Question
I'm stumped.
I have installed TWiki on Fedora Core 3 following the instructions, but the testenv script reports that the directories /var/www/twiki/pub and /var/www/twiki/data are not writeable by user apache.
I have double, triple, and quadruple checked the permissions on the directories and checked the paths set in TWiki.cfg.
In addition, when I try to access http://njohnsn.com/twiki/bin/view I get the following error message:
Template file view.tmpl not found or template directory /var/www/twiki/templates not found.
Check the $templateDir variable in TWiki.cfg.
I didn't have these issues when running under Mandrake 9.2. Could this be a Fedora issue?
--
NeilJohnson - 05 Dec 2004
Answer
Could it be that you have the SE Linux feature of FC3 enabled? This is turned on by default in FC3 whereas it was not enabled in FC2, and can radically change what's allowed to be done without changing any Unix/Linux permissions on files. See this article for some details, and then have a chat to the FC3 people on IRC/email perhaps.
Useful link on Apache and SELinux in FC3: http://thinkmuch.com/blog/archives/2004/11/17/apache-httpd-403-errors-selinux-in-fc3/
--
RichardDonkin - 08 Dec 2004
RichardDonkin is correct, it is an issue with the SE Linux configuration on Fedora Core 3.
FC2 did not implement SE Linux by default; FC3 does for several network applications (httpd, dhcpd, named, etc.).
Welcome to a brave new world and prepare to forget everything you know about the Unix permissions model.
Create the file /etc/selinux/targeted/src/policy/domains/misc/local.te (you may have to install the source package for the FC3 SE Linux targeted policy).
It should contain the following:
allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;
allow httpd_sys_script_t ls_exec_t:file getattr;
allow httpd_sys_script_t sbin_t:file getattr;
allow httpd_sys_script_t tmp_t:lnk_file read;
Then you need to cd to /etc/selinux/targeted/src/policy and run make reload. This will install the SE Linux policies in the file above so TWiki can work.
Install TWiki per the instructions in the documentation.
Then you will need to perform the following chcon commands (in order) to set the SELinux permissions on the TWiki files and directories.
chcon -R -u system_u -t httpd_sys_content_t /var/www/twiki
chcon -R -t httpd_sys_script_exec_t /var/www/twiki/bin /var/www/twiki/templates /var/www/twiki/lib
chcon -R -t httpd_sys_script_rw_t /var/www/twiki/data /var/www/twiki/pub
I need to do more testing (user authentication), but this should get you started.
What a pain!
--
NeilJohnson - 10 Dec 2004
Thanks for the update - does sound like a pain, but presumably the result is a significantly more secure server.
--
RichardDonkin - 10 Dec 2004
I have been experiencing a similar problem with RedHat Enterprise Linux 4 (RHEL4). The only difference is that although SELinux does output a lot of warnings, it doesn't seem to be breaking anything in TWiki.
I did follow the instructions provided by NeilJohnson above and they helped eliminate most of the warnings, but not all. I'm still getting warnings from oops and login scripts.
I'll try to find the problem and I'll post a note if I have progress.
--
RicardoScachettiPereira - 20 Apr 2006
I had some progress today tweaking my RHEL4 SELinux policies and got rid of all SELinux warnings caused by both login and oops scripts. I just added the following line to the local.te file and ran make reload:
allow httpd_sys_script_t httpd_tmp_t:file { r_file_perms unlink write };
Apparently, this line gives Apache CGI scripts permission to read, write, and delete files in the /tmp directory.
The whole problem was that the oops script was trying to read from, write to and delete temporary CGI session files stored in /tmp.
I'm just not sure whether this change is too permissive.
--
RicardoScachettiPereira - 21 Apr 2006
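
An added example, not part of the thread and not TWiki or Fedora code: before widening local.te, it helps to see exactly which permissions SELinux denied to the CGI domain. This Python code groups AVC denial lines for httpd_sys_script_t and emits the narrowest allow rules that cover them; the log lines are constructed samples in the FC3/RHEL4-era kernel log format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (FC3/RHEL4-era format); not taken from the thread.
SAMPLE_LOG = """\
audit(1145620000.101:0): avc:  denied  { read } for  pid=4021 exe=/usr/bin/perl name=cgisess_1a2b dev=hda2 ino=5012 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file
audit(1145620000.140:0): avc:  denied  { write } for  pid=4021 exe=/usr/bin/perl name=cgisess_1a2b dev=hda2 ino=5012 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file
audit(1145620003.310:0): avc:  denied  { unlink } for  pid=4021 exe=/usr/bin/perl name=cgisess_1a2b dev=hda2 ino=5012 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file
audit(1145620010.500:0): avc:  denied  { getattr } for  pid=4030 exe=/usr/bin/perl path=/bin/ls dev=hda2 ino=77 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:ls_exec_t tclass=file
audit(1145620011.900:0): avc:  denied  { write } for  pid=812 exe=/usr/sbin/named name=named.conf dev=hda2 ino=90 scontext=system_u:system_r:named_t tcontext=system_u:object_r:etc_t tclass=file
"""

# Captures the denied permissions, the type field of both contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>\w+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>\w+).*?"
    r"tclass=(?P<cls>\w+)"
)

def collect_denials(log_text, domain="httpd_sys_script_t"):
    """Return {(source_type, target_type, class): set_of_perms} for one domain."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("src") == domain:  # ignore other confined daemons
            key = (m.group("src"), m.group("tgt"), m.group("cls"))
            denied[key].update(m.group("perms").split())
    return dict(denied)

def to_allow_rules(denied):
    """Render one allow rule per (source, target, class), listing only denied perms."""
    rules = []
    for (src, tgt, cls), perms in sorted(denied.items()):
        joined = " ".join(sorted(perms))
        body = joined if len(perms) == 1 else "{ %s }" % joined
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules

if __name__ == "__main__":
    for rule in to_allow_rules(collect_denials(SAMPLE_LOG)):
        print(rule)
```

Comparing the generated rules with what is already in local.te shows whether a hand-written rule grants more than the scripts were actually denied.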