Bug 767195 - SELinux is preventing httpd (namely Trac) from RO access on git files
Summary: SELinux is preventing httpd (namely Trac) from RO access on git files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-12-13 14:29 UTC by Matěj Cepl
Modified: 2012-06-20 12:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:29:39 UTC
Target Upstream Version:


Attachments (Terms of Use)
output of ausearch -m AVC -ts 14:45 (when I relabelled /srv) (13.25 KB, text/plain)
2011-12-13 14:29 UTC, Matěj Cepl


Links
Red Hat Product Errata RHBA-2012:0780 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2012-06-19 20:34:59 UTC

Description Matěj Cepl 2011-12-13 14:29:33 UTC
Created attachment 546229 [details]
output of ausearch -m AVC -ts 14:45 (when I relabelled /srv)

Description of problem:
These are my local modifications

[root@luther ~]# semanage fcontext -l -C
SELinux fcontext                                   type               Context

/srv/trac(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/srv/trac/.*/cgi-bin/.*gi                          all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/srv/trac/.*/plugins/.*\.egg                       all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/srv/trac/.*\.db                                   all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/srv/trac/plugins/.*\.egg                          all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/usr/share/statusnet/.*.php?                       all files          system_u:object_r:httpd_user_script_exec_t:s0 
/usr/share/wordpress/.*\.php$                      all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/var/lib/dspam(/.*)?                               all files          system_u:object_r:httpd_sys_content_rw_t:s0 
/var/www/dav(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 

SELinux fcontext Equivalence 

/usr/share/wordpress/wp-content/upgrade(/.*)? = /usr/share/wordpress/wp-content/uploads/
/srv/mysql = /var/lib/mysql
/srv/mysql/mysql.sock = /var/lib/mysql/mysql.sock
/srv/trac/htdocs/ = /var/www/html/
[root@luther ~]# 

and this is the analysis of the log

[root@luther ~]# ausearch -m AVC -ts 14:45 |audit2allow 


#============= httpd_t ==============
allow httpd_t git_system_content_t:dir { read search open getattr };
allow httpd_t git_system_content_t:file { read getattr open };
allow httpd_t httpd_sys_script_exec_t:file write;
[root@luther ~]# 

Not sure about httpd_sys_script_exec_t (not sure what the proper label for .egg files is), but the rest is probably the result of Trac accessing (read-only) git files.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-131.el6.noarch

Comment 2 Matěj Cepl 2011-12-13 16:06:15 UTC
OK, with fixing issues with *.egg I am down to the additional module which says

module myTracGit 1.0;

require {
	type httpd_t;
	type git_system_content_t;
	class file { read getattr open };
	class dir { read search open getattr };
}

#============= httpd_t ==============
allow httpd_t git_system_content_t:dir { read search open getattr };
allow httpd_t git_system_content_t:file { read getattr open };

and now Trac seems to work.
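The steps above (ausearch -m AVC piped into audit2allow, then the resulting allow rules wrapped in a module with its require block) can be reproduced in a few lines, which makes it easier to see how denials are grouped before deciding whether a raw rule or a policy interface is the right fix. The following is an added example, not code from the bug report; the AVC lines are constructed to match the denials described here, and the function names are the author's own.

```python
# Added example: mimic "ausearch -m AVC | audit2allow" and the module shape in Comment 2.
import re
from collections import defaultdict

# Constructed AVC records in audit.log format (not the real attachment), modelled on
# httpd_t being denied read-only access to git_system_content_t files and dirs.
SAMPLE_AVCS = """\
type=AVC msg=audit(1323787512.123:1001): avc:  denied  { search } for  pid=2345 comm="httpd" name="repos" dev=dm-0 ino=131074 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:git_system_content_t:s0 tclass=dir
type=AVC msg=audit(1323787512.124:1002): avc:  denied  { read open } for  pid=2345 comm="httpd" name="HEAD" dev=dm-0 ino=131080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:git_system_content_t:s0 tclass=file
type=AVC msg=audit(1323787512.125:1003): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/srv/git/project/HEAD" dev=dm-0 ino=131080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:git_system_content_t:s0 tclass=file
type=AVC msg=audit(1323787512.126:1004): avc:  denied  { read open getattr } for  pid=2345 comm="httpd" name="objects" dev=dm-0 ino=131090 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:git_system_content_t:s0 tclass=dir
"""

# Pull the denied permission set, source type, target type and object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)"
)

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules

def allow_rules(rules):
    """Render the grouped denials as allow statements, one per (source, target, class)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def te_module(name, version, rules):
    """Emit module source with the require block, the same shape as the myTracGit module.
    Prefer a policy interface (e.g. git_read_generic_system_content_files(httpd_t), Comment 4)
    over raw allow rules whenever the distribution policy provides one."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(rules)
    return "\n".join(lines) + "\n"
```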

Comment 3 Matěj Cepl 2011-12-13 16:06:53 UTC
I am not sure what I want, whether this module should be included as it is, or whether it should be made into a seboolean.

Comment 4 Daniel Walsh 2011-12-13 19:43:54 UTC
You probably should use


git_read_generic_system_content_files(httpd_t)

Comment 5 Daniel Walsh 2011-12-13 19:44:51 UTC
Which we have in F16.

Comment 6 Miroslav Grepl 2011-12-14 11:22:47 UTC
Yes, I need to backport it.

Comment 9 Karel Srot 2012-05-07 14:36:26 UTC
Hi Matej, 
could you please test it with recent selinux-policy version?
Thank you in advance.

Comment 10 Matěj Cepl 2012-05-07 19:07:53 UTC
(In reply to comment #9)
> could you please test it with recent selinux-policy version?

Sorry, I cannot, I am afraid. After some more pieces of miserable experience with Trac, marketed as lightweight (its memory consumption is boundless), I went with Bugzilla, blamed for being overweight, which works like a charm with much less memory consumed and hugely bigger functionality. Never underestimate the smarts of Perl hackers! But no, I won't be installing that beast back on my server just to find out that everything works fine (as I expect it to).

Comment 13 errata-xmlrpc 2012-06-20 12:29:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

