Bug 595849
Summary: | SELinux prevents dokuwiki from working in FC12 | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Laurence Hurst <l.a.hurst> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Priority: | low |
Version: | 13 | CC: | cgrim, dwalsh, hedayaty, me, mgrepl |
Hardware: | x86_64 | OS: | Linux |
Whiteboard: | setroubleshoot_trace_hash:cbd0e3717dc44084bdb586596c2e23ab36fa41e07662452f2971d5500eb183f9 | Doc Type: | Bug Fix |
Last Closed: | 2011-06-02 14:08:59 UTC | | |
Description
Laurence Hurst
2010-05-25 18:54:57 UTC
I installed the dokuwiki package on a Fedora 12 install (with web server option at install time) and received the above SELinux denial when I attempted to navigate to http://localhost/dokuwiki/. I received 104 identical SELinux denials in total. The dokuwiki webpage displays numerous "Creating directory /var/lib/dokuwiki/data/cache/d failed" errors.

Applying 'httpd_sys_content_t:s0' to all files in '/var/lib/dokuwiki(/.*)?' seems to fix this. I'm not sure how it's done for other packages (I'm new to Fedora but was a Debian user for many years) but I think this either needs documenting or adding to the rpm spec file or the default SELinux policy.

Does this entire directory need to be written to by dokuwiki?

Fixed in selinux-policy-3.7.19-22.fc13.noarch

Miroslav can you add

/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_rw_t,s0)

to F12.

(In reply to comment #3)
> Does this entire directory need to be written to by dokuwiki?

I believe it does. The Dokuwiki package is set up such that the main Dokuwiki files are in /usr/share/dokuwiki with a symlink from /usr/share/dokuwiki/conf -> /etc/dokuwiki and Dokuwiki itself configured to use /var/lib/dokuwiki/data for its data (where it stores the wiki content as plain text files and its cache). I believe only files it writes to are stored in the /var/lib/dokuwiki directory as all the static and config bits are in /usr/share/dokuwiki and /etc/dokuwiki respectively.

Ok Miroslav go for it.

I've had a few more SELinux hits with this package today. It also needs write access to /etc/dokuwiki(/.*)? and read to /usr/share/dokuwiki(/.*)? If you look at the drupal directory entries in the default SELinux policy exactly the same needs to be applied to the dokuwiki directories for it to work at all (i.e. a straight s/drupal/dokuwiki/ on the drupal policy would render a policy which gets basic functionality working in dokuwiki).
I have not been able to get the in-built plugin management web interface to be able to download and install plugins - strangely I'm not getting any SELinux denied messages regarding this but it does work perfectly if I throw SELinux into permissive rather than enforcing mode (but still nothing appears in the audit log) :S

If you execute

semodule -DB

it will turn off all dontaudit rules. Then you should see what is blocking.

semodule -B

turns them back on.

(In reply to comment #3)
> Does this entire directory need to be written to by dokuwiki?
>
> Fixed in selinux-policy-3.7.19-22.fc13.noarch
>
> Miroslav can you add
>
> /var/lib/dokuwiki(/.*)?
> gen_context(system_u:object_r:httpd_sys_rw_content_rw_t,s0)
>
> to F12.

Is it really fixed in F13? I installed dokuwiki rpm in F13 system and file structure in /var/lib/dokuwiki/data still has system_u:object_r:var_lib_t:s0 context.

[root@atom ~]# ll -Z /var/lib/dokuwiki/data/
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 attic
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 cache
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 index
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 locks
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 media
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 meta
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 pages
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 tmp

Fixed in selinux-policy-3.7.19-36.fc13

I tried it (selinux-policy and selinux-policy-targeted version 3.7.19-36.fc13) from koji, but during installation it threw this error:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/libexec/telepathy-sofiasip (system_u:object_r:telepathysofiasip_exec_t:s0 and system_u:object_r:telepathy_sofiasip_exec_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
And directories in /var/lib/dokuwiki/data still have system_u:object_r:var_lib_t:s0 context and are not writeable.

I am fixing this issue. You can run

# semodule -r telepathysofiasip

and then try to install selinux-policy-targeted again.

Will fix. Updated selinux-policy packages will be available today.

selinux-policy-3.7.19-37.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-37.fc13

selinux-policy-3.7.19-37.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with

su -c 'yum --enablerepo=updates-testing update selinux-policy'

You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-37.fc13

Now it works fine ;-) Thank you very much!

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life.
If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

For me this bug is already fixed in F13 (as I wrote on 2010-07-15). Thanks for your help.
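The label check that the thread does by eye with `ll -Z`, as an added shell example (not part of the bug report or of the selinux-policy package). It assumes the five-column `ls -Z` layout quoted above; the function names, the constructed sample listing and the expected type `httpd_sys_rw_content_t` are assumptions, so pass whichever type your policy assigns.

```shell
#!/bin/sh
# Constructed sample in the column layout quoted in the thread:
# mode, owner, group, SELinux context, name.
SAMPLE_LISTING='drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 attic
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 cache
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 pages'

# mislabeled EXPECTED_TYPE < listing
# Prints "type name" for each entry whose SELinux type is not EXPECTED_TYPE.
mislabeled() {
    awk -v want="$1" '
        NF >= 5 {
            split($4, ctx, ":")      # user:role:type:level
            if (ctx[3] != want) {
                name = $5
                for (i = 6; i <= NF; i++) name = name " " $i   # names with spaces
                print ctx[3], name
            }
        }'
}

# check_labels DIR EXPECTED_TYPE < listing
# Returns 0 when every entry carries EXPECTED_TYPE. Otherwise reports each
# mislabeled entry, prints a local relabel command (not executed), returns 1.
check_labels() {
    dir=$1; want=$2
    bad=$(mislabeled "$want")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | while read -r type name; do
        printf 'MISLABELED %s/%s has type %s, expected %s\n' \
            "$dir" "$name" "$type" "$want"
    done
    printf "suggested fix: semanage fcontext -a -t %s '%s(/.*)?' && restorecon -Rv %s\n" \
        "$want" "$dir" "$dir"
    return 1
}

# Demo on the constructed sample; on a live system of that era, pipe
# `ls -Z /var/lib/dokuwiki/data` into check_labels instead.
printf '%s\n' "$SAMPLE_LISTING" |
    check_labels /var/lib/dokuwiki/data httpd_sys_rw_content_t || true
```

`matchpathcon /var/lib/dokuwiki/data` shows the context the installed policy expects for the path, which is the value to pass as the expected type.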