
Aaaaaaaaaaaargh SELinux!

Posted on 06 January 2009 by Demian Turner

Installing Trac is not something I usually worry about: I must have installed it around 20 times, from version 0.9 up to the latest release, on most flavours of Linux, on OS X and recently on Windows. It used to be tough to set up, but the package has been greatly improved over the years.

And what great software it is, by the way; I can't say enough good things about Trac, which I've been running all my projects on for around the last 4 years.

But I recently got a new dedicated box running Fedora Core 9 (32 bit). I had already installed Trac twice on this OS, and it's one of the smoothest platform/software combos. This time, however, something went wrong: the app complained that root needed permission to write to the DB file. Considering I had set up Trac to run under Apache's mod_python module, this seemed a little strange. Stranger still, Google returned absolutely ZERO results for the error message I was getting:

The user root requires read _and_ write permission to the database file 

The log file set to DEBUG also failed to shed any light. I tried giving root every possible permission on the DB file and its parent folder, but the above error persisted.

After banging my head against the wall it struck me that maybe my new hosting provider had enabled SELinux by default, something I always take special precautions to disable right off the bat, having struggled with it in the past. That would explain the symptom: SELinux decides on the security contexts of the process (Apache runs as httpd_t under the targeted policy) and of the file, independently of the ordinary owner and mode bits, so no amount of chmod or chown helps. The application just sees a plain permission error, and the real reason is logged as an AVC denial in /var/log/audit/audit.log rather than in the application's own log.

A prompt reply from RapidSwitch confirmed that it was indeed enabled, and disabling it was a quick job.

You can check the mode SELinux is configured to boot into in its configuration file (on Fedora, /etc/sysconfig/selinux is a symlink to /etc/selinux/config):

/etc/sysconfig/selinux

You can then enable or disable it by editing this file; the setting is read at boot, so a reboot is needed for the change to take effect. The contents of the file look like this on Fedora:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

Needless to say, problem solved!
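As an added example (not code from the original post), here is a small POSIX shell script that reads and rewrites the SELINUX= line of that file safely, reports the running mode via getenforce where it is installed, and pulls httpd's AVC denials out of an audit log, which is where the kernel records exactly what SELinux refused. The config contents and the AVC line it works on are constructed for the demo, and the contexts in the AVC line are an assumption about what a Trac database served by Apache might look like, not something taken from the box in the post:

```shell
#!/bin/sh
# Added example (not from the original post): helpers for checking the
# SELinux mode recorded in the config file, changing it, and spotting the
# denial a practitioner would look for before disabling SELinux outright.
# Paths and the sample audit line are assumptions constructed for the demo.

# Configured (boot-time) mode: the last uncommented SELINUX= line wins.
# Prints enforcing, permissive or disabled.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line to a valid mode, leaving SELINUXTYPE= and the
# comment lines untouched. Writes via a temp file so a failed sed cannot
# truncate the config. Point it at the real file (/etc/selinux/config),
# not the /etc/sysconfig symlink, because mv replaces the path it is given.
set_selinux_config_mode() {
    file=$1
    mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_config_mode: invalid mode '$mode'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Running mode, which can differ from the config file until the next boot
# (or until someone runs setenforce). Degrades gracefully on hosts
# without the SELinux userland.
selinux_live_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo "unknown (getenforce not installed)"
    fi
}

# Extract "<permission> <object>" from AVC denials attributed to httpd in
# an audit log. This is the check that explains a permission error which
# chmod/chown cannot fix.
httpd_avc_denials() {
    grep 'avc:  denied' "$1" | grep 'comm="httpd"' |
        sed -n 's/.*denied  { \([a-z_ ]*\) } for .* name="\([^"]*\)".*/\1 \2/p'
}

# --- demo on constructed input -------------------------------------------
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
# constructed copy of the Fedora file shown in the post
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

demo_audit=$(mktemp)
# Constructed AVC line in audit.log format; the contexts are an assumption
# about what a Trac database written by Apache might look like.
cat > "$demo_audit" <<'EOF'
type=AVC msg=audit(1231257600.123:42): avc:  denied  { write } for  pid=1234 comm="httpd" name="trac.db" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF

echo "configured mode: $(selinux_config_mode "$demo_config")"   # enforcing
echo "running mode:    $(selinux_live_mode)"
echo "httpd denials:   $(httpd_avc_denials "$demo_audit")"      # write trac.db

# Prefer permissive over disabled: files keep getting labelled, so going
# back to enforcing later does not require a full relabel of the box.
set_selinux_config_mode "$demo_config" permissive
echo "configured mode: $(selinux_config_mode "$demo_config")"   # permissive

rm -f "$demo_config" "$demo_audit"
```

Run it as a normal user; it only touches temp files. On a real box you would point the same functions at /etc/selinux/config and /var/log/audit/audit.log, and the denial line tells you whether the fix is relabelling the Trac directory (restorecon) or flipping an httpd boolean (setsebool) rather than turning SELinux off.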

I hope there will be at least 1 Google result now 😉

NB: I recently used a pretty handy recipe, HOWTO install Trac on Fedora Core 9; it needs some adaptation, which I hope to post soon.


6 Comments For This Post

  1. Rob Wilkerson Says:

    SELinux is one of the most frustrating security devices I've ever encountered. Like you, I make it the first thing I disable when installing a new RH-based distro, where they seem to like it enabled by default. It's been a while since my last install, but I believe my last few had an installer option to dis/enable it.

    Maybe it’s because I’ve never really understood it (I can honestly say that I have no real sense of how it does what it does), but I’ve run into far more issues with it over the years than it’s worth. Since most of my installs are internal and require no aggressive security, I have the luxury of being able to simply turn it off. :-)

  2. David Keen Says:

    Yeah SELinux is fun!

    You can get the current SELinux status (which may be different from what’s in the config file) by running ‘getenforce’.

    You can also set it like this: ‘setenforce permissive’.

    This takes effect immediately so is easier for testing than changing the config file and rebooting (although you still need to change the config file to make it permanent.)

    Also, if you want to disable SELinux, I’d recommend setting it to permissive rather than disabled. If you disable SELinux completely and then decide you want it at a later date any new files won’t have the right context and lots of stuff will break in a most exciting way. You would then need to do a complete relabel.

  3. Demian Turner Says:

    @Rob Wilkerson

    Same here w.r.t. disabling it when it comes to local Fedora/RH installs I set up from scratch, but the gotcha here was that the hosting provider enabled it by default. Of the 5 or so commercial boxes I've set up in the last 12 months, none had it enabled by default. Makes me wonder if this is a Fedora precedent?

  4. Demian Turner Says:

    @David Keen

    Hey, thanks for the info Dave; as an SELinux abstainer I can honestly say this is the first thing I've learned about it 😉

    I will investigate 'permissive'. What is complete relabelling?

  5. David Keen Says:

    The only time you would really need to relabel a complete file system is when enabling SELinux for the first time or if you have disabled it and then want to enable it at a later date. It just makes sure all files have the correct SELinux context.

    The easiest way to do it is to ‘touch /.autorelabel’ and then reboot.

    I agree SELinux can be confusing but it is actually a Good Thing, if you want to spend the time learning about it. To be honest you can get a long way with just the basics. The policies in Fedora have improved a great deal since it was first introduced and a lot of things can be fixed by setting booleans. Try ‘getsebool -a’ and ‘man setsebool’.

    Also Fedora 10 has a good SELinux assistant if you are running a GUI which will pop up a warning when an access has been denied and will suggest the right command to run to fix the problem.

    But yeah, it’s often easiest to just set it to permissive and ignore it. 😉

  6. Don Champlin Says:

    One of the true tests of leadership could be the capability to recognize a difficulty before it becomes an emergency.
    I purchase when others sell.
