| | 1 | = SELinux Hints = |
| | 2 | |
| | 3 | Trac won't work out of the box with SELinux enabled systems, since even if you chown the Trac environment to apache it still won't be allowed to write there. These steps should help you get a working install without having to disable SELinux. I was using the targeted policy on an installation of Fedora Core 4 Test 3, so paths might be specific to this configuration, YMMV. |
| | 4 | |
| | 5 | I found that using {{{/var/www/svn}}} for the base dir for subversion repositories (as per comments in {{{/etc/httpd.d/subversion.conf}}}) eliminated the need for any extra configuration as far as access to the subversion repository goes. |
| | 6 | |
| | 7 | == Configure the Trac access rules == |
| | 8 | |
| | 9 | This will set up SELinux so that the server can read and modify the trac environment. Currently only mod_python and cgi setups are defined. |
| | 10 | |
| | 11 | Put the following in a new file {{{/etc/selinux/targeted/src/policy/domains/program/trac.te}}}: |
| | 12 | |
| | 13 | {{{ |
| | 14 | # trac domains |
| | 15 | type trac_var_t, file_type, sysadmfile; |
| | 16 | |
| | 17 | # enable trac under mod_python |
| | 18 | bool trac_mod_python true; |
| | 19 | |
| | 20 | # enable trac as cgi |
| | 21 | bool trac_cgi true; |
| | 22 | |
| | 23 | # grant apache appropriate permissions |
| | 24 | ifdef(`apache.te', ` |
| | 25 | # mod_python permissions |
| | 26 | if (trac_mod_python) { |
| | 27 | create_dir_file(httpd_t, trac_var_t) |
| | 28 | } |
| | 29 | # cgi permissions |
| | 30 | if (trac_cgi) { |
| | 31 | create_dir_file(httpd_sys_script_t, trac_var_t) |
| | 32 | } |
| | 33 | ') |
| | 34 | }}} |
| | 35 | |
| | 36 | This configuration |
| | 37 | |
| | 38 | 1. Declares trac_var_t as a type of file |
| | 39 | 1. Defines confiuration variable to enable various trac setups |
| | 40 | 1. Checks that the apache policy is available |
| | 41 | 1. If trac_mod_python is true, allows {{{httpd_t}}} (the apache security context) to |
| | 42 | * Create, read, and write {{{trac_var_t}}} files/directories |
| | 43 | 1. If trac_cgi is true, allows {{{httpd_sys_script_t}}} (the apache cgi security context) to |
| | 44 | * Create, read, and write {{{trac_var_t}}} files/directories |
| | 45 | |
| | 46 | You can use {{{setsebool -P trac_cgi <true/false>}}} or {{{setsebool -R trac_mod_python <true/false>}}} as appropriate to enable only the configuration you are using, though there is little harm in leaving them both active. |
| | 47 | |
| | 48 | == Configure the Trac file contexts == |
| | 49 | |
| | 50 | This defines which files are considered to be {{{trac_var_t}}} and |
| | 51 | should be placed in {{{/etc/selinux/targeted/src/policy/file_contexts/program/trac.fc}}}. I used /var/trac to store my Trac environments, change that path |
| | 52 | as appropriate. |
| | 53 | |
| | 54 | {{{ |
| | 55 | /var/trac(/.*)? system_u:object_r:trac_var_t |
| | 56 | .*/lib/python[0-9].[0-9]/site-packages/neo_cgi.so system_u:object_r:texrel_shlib_t |
| | 57 | }}} |
| | 58 | |
| | 59 | This does the following: |
| | 60 | |
| | 61 | 1. Anything underneath {{{/var/trac}}} (including {{{/var/trac}}} itself) is of type trac_var_t |
| | 62 | 2. {{{neo_cgi.so}}} is labeled as having text relocations which is necessary for the clearsilver module to be loaded |
| | 63 | |
| | 64 | == Load the new policy == |
| | 65 | |
| | 66 | To load the new policy switch to the {{{/etc/selinux/targeted/src/policy}}} directory and run {{{make load}}} followed by {{{make install}}}. You will then need to apply the file contexts by running {{{fixfiles restore /var/trac}}} and {{{fixfiles restore /usr/lib/python2.4/site-packages/neo_cgi.so}}} (replace the path with where ever the site-packages for the version of python you are using is). |
| | 67 | |
| | 68 | == Troubleshooting == |
| | 69 | |
| | 70 | If you still have problems after doing all this there are a few things you can check. |
| | 71 | |
| | 72 | * Apache cannot access the trac environments |
| | 73 | * {{{ls -lZR /var/trac}}} will tell you the file contexts for Trac's environments. If they are not {{{system_u:object_r:trac_var_t}}} you may need to run the fixfiles bit again. |
| | 74 | * Make sure the files are readable by the apache user according to classic unix permissions, SELinux augments, not replaces this. (i.e. {{{chown -R apache /var/trac}}}) |
| | 75 | * Apache cannot access the subversion repository |
| | 76 | * This isn't covered here, the subversion documentation (the FAQ for sure) has some information on setting up subversion with SELinux for access with apache |
