
>> Was caused by:
>> Missing type enforcement (TE) allow rule.
>>
>> You can use audit2allow to generate a loadable module to allow this
>> access.
>>
>> ----
>>
>> As I said previously I know almost nothing about selinux, so if this
>> means anything help is appreciated, otherwise I'm going to see what I
>> can find out.
>>
>> Thanks for the guidance.
>>
>> On Fri, Sep 5, 2008 at 7:19 AM, Daniel J Walsh <dwalsh at redhat.com>
>> wrote:
>> > Robert J. Carr wrote:
>> >> Hopefully this is a quick question to those that know SELinux more
>> >> than I do, which wouldn't be very hard to accomplish.
>> >>
>> >> I'm migrating a (working) environment from one server running
>> >> Fedora 7 to another running Fedora 9.  After pulling my hair out
>> >> for most of the day I've found out the problem is with SELinux
>> >> because when I turned it off temporarily everything worked fine.
>> >>
>> >> Not to get into too much detail, but my problem came from apache
>> >> not being able to access a file (although the error isn't quite
>> >> that clear).  Between the working environment and the non-working
>> >> environment I can only see a couple differences in the selinux
>> >> config files in /etc, but these have never been touched in either
>> >> instance.
>> >>
>> >> The context labels are a bit different too.  The working
>> >> environment has these selinux context labels:
>> >>
>> >>   user_u:object_r:httpd_sys_content_t
>> >>
>> >> But the non-working environment has these context labels:
>> >>
>> >>   unconfined_u:object_r:httpd_sys_content_t:s0
>> >>
>> >> It seems to get an extra field and the user changes to
>> >> unconfined.  Is this relevant?
>> >>
>> >> There is nothing else that I can find different, is there anything
>> >> else that could be the problem?
>> >>
>> >> Any advice would be greatly appreciated.
>> >>
>> >> --
>> >> fedora-selinux-list mailing list
>> >> fedora-selinux-list at redhat.com
>> >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> > Also pipe them through audit2why it might tell you you need to turn
>> > on a boolean.
>> >
>> > grep http /var/log/audit/audit.log | audit2allow -w
>
> OK, I don't know where your trac.db file is, so let's say
> it's /srv/www/trac/db/trac.db
>
> See if this helps:
> # chcon -R -t httpd_sys_script_rw_t /srv/www/trac/
>
> Cheers, Paul.
>
>