If you're not seeing any errors in your audit logs, you can temporarily disable the don't audit rules by executing:

# semodule -DB

It may also be nice to allow Apache to run in permissive mode while you're trying to troubleshoot. This would replace any use of setenforce 0. Just remember to put it back when you're done troubleshooting.

# semanage permissive -a httpd_t


When you've done that, share any AVCs that you get.

# ausearch -m avc,user_avc -ts recent

On Tue, Sep 22, 2015 at 12:51 PM Matthew Saltzman <mjs@clemson.edu> wrote:
Subgit (www.subgit.com) is a system for reflecting Subversion
repository changes to a Git mirror or vice versa. In the former case,
it uses a pre-commit script to spawn a Java daemon that monitors and
mirrors the updates.

When run in enforcing mode, the daemon fails to start and the commit
fails when the spawn attempt times out. No error appears in the audit
log.

When run in permissive mode, the spawn succeeds and the commit works. The
program that is supposed to spawn the daemon has context

    system_u:object_r:httpd_sys_script_exec_t:s0

The directory where the PID file is supposed to write its lock file is

The error reported by Subgit on failure is:

    Failed to launch background translation process: timeout waiting
    for pid file '/var/www/svn/FlopC++/subgit/daemon.pid

(FlopC++ is the repository name).

What policy change do I need to implement to make this work in
enforcing mode? Or how can I debug the process and what information
should I bring to the list for help?

Thanks in advance.

--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Jeremy Young
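
The three steps from the reply above, wrapped so that the debugging state is always undone on exit. This is an added example, not part of the thread; the restore commands (`semanage permissive -d`, `semodule -B`), the function names and the `DRY_RUN` switch are additions, not from the original message.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root on the affected host:
#   sh selinux-debug.sh session
# DRY_RUN=1 prints the commands instead of executing them (assumed helper switch).

DOMAIN="${DOMAIN:-httpd_t}"   # the domain made permissive in the reply

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Steps from the reply: rebuild policy without dontaudit rules so hidden
# denials are logged, and make only DOMAIN permissive (not the whole system).
debug_on() {
    run semodule -DB
    run semanage permissive -a "$DOMAIN"
}

# Restore: put DOMAIN back in enforcing and rebuild policy with dontaudit rules.
debug_off() {
    run semanage permissive -d "$DOMAIN"
    run semodule -B
}

# Collect the AVCs to share on the list.
collect_avcs() {
    run ausearch -m avc,user_avc -ts recent
}

# Full session: enable, let the operator reproduce the failure, collect, restore.
session() {
    trap debug_off EXIT          # restore runs however the session ends
    trap 'exit 1' INT TERM       # route Ctrl-C through the EXIT trap
    debug_on
    printf 'Reproduce the failing commit, then press Enter: ' >&2
    read -r reply || true
    collect_avcs
}

if [ "${1:-}" = "session" ]; then
    session
fi
```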