Xapian discuss - Nov 2013 - SELinux and search permissions

I am running xapian and omega  on a Centos 6.4 SELinux enabled box.

When I do a search I get the following message:
Exception: Couldn't read format template `query' (Permission denied)

If I disable SELinux the search executes correctly.
I have enabled the httpd_enable_cgi boolean but that still does not allow the
permissions needed.

What else do I need to configure in SELinux for xapian and omega to work?

Thanks

On Thu, Nov 21, 2013 at 05:38:57PM +0000, Marc Fromm
wrote:
> I am running xapian and omega  on a Centos 6.4 SELinux enabled box.
> 
> When I do a search I get the following message:
> Exception: Couldn't read format template `query' (Permission
denied)
> 
> If I disable SELinux the search executes correctly.
> I have enabled the httpd_enable_cgi boolean but that still does not
> allow the permissions needed.
> 
> What else do I need to configure in SELinux for xapian and omega to work?
The omega CGI program needs to be able to read its template files,
which are probably being read from this directory:

/var/lib/omega/templates

If you run it under strace you can see the filenames it tries to open.

I don't know enough about SELinux to say exactly how you'd configure
that to be allowed though.  If you work out the required runes, please
add them to the wiki, or report back here.

Cheers,
    Olly

The fix for me was to change the security context from "var_lib_t" to
"httpd_sys_content_t" to allow apache access t the templates and
default directories.

semanage fcontext -a -t httpd_sys_content_t
"/var/lib/omega/templates(/.*)?"
restorecon -R -v /var/lib/omega/templates

semanage fcontext -a -t httpd_sys_content_t 
"/var/lib/omega/data/default(/.*)?"
restorecon -R -v /var/lib/omega/data/default


-----Original Message-----
From: Olly Betts [mailto:olly at survex.com] 
Sent: Monday, November 25, 2013 10:14 PM
To: Marc Fromm
Cc: xapian-discuss at lists.xapian.org
Subject: Re: [Xapian-discuss] SELinux and search permissions

On Thu, Nov 21, 2013 at 05:38:57PM +0000, Marc Fromm
wrote:
> I am running xapian and omega  on a Centos 6.4 SELinux enabled box.
> 
> When I do a search I get the following message:
> Exception: Couldn't read format template `query' (Permission
denied)
> 
> If I disable SELinux the search executes correctly.
> I have enabled the httpd_enable_cgi boolean but that still does not 
> allow the permissions needed.
> 
> What else do I need to configure in SELinux for xapian and omega to work?
The omega CGI program needs to be able to read its template files, which are
probably being read from this directory:

/var/lib/omega/templates

If you run it under strace you can see the filenames it tries to open.

I don't know enough about SELinux to say exactly how you'd configure
that to be allowed though.  If you work out the required runes, please add them
to the wiki, or report back here.

Cheers,
    Olly