selinux preventing Bugzilla on FC5

Objective:   Run bugzilla on FC5
Problem:     selinux is getting in the way

First I had to change the file context for all of Bugzilla
to httpd_sys_content_t, and the .cgi components to
httpd_sys_script_exec_t.  Next, I get the following when
Bugzilla tries to open a tcp socket to talk to the database:

May 11 16:26:34 bugzilla kernel: audit(1147382794.700:3): avc: denied { create } for pid=18527 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket

No problem, according to the FAQ, just make a local module with audit2allow
and install it with semodule.  Here's what actually happens:

[jhg@bugzilla ~]$ audit2allow -M local < avc.dat
Generating type enforcment file: local.te
Compiling policy
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod

******************** IMPORTANT ***********************

In order to load this newly created policy package into the kernel,
you are required to execute

semodule -i local.pp


[jhg@bugzilla ~]$ sudo semodule -i local.pp
semodule:  Could not read file 'local.pp':
[jhg@bugzilla ~]$ ls local*
local.mod  local.pp  local.te
[jhg@bugzilla ~]$

The problem is that semodule is not being allowed to read local.pp
by selinux itself:

May 11 17:36:53 bugzilla kernel: audit(1147387013.477:14): avc: denied { search } for pid=19191 comm="semodule" name="root" dev=md1 ino=942849 scontext=user_u:system_r:semanage_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

I've tried various combinations of sudo vs being logged on
as root.

So I'm stuck.  At this point I'm inclined to switch back to
non-enforcing mode and be done with it.  Is it supposed to
be this hard to configure?

--
James Garrison                                Athens Group, Inc.
mailto:jhg@xxxxxxxxxxxxxxx                    5608 Parkcrest Dr
http://www.athensgroup.com                    Austin, TX 78731
SKYPE callto:jhg-athensgroup                  (512) 345-0600 x150
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
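
The two denials quoted in the message above, reduced to the type-enforcement rules they correspond to. This is an added example, not part of the original post and not audit2allow's own code; the names `parse_avc` and `allow_rules` are hypothetical.

```python
import re

# The two AVC denials from the message above, copied verbatim.
AVC_LINES = [
    'May 11 16:26:34 bugzilla kernel: audit(1147382794.700:3): avc: denied { create } for pid=18527 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket',
    'May 11 17:36:53 bugzilla kernel: audit(1147387013.477:14): avc: denied { search } for pid=19191 comm="semodule" name="root" dev=md1 ino=942849 scontext=user_u:system_r:semanage_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    perms = m.group("perms").split()
    if not perms or not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    # A context is user:role:type[:level]; the MLS level may itself contain ':'.
    src, tgt = f["scontext"].split(":", 3), f["tcontext"].split(":", 3)
    if len(src) < 3 or len(tgt) < 3:
        return None
    return {"perms": perms, "comm": f.get("comm"), "name": f.get("name"),
            "source_type": src[2], "target_type": tgt[2], "tclass": f["tclass"]}

def allow_rules(lines):
    """Merge denials per (source, target, class) and render TE allow rules."""
    merged = {}
    for d in filter(None, map(parse_avc, lines)):
        key = (d["source_type"], d["target_type"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        target = "self" if tgt == src else tgt  # same type on both sides
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(AVC_LINES):
        print(rule)
```

Read this way, the second denial names a directory called root labelled user_home_dir_t being searched by the semanage_t domain; the denied object is that directory, not local.pp itself.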
