Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Version 13 and Version 14 of TracWithSeLinux

Timestamp:: Oct 17, 2017, 4:49:42 PM (7 years ago)
Author:: figaro
Comment:: Further cosmetic changes

Legend:

: Unmodified
: Added
: Removed
: Modified

TracWithSeLinux

-              v13
+              v14
+= SELinux Hints =
+[[PageOutline(2-5,Contents,pullout)]]
+Trac won't work out of the box with SELinux enabled systems, since even if you chown the Trac environment to apache it still won't be allowed to write there.  These steps should help you get a working install without having to disable SELinux.  I was using the targeted policy on an installation of Fedora Core 4 Test 3, so paths might be specific to this configuration, YMMV.
+= Trac on SELinux
+Trac won't work out of the box with [wikipedia:Security-Enhanced_Linux SELinux] enabled systems. The reason is that even if you chown the Trac environment to Apache, it still won't be allowed to write there. These steps should help you get a working install without having to disable SELinux. I was using the targeted policy on an installation of Fedora Core 4 Test 3, so paths might be specific to this configuration.
 You'll also need to install the '''selinux-policy-targeted-sources''' package to make use of the rules here.
 I found that using {{{/var/www/svn}}} for the base dir for subversion repositories (as per comments in {{{/etc/httpd.d/subversion.conf}}}) eliminated the need for any extra configuration as far as access to the subversion repository goes.
+I found that using {{{/var/www/svn}}} for the base dir for Subversion repositories (as per comments in {{{/etc/httpd.d/subversion.conf}}}) eliminated the need for any extra configuration as far as access to the Subversion repository goes.
 == Configure the Trac access rules ==
+== Configure the Trac access rules
 This will set up SELinux so that the server can read and modify the trac environment.  Currently only mod_python and cgi setups are defined.
+This will set up SELinux so that the server can read and modify the Trac environment. Currently only mod_python and cgi setups are defined.
 Put the following in a new file {{{/etc/selinux/targeted/src/policy/domains/program/trac.te}}}:
 …
 # grant apache appropriate permissions
 ifdef(`apache.te', `
 # mod_python permissions
 if (trac_mod_python) {
   create_dir_file(httpd_t, trac_var_t)
+}
 # cgi permissions
 if (trac_cgi) {
   create_dir_file(httpd_sys_script_t, trac_var_t)
+}
+  # mod_python permissions
+  if (trac_mod_python) {
+    create_dir_file(httpd_t, trac_var_t)
+  }
+  # cgi permissions
+  if (trac_cgi) {
+    create_dir_file(httpd_sys_script_t, trac_var_t)
+  }
 ')
 }}}
 …
 . Declares trac_var_t as a type of file
 . Defines confiuration variable to enable various trac setups
+. Defines configuration variable to enable various Trac setups
 . Checks that the apache policy is available
 . If trac_mod_python is true, allows {{{httpd_t}}} (the apache security context) to
+. If trac_mod_python is true, then it allows {{{httpd_t}}} (the apache security context) to
     * Create, read, and write {{{trac_var_t}}} files/directories
 . If trac_cgi is true, allows {{{httpd_sys_script_t}}} (the apache cgi security context) to
+. If trac_cgi is true, then it allows {{{httpd_sys_script_t}}} (the apache cgi security context) to
     * Create, read, and write {{{trac_var_t}}} files/directories
 You can use {{{setsebool -P trac_cgi <true/false>}}} or {{{setsebool -P trac_mod_python <true/false>}}} as appropriate to enable only the configuration you are using, though there is little harm in leaving them both active.
 == Configure the Trac file contexts ==
+== Configure the Trac file contexts
+This defines which files are considered to be {{{trac_var_t}}} and
+should be placed in {{{/etc/selinux/targeted/src/policy/file_contexts/program/trac.fc}}}.  I used /var/trac to store my Trac environments, change that path
+as appropriate.
+This defines which files are considered to be {{{trac_var_t}}} and should be placed in {{{/etc/selinux/targeted/src/policy/file_contexts/program/trac.fc}}}. I used /var/trac to store my Trac environments, change that path
+as appropriate:
 {{{
 …
 You should replace {{{<python site packages dir>}}} with the output of {{{python -c 'from distutils.sysconfig import get_python_lib; print get_python_lib()'}}}
 NB. On some earlier versions of SELinux (specifically, on CentOS 4.2 or RHEL4) the texrel_shlib_t context is not valid. I replaced this with shlib_t and it seems to work OK.
+'''Note''': On some earlier versions of SELinux (specifically, on CentOS 4.2 or RHEL4) the texrel_shlib_t context is not valid. I replaced this with shlib_t and it seems to work OK.
+NB. FC4 currently has shlib_t and texrel_shlib_t as alias for lib_t.
+Also the lib_t isn't granted the rights it used to have, hence you need
+to add 'allow httpd_t self:process execheap;' to your 'local.te' file
+located in '/etc/selinux/targeted/src/policy/domains/misc'. 'make reload'
+in '/etc/selinux/targeted/src/policy' is then needed to compile and install the new policy. Failure to do so will result in clearsilver not being found when trying to log in.
+'''Note''': FC4 currently has shlib_t and texrel_shlib_t as alias for lib_t. Also the lib_t isn't granted the rights it used to have, hence you need to add 'allow httpd_t self:process execheap;' to your 'local.te' file located in '/etc/selinux/targeted/src/policy/domains/misc'. 'make reload' in '/etc/selinux/targeted/src/policy' is then needed to compile and install the new policy. Failure to do so will result in Clearsilver not being found when trying to log in.
 This does the following:
 . Anything underneath {{{/var/trac}}} (including {{{/var/trac}}} itself) is of type trac_var_t
 . {{{neo_cgi.so}}} is labeled as having text relocations which is necessary for the clearsilver module to be loaded
+. Anything underneath {{{/var/trac}}} (including {{{/var/trac}}} itself) is of type trac_var_t.
+. {{{neo_cgi.so}}} is labeled as having text relocations which is necessary for the Clearsilver module to be loaded.
+(See comment about about the texrel_shlib_t context.)
+See comment about about the texrel_shlib_t context.
 == Load the new policy ==
+== Load the new policy
 To load the new policy switch to the {{{/etc/selinux/targeted/src/policy}}} directory and run {{{make load}}} followed by {{{make install}}}.  You will then need to apply the file contexts by running {{{fixfiles restore /var/trac}}} and {{{fixfiles restore /usr/lib/python2.4/site-packages/neo_cgi.so}}} (replace the path with where ever the site-packages for the version of python you are using is).
+To load the new policy switch to the {{{/etc/selinux/targeted/src/policy}}} directory and run {{{make load}}} followed by {{{make install}}}. You will then need to apply the file contexts by running {{{fixfiles restore /var/trac}}} and {{{fixfiles restore /usr/lib/python2.4/site-packages/neo_cgi.so}}}. Replace the path with where ever the site-packages for the version of Python you are using is.
 == Troubleshooting ==
+== Troubleshooting
 If you still have problems after doing all this there are a few things you can check.
+If you still have problems after doing all this, then there are a few things you can check:
   * Apache cannot access the trac environments
     * {{{ls -lZR /var/trac}}} will tell you the file contexts for Trac's environments.  If they are not {{{system_u:object_r:trac_var_t}}} you may need to run the fixfiles bit again.
     * Make sure the files are readable by the apache user according to classic unix permissions, SELinux augments, not replaces this. (i.e. {{{chown -R apache /var/trac}}})
   * Apache cannot access the subversion repository
     * This isn't covered here, the subversion documentation (the FAQ for sure) has some information on setting up subversion with SELinux for access with apache
+  * Apache cannot access the Trac environments:
+    * {{{ls -lZR /var/trac}}} will tell you the file contexts for Trac's environments. If they are not {{{system_u:object_r:trac_var_t}}} you may need to run the fixfiles bit again.
+    * Make sure the files are readable by the Apache user according to classic unix permissions, SELinux augments, not replaces this, ie {{{chown -R apache /var/trac}}}.
+  * Apache cannot access the subversion repository:
+    * This isn't covered here, the subversion documentation (the FAQ for sure) has some information on setting up subversion with SELinux for access with Apache.
+ === alternate method ===
+There has also been some luck just by simply changing the security context using chcon to match that of apache for trac project location such as
+ # chcon -R -t httpd_sys_content_t /home/www/trac/
+=== Alternative method 1
+ === alternate method 2 ===
+There has also been some luck just by simply changing the security context using `chcon` to match that of Apache for the Trac project location such as:
+{{{#!sh
+# chcon -R -t httpd_sys_content_t /home/www/trac/
+}}}
+Newer versions of Fedora introduce a new type, httpd_sys_script_rw_t.
+To make it work with trac for every project you must do:
+{{{
 #!sh
+=== Alternative method 2
+Newer versions of Fedora introduce a new type `httpd_sys_script_rw_t`. To make it work with Trac for every project you must do:
+{{{#!sh
 chcon -R -t httpd_sys_script_rw_t /var/www/trac/project/db
 }}}
 == CentOS 6.3 ==
+== CentOS 6.3
 I found the following set of commands helpful for CentOS 6.3, using PostgreSQL as the database:
+{{{
+#!sh
+{{{#!sh
 chcon -R -t httpd_sys_content_t /var/trac/official
 chcon -R -t httpd_sys_script_rw_t /var/trac/official