Edgewall Software

SELinux Hints

Trac won't work out of the box with SELinux enabled systems, since even if you chown the Trac environment to apache it still won't be allowed to write there. These steps should help you get a working install without having to disable SELinux. I was using the targeted policy on an installation of Fedora Core 4 Test 3, so paths might be specific to this configuration, YMMV.

You'll also need to install the selinux-policy-targeted-sources package to make use of the rules here.

I found that using /var/www/svn for the base dir for subversion repositories (as per comments in /etc/httpd.d/subversion.conf) eliminated the need for any extra configuration as far as access to the subversion repository goes.

Configure the Trac access rules

This will set up SELinux so that the server can read and modify the trac environment. Currently only mod_python and cgi setups are defined.

Put the following in a new file /etc/selinux/targeted/src/policy/domains/program/trac.te:

# trac domains
type trac_var_t, file_type, sysadmfile;

# enable trac under mod_python
bool trac_mod_python true;

# enable trac as cgi
bool trac_cgi true;

# grant apache appropriate permissions
ifdef(`apache.te', `
# mod_python permissions
if (trac_mod_python) {
  create_dir_file(httpd_t, trac_var_t)
}
# cgi permissions
if (trac_cgi) {
  create_dir_file(httpd_sys_script_t, trac_var_t)
}
')

This configuration

  1. Declares trac_var_t as a type of file
  2. Defines confiuration variable to enable various trac setups
  3. Checks that the apache policy is available
  4. If trac_mod_python is true, allows httpd_t (the apache security context) to
    • Create, read, and write trac_var_t files/directories
  5. If trac_cgi is true, allows httpd_sys_script_t (the apache cgi security context) to
    • Create, read, and write trac_var_t files/directories

You can use setsebool -P trac_cgi <true/false> or setsebool -P trac_mod_python <true/false> as appropriate to enable only the configuration you are using, though there is little harm in leaving them both active.

Configure the Trac file contexts

This defines which files are considered to be trac_var_t and should be placed in /etc/selinux/targeted/src/policy/file_contexts/program/trac.fc. I used /var/trac to store my Trac environments, change that path as appropriate.

/var/trac(/.*)?                 system_u:object_r:trac_var_t
<python site packages dir>/neo_cgi.so       system_u:object_r:texrel_shlib_t

You should replace <python site packages dir> with the output of python -c 'from distutils.sysconfig import get_python_lib; print get_python_lib()'

NB. On some earlier versions of SELinux (specifically, on CentOS 4.2 or RHEL4) the texrel_shlib_t context is not valid. I replaced this with shlib_t and it seems to work OK.

NB. FC4 currently has shlib_t and texrel_shlib_t as alias for lib_t. Also the lib_t isn't granted the rights it used to have, hence you need to add 'allow httpd_t self:process execheap;' to your 'local.te' file located in '/etc/selinux/targeted/src/policy/domains/misc'. 'make reload' in '/etc/selinux/targeted/src/policy' is then needed to compile and install the new policy. Failure to do so will result in clearsilver not being found when trying to log in.

This does the following:

  1. Anything underneath /var/trac (including /var/trac itself) is of type trac_var_t
  2. neo_cgi.so is labeled as having text relocations which is necessary for the clearsilver module to be loaded

(See comment about about the texrel_shlib_t context.)

Load the new policy

To load the new policy switch to the /etc/selinux/targeted/src/policy directory and run make load followed by make install. You will then need to apply the file contexts by running fixfiles restore /var/trac and fixfiles restore /usr/lib/python2.4/site-packages/neo_cgi.so (replace the path with where ever the site-packages for the version of python you are using is).

Troubleshooting

If you still have problems after doing all this there are a few things you can check.

  • Apache cannot access the trac environments
    • ls -lZR /var/trac will tell you the file contexts for Trac's environments. If they are not system_u:object_r:trac_var_t you may need to run the fixfiles bit again.
    • Make sure the files are readable by the apache user according to classic unix permissions, SELinux augments, not replaces this. (i.e. chown -R apache /var/trac)
  • Apache cannot access the subversion repository
    • This isn't covered here, the subversion documentation (the FAQ for sure) has some information on setting up subversion with SELinux for access with apache

alternate method

There has also been some luck just by simply changing the security context using chcon to match that of apache for trac project location such as

# chcon -R -t httpd_sys_content_t /home/www/trac/

alternate method 2

Newer versions of Fedora introduce a new type, httpd_sys_script_rw_t. To make it work with trac for every project you must do:

chcon -R -t httpd_sys_script_rw_t /var/www/trac/project/db

CentOS 6.3

I found the following set of commands helpful for CentOS 6.3, using PostgreSQL as the database:

chcon -R -t httpd_sys_content_t /var/trac/official
chcon -R -t httpd_sys_script_rw_t /var/trac/official
setsebool -P httpd_can_network_connect on
Last modified 15 months ago Last modified on Jan 11, 2013 10:55:02 PM