Fedora Linux Support Community & Resources Center

  #1  
Old 18th January 2011, 03:47 PM
ViperStrike Offline
Registered User
 
Join Date: Aug 2008
Posts: 16
SeLinux AVC Denial on svn's format file

Hello,

I'm running into some problems, and if there's anything I don't understand, it's selinux. I've installed Trac on my system, and hooked it to my SVN repository, but I keep getting AVC Denial messages whenever the Trac site is visited, saying httpd attempted getattr and read on /svn/main/format.

I'm assuming that the problem has something to do with this:

drwxrwxr-x. root svn unconfined_u:object_r:default_t:s0 svn

I'm guessing that I need to change the selinux properties there to something like system_u:object_r:??? - not sure what the last one would be.

Nor do I understand how to go about changing those. From what I've read it seems I have to use semanage to set the properties, and then restorecon to apply them?

Any assistance is appreciated.
  #2  
Old 18th January 2011, 04:30 PM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,102
Re: SeLinux AVC Denial on svn's format file

Try "chcon -t httpd_sys_content_t <file>"

This is likely not the complete fix as I'm not familiar with Trac. If you use
a svn server then things may get simpler. But for simple file reading the
files (and directory) need to be type httpd_sys_content_t, and world read
access.

If apache is going to be updating files then it needs the files labelled
with type httpd_sys_rw_content_t, and the directories world rwx unless
they are owned by the apache login (in which case only owner rwx
needed). Any files created will be owned by apache.

As a warning, you may also need to tell SELinux how to restore labels
as necessary if a relabel is done. For testing, this isn't necessary.

The SELinux alerts will include the commands needed for everything
(including the restorecon support).
  #3  
Old 18th January 2011, 06:13 PM
lcamp Offline
Registered User
 
Join Date: Dec 2010
Posts: 21
Re: SeLinux AVC Denial on svn's format file

If you can drop the audit log into a file, try:
Code:
audit2allow -M local < /tmp/avcs
where /tmp/avcs are the AVC Denial Audits of interest
Code:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp
For more information
http://docs.fedoraproject.org/en-US/...l/SELinux_FAQ/
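
An added example (not code from any poster in this thread): a shell script that summarises the httpd_t denials in a saved AVC file such as the /tmp/avcs mentioned above and prints, without running them, the semanage fcontext and restorecon commands that make a label such as httpd_sys_content_t survive a relabel. The sample records are constructed, the function names are hypothetical, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Constructed sample AVC records modelled on the denials described in the thread.
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1295365620.101:311): avc:  denied  { getattr } for  pid=2145 comm="httpd" path="/svn/main/format" dev=dm-0 ino=131090 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1295365620.102:312): avc:  denied  { read } for  pid=2145 comm="httpd" name="format" dev=dm-0 ino=131090 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1295365700.000:320): avc:  denied  { read } for  pid=901 comm="ntpd" name="drift" dev=dm-0 ino=77 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
EOF
}

# Print "perms|tclass|target_type|object" for each denial whose source domain is httpd_t.
# A record carries either path= (full path) or name= (last component only).
summarise_httpd_denials() {
  awk '
    /avc: +denied/ && /scontext=[^ ]*:httpd_t:/ {
      perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      obj = "?"; ttype = "?"; tclass = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^path=/)                    { obj = $i; sub(/^path=/, "", obj) }
        else if ($i ~ /^name=/ && obj == "?") { obj = $i; sub(/^name=/, "", obj) }
        else if ($i ~ /^tcontext=/)           { split($i, c, ":"); ttype = c[3] }
        else if ($i ~ /^tclass=/)             { tclass = $i; sub(/^tclass=/, "", tclass) }
      }
      gsub(/"/, "", obj)
      print perms "|" tclass "|" ttype "|" obj
    }'
}

# Print (do not execute) the commands that record a file-context rule for a
# directory tree and then apply it. $1 = directory, $2 = type (optional,
# defaults to the read-only web content type named in the thread).
label_commands() {
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "${2:-httpd_sys_content_t}" "${1%/}"
  printf 'restorecon -Rv %s\n' "${1%/}"
}

# Summarise the sample denials, then show the commands to review for /svn.
sample_avcs | summarise_httpd_denials
label_commands /svn
```

If httpd has to write to the tree, pass httpd_sys_rw_content_t as the second argument to label_commands.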
  #4  
Old 18th January 2011, 06:37 PM
szilagyic Offline
Registered User
 
Join Date: Aug 2008
Posts: 192
Re: SeLinux AVC Denial on svn's format file

Here's some additional info and overview of SELinux:

http://www.zdnet.co.uk/blogs/the-ope...fied-10020823/
  #5  
Old 18th January 2011, 08:41 PM
Smoking Tux Online
Registered User
 
Join Date: Jan 2011
Location: /home
Posts: 267
Re: SeLinux AVC Denial on svn's format file

In addition to lcamp's post, in general it's mostly very useful to see the output of:
Code:
# audit2allow -a
So you will receive much more info about what occurred.

Furthermore, you can install the package 'setroubleshoot', which will annoy you with a popup every time an error occurs. Its output is similar to the cmd above.

Last edited by Smoking Tux; 18th January 2011 at 08:45 PM. Reason: typo
  #6  
Old 18th January 2011, 10:57 PM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,102
Re: SeLinux AVC Denial on svn's format file

In addition to having it pop up with the error, you can more easily
see what was done at the moment the error was detected. Since there
can be a rather sizeable distance (event-wise) between action and error,
it gives a better feel for what happens.
  #7  
Old 20th January 2011, 05:49 PM
ViperStrike Offline
Registered User
 
Join Date: Aug 2008
Posts: 16
Re: SeLinux AVC Denial on svn's format file

Thanks guys - jpollard's post is actually what ended up solving the issue. I had to go and change the type on several other files as well before it actually stopped complaining. Much obliged.