If you're not seeing any errors in your audit logs, you can temporarily disable the don't audit rules by executing:
# semodule -DB
It may also be nice to allow Apache to run in permissive mode while you're trying to troubleshoot. This would replace any use of setenforce 0. Just remember to put it back when you're done troubleshooting
# semanage permissive -a httpd_t
When you've done that, share any AVCs that you get.
# ausearch -m avc,user_avc -ts recent
On Tue, Sep 22, 2015 at 12:51 PM Matthew Saltzman mjs@clemson.edu wrote:
Subgit (www.subgit.com) is a system for reflecting Subversion repository changes to a Git mirror or vice versa. In the former case, it uses a pre-commit script to spawn a Java daemon that monitors and mirrors the updates.
When run in enforcing mode, the daemon fails to start and the commit fails when the spawn attempt times out. No error appears in the audit log.
When run in permissive mode, the spawn succeeds d the commit works. The program that is supposed to spawn the daemon has context
system_u:object_r:httpd_sys_script_exec_t:s0
The directory where the PID file is supposed to write its lock file is
The error reported by Subgit on failure is:
Failed to launch background translation process: timeout waiting for pid file '/var/www/svn/FlopC++/subgit/daemon.pid
(FlopC++ is the repository name).
What policy change do I need to implement to make this work in enforcing mode? Or how can I debug the process and what information should I bring to the list for help?
Thanks in advance.
-- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux