I had some issues installing trac onto RHEL ES 4 this afternoon. Chalk it up to being a dumbass, or whatever, but here are the things I ended up doing.
Manually installed sqllite from source, since the -devel rpm doesn’t exist for rhes4 yet on yum.
* had to manually copy files because there is no installer script once built.
* sqllite.h to /usr/include/sqllite/, where pysqlite expects it
* binaries to /usr/bin/
* dynamic libraries from some hidden .lib directory in the build dir to /usr/lib/
Symbolic link from /usr/local/bin/python to /usr/bin/python, for some stupid installation script.
pysqlite’s link from the trac homepage goes to a completely skeleton wiki. Google for it and go to the sourceforge page instead to download the proper version.
The worst offender was that I created my trac environment outside of the already-configured DocumentRoot of apache, and COMPLETELY FORGOT ABOUT SELinux. BAD IDEA.
Of course, RHEL 4 comes with SELinux enabled if you ask for it. Part of what it does is define special contexts on files and directories by default. For example, it will set up special context xattrs on your /var/www/html directory, where your htdocs lie by default.
Of course, if you use trac-admin to create a trac env outside of the accessible directories, OR if you symbolic link to an accessible directory, you can run into issues. That’s because SELinux looks at the path the ‘apache’ user is trying to access and checks the extra context attributes after the normal Linux permissions.
It fails with a bad “[Error 13] Permission denied”, and has a nice stack trace about how it can’t access ……./trac/VERSION. What trac tries to do at that point in the code is check the VERSION file to make sure it’s the right version before proceeding. If you set the TRAC_ENV var in httpd.conf to a path that isn’t accessible to the right http server context like /var/www/html is, then apache will fail with those errors, and you’ll see the result in /var/log/messages.
If you need to change the context of a directory or file, you can use the chcon command, that works similarly to chown, with special flags for each type of xattr used by SELinux. Just read the man chcon for more.
It was nice to make this all work. Also, symbolic links may not work for your DocumentRoot, because of all this business. Remember to check your /var/log/messages, which is where SELinux denials appear by default.
And don’t be dumb like me, and completely forget that you have a new security layer in RHEL ES 4!
) and the venerable eatlunch.at.
(more…)