
Changes between Version 13 and Version 14 of TracWithSeLinux


Timestamp:
Oct 17, 2017, 4:49:42 PM (2 years ago)
Author:
figaro
Comment:

Further cosmetic changes

  • TracWithSeLinux

    v13 v14  
    1 = SELinux Hints =
     1[[PageOutline(2-5,Contents,pullout)]]
    22
    3 Trac won't work out of the box with SELinux enabled systems, since even if you chown the Trac environment to apache it still won't be allowed to write there.  These steps should help you get a working install without having to disable SELinux.  I was using the targeted policy on an installation of Fedora Core 4 Test 3, so paths might be specific to this configuration, YMMV.
     3= Trac on SELinux
     4
     5Trac won't work out of the box with [wikipedia:Security-Enhanced_Linux SELinux] enabled systems. The reason is that even if you chown the Trac environment to Apache, it still won't be allowed to write there. These steps should help you get a working install without having to disable SELinux. I was using the targeted policy on an installation of Fedora Core 4 Test 3, so paths might be specific to this configuration.
    46
    57You'll also need to install the '''selinux-policy-targeted-sources''' package to make use of the rules here.
    68
    7 I found that using {{{/var/www/svn}}} for the base dir for subversion repositories (as per comments in {{{/etc/httpd.d/subversion.conf}}}) eliminated the need for any extra configuration as far as access to the subversion repository goes.
     9I found that using {{{/var/www/svn}}} for the base dir for Subversion repositories (as per comments in {{{/etc/httpd.d/subversion.conf}}}) eliminated the need for any extra configuration as far as access to the Subversion repository goes.
    810
    9 == Configure the Trac access rules ==
     11== Configure the Trac access rules
    1012
    11 This will set up SELinux so that the server can read and modify the trac environment. Currently only mod_python and cgi setups are defined.
     13This will set up SELinux so that the server can read and modify the Trac environment. Currently only mod_python and cgi setups are defined.
    1214
    1315Put the following in a new file {{{/etc/selinux/targeted/src/policy/domains/program/trac.te}}}:
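Review bot: the reworded introduction (v14 line 5) keeps the "Fedora Core 4 Test 3 ... paths might be specific" caveat but buries it mid-paragraph, while everything that follows (the selinux-policy-targeted-sources package, the /etc/selinux/targeted/src/policy tree, trac.te) depends on that policy-source layout. Suggest a short line directly under the heading stating which Fedora/policy-source setup the trac.te and trac.fc sections apply to, so readers on later releases know to go straight to the chcon-based sections further down rather than hunting for a directory that does not exist on their system.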
     
    2527# grant apache appropriate permissions
    2628ifdef(`apache.te', `
    27 # mod_python permissions
    28 if (trac_mod_python) {
    29   create_dir_file(httpd_t, trac_var_t)
    30 }
    31 # cgi permissions
    32 if (trac_cgi) {
    33   create_dir_file(httpd_sys_script_t, trac_var_t)
    34 }
     29  # mod_python permissions
     30  if (trac_mod_python) {
     31    create_dir_file(httpd_t, trac_var_t)
     32  }
     33  # cgi permissions
     34  if (trac_cgi) {
     35    create_dir_file(httpd_sys_script_t, trac_var_t)
     36  }
    3537')
    3638}}}
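Review bot: the reindentation inside ifdef(`apache.te', ...) is fine, but the comment "# grant apache appropriate permissions" above it could name the two tunables and the domains they gate (trac_mod_python -> httpd_t, trac_cgi -> httpd_sys_script_t), since the only place that mapping is spelled out is the numbered list after the block. A reader copying trac.te without the prose would otherwise not see that create_dir_file grants the full create/read/write set on trac_var_t to whichever domain the boolean enables.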
     
    3941
    4042 1. Declares trac_var_t as a type of file
    41  1. Defines confiuration variable to enable various trac setups
     43 1. Defines configuration variable to enable various Trac setups
    4244 1. Checks that the apache policy is available
    43  1. If trac_mod_python is true, allows {{{httpd_t}}} (the apache security context) to
     45 1. If trac_mod_python is true, then it allows {{{httpd_t}}} (the apache security context) to
    4446    * Create, read, and write {{{trac_var_t}}} files/directories
    45  1. If trac_cgi is true, allows {{{httpd_sys_script_t}}} (the apache cgi security context) to
     47 1. If trac_cgi is true, then it allows {{{httpd_sys_script_t}}} (the apache cgi security context) to
    4648    * Create, read, and write {{{trac_var_t}}} files/directories
    4749
    4850You can use {{{setsebool -P trac_cgi <true/false>}}} or {{{setsebool -P trac_mod_python <true/false>}}} as appropriate to enable only the configuration you are using, though there is little harm in leaving them both active.
    4951
    50 == Configure the Trac file contexts ==
     52== Configure the Trac file contexts
    5153
    52 This defines which files are considered to be {{{trac_var_t}}} and
    53 should be placed in {{{/etc/selinux/targeted/src/policy/file_contexts/program/trac.fc}}}.  I used /var/trac to store my Trac environments, change that path
    54 as appropriate. 
     54This defines which files are considered to be {{{trac_var_t}}} and should be placed in {{{/etc/selinux/targeted/src/policy/file_contexts/program/trac.fc}}}. I used /var/trac to store my Trac environments, change that path
     55as appropriate:
    5556
    5657{{{
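Review bot: the clause "though there is little harm in leaving them both active" (v14 line 50) undercuts the reason for having two booleans: with trac_cgi left on, every script running as httpd_sys_script_t, not only Trac, gets create/read/write on trac_var_t. Suggest rewording to recommend enabling only the boolean for the setup in use, e.g. `setsebool -P trac_mod_python true` together with `setsebool -P trac_cgi false` for a mod_python deployment, which also matches the "Create, read, and write trac_var_t files/directories" items just above.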
     
    6162You should replace {{{<python site packages dir>}}} with the output of {{{python -c 'from distutils.sysconfig import get_python_lib; print get_python_lib()'}}}
    6263
    63 NB. On some earlier versions of SELinux (specifically, on CentOS 4.2 or RHEL4) the texrel_shlib_t context is not valid. I replaced this with shlib_t and it seems to work OK.
     64'''Note''': On some earlier versions of SELinux (specifically, on CentOS 4.2 or RHEL4) the texrel_shlib_t context is not valid. I replaced this with shlib_t and it seems to work OK.
    6465
    65 NB. FC4 currently has shlib_t and texrel_shlib_t as alias for lib_t.
    66 Also the lib_t isn't granted the rights it used to have, hence you need
    67 to add 'allow httpd_t self:process execheap;' to your 'local.te' file
    68 located in '/etc/selinux/targeted/src/policy/domains/misc'. 'make reload'
    69 in '/etc/selinux/targeted/src/policy' is then needed to compile and install the new policy. Failure to do so will result in clearsilver not being found when trying to log in.
     66'''Note''': FC4 currently has shlib_t and texrel_shlib_t as alias for lib_t. Also the lib_t isn't granted the rights it used to have, hence you need to add 'allow httpd_t self:process execheap;' to your 'local.te' file located in '/etc/selinux/targeted/src/policy/domains/misc'. 'make reload' in '/etc/selinux/targeted/src/policy' is then needed to compile and install the new policy. Failure to do so will result in Clearsilver not being found when trying to log in.
    7067
    7168This does the following:
    7269
    73  1. Anything underneath {{{/var/trac}}} (including {{{/var/trac}}} itself) is of type trac_var_t
    74  2. {{{neo_cgi.so}}} is labeled as having text relocations which is necessary for the clearsilver module to be loaded
     70 1. Anything underneath {{{/var/trac}}} (including {{{/var/trac}}} itself) is of type trac_var_t.
     71 1. {{{neo_cgi.so}}} is labeled as having text relocations which is necessary for the Clearsilver module to be loaded.
    7572
    76 (See comment about about the texrel_shlib_t context.)
     73See comment about about the texrel_shlib_t context.
    7774
    78 == Load the new policy ==
     75== Load the new policy
    7976
    80 To load the new policy switch to the {{{/etc/selinux/targeted/src/policy}}} directory and run {{{make load}}} followed by {{{make install}}}.  You will then need to apply the file contexts by running {{{fixfiles restore /var/trac}}} and {{{fixfiles restore /usr/lib/python2.4/site-packages/neo_cgi.so}}} (replace the path with where ever the site-packages for the version of python you are using is).
     77To load the new policy switch to the {{{/etc/selinux/targeted/src/policy}}} directory and run {{{make load}}} followed by {{{make install}}}. You will then need to apply the file contexts by running {{{fixfiles restore /var/trac}}} and {{{fixfiles restore /usr/lib/python2.4/site-packages/neo_cgi.so}}}. Replace the path with where ever the site-packages for the version of Python you are using is.
    8178
    82 == Troubleshooting ==
     79== Troubleshooting
    8380
    84 If you still have problems after doing all this there are a few things you can check.
     81If you still have problems after doing all this, then there are a few things you can check:
    8582
    86   * Apache cannot access the trac environments
    87     * {{{ls -lZR /var/trac}}} will tell you the file contexts for Trac's environments.  If they are not {{{system_u:object_r:trac_var_t}}} you may need to run the fixfiles bit again.
    88     * Make sure the files are readable by the apache user according to classic unix permissions, SELinux augments, not replaces this. (i.e. {{{chown -R apache /var/trac}}})
    89   * Apache cannot access the subversion repository
    90     * This isn't covered here, the subversion documentation (the FAQ for sure) has some information on setting up subversion with SELinux for access with apache
     83  * Apache cannot access the Trac environments:
     84    * {{{ls -lZR /var/trac}}} will tell you the file contexts for Trac's environments. If they are not {{{system_u:object_r:trac_var_t}}} you may need to run the fixfiles bit again.
     85    * Make sure the files are readable by the Apache user according to classic unix permissions, SELinux augments, not replaces this, ie {{{chown -R apache /var/trac}}}.
     86  * Apache cannot access the subversion repository:
     87    * This isn't covered here, the subversion documentation (the FAQ for sure) has some information on setting up subversion with SELinux for access with Apache.
    9188
    92  === alternate method ===
    93 There has also been some luck just by simply changing the security context using chcon to match that of apache for trac project location such as
    94  # chcon -R -t httpd_sys_content_t /home/www/trac/
     89=== Alternative method 1
    9590
    96  === alternate method 2 ===
     91There has also been some luck just by simply changing the security context using `chcon` to match that of Apache for the Trac project location such as:
     92{{{#!sh
     93# chcon -R -t httpd_sys_content_t /home/www/trac/
     94}}}
    9795
    98 Newer versions of Fedora introduce a new type, httpd_sys_script_rw_t.
    99 To make it work with trac for every project you must do:
    100 {{{
    101 #!sh
     96=== Alternative method 2
     97
     98Newer versions of Fedora introduce a new type `httpd_sys_script_rw_t`. To make it work with Trac for every project you must do:
     99{{{#!sh
    102100chcon -R -t httpd_sys_script_rw_t /var/www/trac/project/db
    103101}}}
    104102
    105 == CentOS 6.3 ==
     103== CentOS 6.3
    106104
    107105I found the following set of commands helpful for CentOS 6.3, using PostgreSQL as the database:
    108106
    109 {{{
    110 #!sh
     107{{{#!sh
    111108chcon -R -t httpd_sys_content_t /var/trac/official
    112109chcon -R -t httpd_sys_script_rw_t /var/trac/official
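Review bot: v14 line 73 still reads "See comment about about the texrel_shlib_t context"; the duplicated word survived the cosmetic pass and should be "See comment above about". Separately, the two "Alternative method" sections and the CentOS 6.3 section rely on `chcon -R`, but the "Load the new policy" and "Troubleshooting" text recommends `fixfiles restore`, which relabels from the file-context database and will undo a label set only with chcon. Worth one sentence in those sections pointing out that a persistent label needs `semanage fcontext -a -t <type> '<path>(/.*)?'` followed by `restorecon -R <path>`, otherwise the next relabel silently reverts the fix and Apache loses access again.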