RT 3.2.2, FastCGI, FC3

Hi Everyone,

I’ve been running RT 3.0.9 with FastCGI on a FC1 system happily. I’m
now moving to RT 3.2.2 with FastCGI on a FC3 system.

I’ve read the docs on the Wiki, and like on my FC1 server, want to run
RT with suexec. I believe I’ve set up Apache correctly, however, I’m
running into a selinux problem.

Here are the lines from the apache log:

[Sun Jan 30 18:53:31 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Jan 30 18:53:33 2005] [notice] Digest: generating secret for digest authentication …
[Sun Jan 30 18:53:33 2005] [notice] Digest: done
[Sun Jan 30 18:53:33 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Jan 30 18:53:33 2005] [notice] LDAP: SSL support unavailable
[Sun Jan 30 18:53:33 2005] [notice] FastCGI: wrapper mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Jan 30 18:53:33 2005] [notice] FastCGI: process manager initialized (pid 32601)
[Sun Jan 30 18:53:33 2005] [warn] FastCGI: server "/var/www/rt/mason_handler.fcgi" (uid 48, gid 48) started (pid 32602)
failed to open log file
fopen: Permission denied

And here’s the reason why permission was denied:

avc: denied { write } for pid=32659 exe=/usr/sbin/suexec name=httpd dev=dm-5 ino=129038 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir

I’m sure I can solve this by adding the Apache user as a member of the
rt group, but I’d rather not. I’ve tried changing the security context,
but that hasn’t helped either (I’m not a selinux guru…I can work with
it on a basic level).

Does anyone else here have RT 3.2.2 running with FastCGI on a FC3
machine, preferably with suexec?

For good measure, the Virtualhost entry in httpd.conf:

Request Tracker

FastCgiWrapper /usr/sbin/suexec
FastCgiIpcDir /tmp
FastCgiServer /var/www/rt/mason_handler.fcgi -idle-timeout 300 -processes 4 -init-start-delay 5

ServerName blah.blah.com
ServerAlias blah
ErrorLog /var/log/httpd/error_log_rt
CustomLog /var/log/httpd/access_log_rt combined
DocumentRoot /var/www/rt/share/html
SuExecUserGroup root rt
 # these lines apply to Apache2+mod_fastcgi: {{{
 AddHandler fastcgi-script fcgi
 Alias /NoAuth/images/ /var/www/rt/share/html/NoAuth/images/
 ScriptAlias / /var/www/rt/mason_handler.fcgi/
 # }}}

 <Location />
         SetHandler fastcgi-script
         AddDefaultCharset UTF-8
 </Location>

Thanks in advance.

Regards,

Ranbir
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
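
The denial quoted in the message above can be read field by field. This is an added example, not part of the original posts: it splits an AVC line into permission, executable, object name, source type, target type and object class. The function names `parse_avc` and `explain_avc` are chosen here, and handling of quoted values and a fourth (MLS) context field goes beyond the FC3 line shown.

```shell
#!/bin/sh
# Added example (not from the thread): parse an SELinux AVC denial line.
# parse_avc / explain_avc are hypothetical helper names.

# parse_avc LINE -> "perms|exe|name|source_type|target_type|tclass"
# Missing fields are reported as "-". Returns 1 if LINE is not a denial.
parse_avc() {
    printf '%s\n' "$1" | awk '
    /avc:[ ]+denied/ {
        perms = $0
        sub(/^.*[{][ ]*/, "", perms)      # drop everything up to "{"
        sub(/[ ]*[}].*$/, "", perms)      # drop "}" and the rest
        gsub(/[ ]+/, ",", perms)          # "read write" -> "read,write"
        exe = name = src = tgt = cls = "-"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)            # newer audit logs quote values
            if (key == "exe") exe = val
            else if (key == "name") name = val
            else if (key == "tclass") cls = val
            # context is user:role:type[:level]; the type is field 3
            else if (key == "scontext") { split(val, c, ":"); src = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
        }
        print perms "|" exe "|" name "|" src "|" tgt "|" cls
        found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# explain_avc LINE -> one-sentence reading of the denial
explain_avc() {
    fields=$(parse_avc "$1") || { echo "not an AVC denial"; return 1; }
    IFS='|' read -r perms exe name src tgt cls <<EOF
$fields
EOF
    echo "domain $src ($exe) was denied {$perms} on $cls '$name' labelled $tgt"
}

# The denial from the first message, joined onto one line.
SAMPLE='avc: denied { write } for pid=32659 exe=/usr/sbin/suexec name=httpd dev=dm-5 ino=129038 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir'
explain_avc "$SAMPLE"
```

The output names the two SELinux types involved, which shows the denial is a type-enforcement decision between the suexec domain and the log directory's label rather than a Unix ownership or group check.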

> I’m sure I can solve this by adding the Apache user as a member of the
> rt group, but I’d rather not. I’ve tried changing the security context,
> but that hasn’t helped either (I’m not a selinux guru…I can work with
> it on a basic level).

Replying to myself…

I tried adding the apache user to the rt group, but this just fired up
selinux again with more errors.

Do I have to tell selinux to ignore these errors or can I make RT play
nicely with selinux enabled?

I’m sure there are other people on this list that would have run into
this same problem. However, I can’t seem to recall reading any messages
to this list about selinux on a FC3 system.

Again, thanks in advance for any tips.

Regards,

Ranbir
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com

Replying to myself again:

I gave up with FastCGI. If it works with selinux, I couldn’t figure it
out. I even posted to the fedora-selinux mailing list and received help
from Colin Walters, but it didn’t get me any farther.

I ended up installing modperl2 support for RT, and everything is running
fine. There was one small hiccup with a shared library not being
loaded, but I resolved that by running “restorecon” on it:

[error] Can’t load ‘/usr/lib/perl5/5.8.5/i386-linux-thread-multi/auto/MIME/Base64/Base64.so’

Here’s what I did to fix the above error:

[root@mothership bin]# ls -Z /usr/lib/perl5/5.8.5/i386-linux-thread-multi/auto/MIME/Base64/Base64.so

-r-xr-xr-x root root root:object_r:lib_t /usr/lib/perl5/5.8.5/i386-linux-thread-multi/auto/MIME/Base64/Base64.so

[root@mothership bin]# restorecon /usr/lib/perl5/5.8.5/i386-linux-thread-multi/auto/MIME/Base64/Base64.so

[root@mothership bin]# ls -Z /usr/lib/perl5/5.8.5/i386-linux-thread-multi/auto/MIME/Base64/Base64.so

-r-xr-xr-x root root system_u:object_r:shlib_t /usr/lib/perl5/5.8.5/i386-linux-thread-multi/auto/MIME/Base64/Base64.so

Hope this helps someone in the future…

Regards,

Ranbir
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com