[[PageOutline(2-5,Contents,pullout)]]

= Trac on SELinux

Trac won't work out of the box on [wikipedia:Security-Enhanced_Linux SELinux] enabled systems. The reason is that even if you chown the Trac environment to Apache, it still won't be allowed to write there. These steps should help you get a working install without having to disable SELinux.

I was using the targeted policy on an installation of Fedora Core 4 Test 3, so paths might be specific to this configuration. You'll also need to install the '''selinux-policy-targeted-sources''' package to make use of the rules here.

I found that using {{{/var/www/svn}}} as the base dir for Subversion repositories (as per the comments in {{{/etc/httpd.d/subversion.conf}}}) eliminated the need for any extra configuration as far as access to the Subversion repository goes.

== Configure the Trac access rules

This will set up SELinux so that the server can read and modify the Trac environment. Currently only mod_python and CGI setups are defined. Put the following in a new file {{{/etc/selinux/targeted/src/policy/domains/program/trac.te}}}:

{{{
# trac domains
type trac_var_t, file_type, sysadmfile;

# enable trac under mod_python
bool trac_mod_python true;

# enable trac as cgi
bool trac_cgi true;

# grant apache appropriate permissions
ifdef(`apache.te', `
# mod_python permissions
if (trac_mod_python) {
create_dir_file(httpd_t, trac_var_t)
}

# cgi permissions
if (trac_cgi) {
create_dir_file(httpd_sys_script_t, trac_var_t)
}
')
}}}

This configuration:
 1. Declares {{{trac_var_t}}} as a file type.
 1. Defines boolean configuration variables to enable the various Trac setups.
 1. Checks that the Apache policy is available.
 1. If {{{trac_mod_python}}} is true, allows {{{httpd_t}}} (the Apache security context) to:
   * Create, read, and write {{{trac_var_t}}} files/directories
 1. If {{{trac_cgi}}} is true, allows {{{httpd_sys_script_t}}} (the Apache CGI security context) to:
   * Create, read, and write {{{trac_var_t}}} files/directories

You can use {{{setsebool -P trac_cgi}}} or {{{setsebool -P trac_mod_python}}} as appropriate to enable only the configuration you are using, though there is little harm in leaving them both active.

== Configure the Trac file contexts

This defines which files are considered to be {{{trac_var_t}}} and should be placed in {{{/etc/selinux/targeted/src/policy/file_contexts/program/trac.fc}}}. I used {{{/var/trac}}} to store my Trac environments; change that path as appropriate:

{{{
/var/trac(/.*)? system_u:object_r:trac_var_t
/neo_cgi.so system_u:object_r:texrel_shlib_t
}}}

You should replace {{{}}} with the output of {{{python -c 'from distutils.sysconfig import get_python_lib; print get_python_lib()'}}}

'''Note''': On some earlier versions of SELinux (specifically, on CentOS 4.2 or RHEL4) the {{{texrel_shlib_t}}} context is not valid. I replaced this with {{{shlib_t}}} and it seems to work OK.

'''Note''': FC4 currently has {{{shlib_t}}} and {{{texrel_shlib_t}}} as aliases for {{{lib_t}}}. Also, {{{lib_t}}} isn't granted the rights it used to have, hence you need to add {{{allow httpd_t self:process execheap;}}} to your {{{local.te}}} file located in {{{/etc/selinux/targeted/src/policy/domains/misc}}}. {{{make reload}}} in {{{/etc/selinux/targeted/src/policy}}} is then needed to compile and install the new policy. Failure to do so will result in Clearsilver not being found when trying to log in.

This does the following:
 1. Anything underneath {{{/var/trac}}} (including {{{/var/trac}}} itself) is of type {{{trac_var_t}}}.
 1. {{{neo_cgi.so}}} is labeled as having text relocations, which is necessary for the Clearsilver module to be loaded. See the note above about the {{{texrel_shlib_t}}} context.

== Load the new policy

To load the new policy, switch to the {{{/etc/selinux/targeted/src/policy}}} directory and run {{{make load}}} followed by {{{make install}}}.

You will then need to apply the file contexts by running {{{fixfiles restore /var/trac}}} and {{{fixfiles restore /usr/lib/python2.4/site-packages/neo_cgi.so}}}. Replace the path with wherever the site-packages directory for the version of Python you are using is.

== Troubleshooting

If you still have problems after doing all this, there are a few things you can check:

 * Apache cannot access the Trac environments:
   * {{{ls -lZR /var/trac}}} will tell you the file contexts for Trac's environments. If they are not {{{system_u:object_r:trac_var_t}}} you may need to run the fixfiles step again.
   * Make sure the files are readable by the Apache user according to classic Unix permissions; SELinux augments, not replaces, these, e.g. {{{chown -R apache /var/trac}}}.
 * Apache cannot access the Subversion repository:
   * This isn't covered here; the Subversion documentation (the FAQ for sure) has some information on setting up Subversion with SELinux for access with Apache.

=== Alternative method 1

Some people have also had luck simply changing the security context with `chcon` to match that of Apache for the Trac project location, such as:

{{{#!sh
# chcon -R -t httpd_sys_content_t /home/www/trac/
}}}

=== Alternative method 2

Newer versions of Fedora introduce a new type `httpd_sys_script_rw_t`. To make it work with Trac, for every project you must do:

{{{#!sh
chcon -R -t httpd_sys_script_rw_t /var/www/trac/project/db
}}}

== CentOS 6.3

I found the following set of commands helpful for CentOS 6.3, using PostgreSQL as the database:

{{{#!sh
chcon -R -t httpd_sys_content_t /var/trac/official
chcon -R -t httpd_sys_script_rw_t /var/trac/official
setsebool -P httpd_can_network_connect on
}}}
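The file-context entries from the "Configure the Trac file contexts" section, produced by a small POSIX shell script. This is an added example and not part of the original page: it assumes the paths used on this page ({{{/var/trac}}} and {{{/usr/lib/python2.4/site-packages}}}) and a constructed list of policy type names standing in for {{{seinfo -t}}} output. It makes two points explicit that the section leaves implicit: file_contexts patterns are regular expressions, so a literal dot in a path is escaped, and the type given to neo_cgi.so is chosen with the fallback the notes describe (texrel_shlib_t, else shlib_t, else lib_t).

```sh
#!/bin/sh
# Added example (not from the wiki page): generate the two trac.fc lines.
# Assumptions: TRAC_DIR and SITE_PACKAGES are the paths used on this page;
# POLICY_TYPES is a constructed stand-in for `seinfo -t` output.

fc_escape() {
    # file_contexts patterns are regular expressions: a literal "." in a
    # path must be written "\." or it would also match any other character
    printf '%s' "$1" | sed 's/\./\\./g'
}

pick_shlib_type() {
    # $1 = newline-separated list of type names known to the loaded policy.
    # Prefer texrel_shlib_t (neo_cgi.so has text relocations); on policies
    # that lack it (the CentOS 4.2 / RHEL4 note above) fall back to shlib_t,
    # and finally to lib_t, which both are aliases of on FC4.
    for t in texrel_shlib_t shlib_t lib_t; do
        if printf '%s\n' "$1" | grep -qx "$t"; then
            printf '%s\n' "$t"
            return 0
        fi
    done
    return 1
}

make_trac_fc() {
    # $1 = Trac environments dir, $2 = python site-packages dir,
    # $3 = type to give neo_cgi.so; prints the trac.fc contents
    printf '%s(/.*)?\tsystem_u:object_r:trac_var_t\n' "$(fc_escape "$1")"
    printf '%s/neo_cgi\\.so\tsystem_u:object_r:%s\n' "$(fc_escape "$2")" "$3"
}

TRAC_DIR=/var/trac
SITE_PACKAGES=/usr/lib/python2.4/site-packages
# constructed: what `seinfo -t` might list on a policy without texrel_shlib_t
POLICY_TYPES='httpd_t
httpd_sys_script_t
lib_t
shlib_t'

SHLIB_TYPE=$(pick_shlib_type "$POLICY_TYPES") || SHLIB_TYPE=lib_t
make_trac_fc "$TRAC_DIR" "$SITE_PACKAGES" "$SHLIB_TYPE"
```

Redirect the output into the trac.fc path from the section above, then continue with {{{make load}}} / {{{make install}}} and {{{fixfiles restore}}} as described. If you prefer the unescaped form shown on the page it also works in practice, since an unescaped dot still matches a literal dot; the escaped form just cannot match anything else.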
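A check for the first Troubleshooting bullet, as an added shell example that is not part of the original page. It parses {{{ls -lZR}}}-style output (the sample lines below are constructed, in both the FC4-era format and the newer format with link count and MLS level) and reports every entry whose SELinux type or Unix owner differs from what is expected, then turns the findings into the {{{fixfiles restore}}} and {{{chown}}} commands the page uses. It assumes paths contain no spaces.

```sh
#!/bin/sh
# Added example (not from the wiki page): audit `ls -lZR` output for Trac
# files with the wrong SELinux type or Unix owner, and emit the fix-ups the
# Troubleshooting section suggests. Paths are assumed to contain no spaces.

audit_labels() {
    # $1 = expected SELinux type, $2 = expected Unix owner; ls output on stdin.
    # Handles both the old format ("-rw-r--r--  apache apache ctx name") and
    # the newer one with link count, MLS level, size and date.
    awk -v want_type="$1" -v want_owner="$2" '
        NF == 0 || $1 == "total" { next }            # blank lines, "total N"
        /^\/.*:$/ { dir = substr($0, 1, length($0) - 1); next }  # "/dir:" headers from -R
        {
            path = $NF
            if (path !~ /^\// && dir != "") path = dir "/" path
            ctx = ""
            for (i = 2; i < NF; i++)                  # find user:role:type[:level]
                if ($i ~ /^[^:]+:object_r:[^:]+/) { ctx = $i; break }
            if (ctx == "") { print "NO_CONTEXT " path; next }
            split(ctx, parts, ":")
            type = parts[3]
            owner = ($2 ~ /^[0-9]+$/) ? $3 : $2       # skip link count if present
            if (type != want_type)   print "BAD_TYPE " path " " type
            if (owner != want_owner) print "BAD_OWNER " path " " owner
        }'
}

label_problem_count() {
    # same arguments as audit_labels; prints the number of findings
    audit_labels "$@" | awk 'END { print NR }'
}

suggest_fixes() {
    # $1 = owner to chown to; reads audit_labels output and prints the
    # commands from the page: fixfiles restore for a wrong label, chown for
    # a wrong owner
    awk -v owner="$1" '
        $1 == "BAD_TYPE" || $1 == "NO_CONTEXT" { print "fixfiles restore " $2 }
        $1 == "BAD_OWNER"                      { print "chown " owner " " $2 }'
}

# constructed sample: `ls -lZR /var/trac` in the FC4-era format, with one
# directory that was copied in as root and kept the generic httpd label
SAMPLE_TRAC='/var/trac:
total 4
drwxr-xr-x  apache apache system_u:object_r:trac_var_t project

/var/trac/project:
total 12
drwxr-xr-x  apache apache system_u:object_r:trac_var_t conf
drwxr-xr-x  root   root   system_u:object_r:httpd_sys_content_t db
drwxr-xr-x  apache apache system_u:object_r:trac_var_t log

/var/trac/project/conf:
total 4
-rw-r--r--  apache apache system_u:object_r:trac_var_t trac.ini
'

# constructed sample: newer `ls -lZ` format for the Clearsilver module
SAMPLE_LIB='-rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0 310272 Apr 10  2012 /usr/lib/python2.4/site-packages/neo_cgi.so'

printf '%s' "$SAMPLE_TRAC" | audit_labels trac_var_t apache
printf '%s' "$SAMPLE_TRAC" | audit_labels trac_var_t apache | suggest_fixes apache
printf '%s\n' "$SAMPLE_LIB" | audit_labels texrel_shlib_t root
```

On a real system feed it with {{{ls -lZR /var/trac | audit_labels trac_var_t apache}}} and, for the Clearsilver module, {{{ls -lZ /usr/lib/python2.4/site-packages/neo_cgi.so | audit_labels texrel_shlib_t root}}} (or shlib_t on the older policies mentioned in the notes). Checking the owner alongside the label reflects the second bullet: a correct SELinux label does not help if classic permissions still deny Apache.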