Re: selinux preventing Bugzilla on FC5

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Paul Howarth wrote:
> On Thu, 2006-05-11 at 18:21 -0500, James Garrison wrote:
>   
> > The continuing saga....
> >
> >     
> > > May 11 18:11:05 bugzilla kernel: audit(1147389065.041:16): avc:  
> > > denied  { read } for  pid=19398 comm="index.cgi" name="resolv.conf" 
> > > dev=md1 ino=1106152 scontext=user_u:system_r:httpd_sys_script_t:s0 
> > > tcontext=system_u:object_r:net_conf_t:s0 tclass=file
> > > May 11 18:11:05 bugzilla kernel: audit(1147389065.045:17): avc:  
> > > denied  { create } for  pid=19398 comm="index.cgi" 
> > > scontext=user_u:system_r:httpd_sys_script_t:s0 
> > > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
> > > May 11 18:11:05 bugzilla kernel: audit(1147389065.045:18): avc:  
> > > denied  { create } for  pid=19398 comm="index.cgi" 
> > > scontext=user_u:system_r:httpd_sys_script_t:s0 
> > > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
> > > May 11 18:11:05 bugzilla kernel: audit(1147389065.045:19): avc:  
> > > denied  { shutdown } for  pid=19398 comm="index.cgi" 
> > > scontext=user_u:system_r:httpd_sys_script_t:s0 
> > > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
> > >       
> > It seems like I'm just going to have to keep trying and adding new
> > allow rules, 2 or 3 at a time, until I've hit everything not allowed
> > by selinux.  Surely I'm not the first person to try to get Bugzilla
> > running on FC5?
> >
> > Is there a better way to do this than trial and error?
> >     
>
>   

The latest policy will allow semodule to read users home directories 
also.  Since this bug seems to be coming up often.
Please send me you final policy files when you have it working.

> You could put SELinux in permissive mode:
>
> # setenforce 0
>
> then run bugzilla and get all of the SELinux denials logged, so you can
> deal with them all in one go. Then turn enforcing mode back on:
>
> # setenforce 1
>
> You might also consider looking at the bugzilla package currently making
> its way through the Fedora Extras review process:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188359
>
> This probably doesn't include any SELinux support (at least not yet),
> but might be better to use from a maintainability standpoint.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>   
>
>
> The latest policy will allow semodule to read users home directories also.  Since this bug seems to be coming up often.
>
> Please send me you final policy files 
>
>   

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list