I'm going through the rather painful process of installing Bugzilla on an SELinux FC5 box. I'm almost there now, I think, however I'm trying to add a local policy to SELinux for allowing Apache to execute .cgi scripts, and have hit a brick wall.
When I try to hit the Bugzilla page from a browser on the network I get this:
tail -f /var/log/messages output:
kernel: audit(1167911234.610:20): avc: denied { execute_no_trans } for pid=28833 comm="httpd" name=" index.cgi" dev=dm-0 ino=34931972 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
So, following the guide in the fedora docs Here I generated a local.te using audit2allow -m local -l -i /var/log/messages > local.te , compiled it using checkmodule -M -m -o local.mod local.te, packaged it using semodule_package -o local.pp -m local.mod, then attempted to add it to the current running policy using semodule -i local.pp . This point is where I get stuck. i'm seeing this output when I execute the command:
tail -f /var/log/messages output:
Jan 4 11:56:13 svn kernel: security: 3 users, 6 roles, 1481 types, 152 bools, 1 sens, 256 cats
Jan 4 11:56:13 svn kernel: security: 58 classes, 43474 rules
Jan 4 11:56:13 svn dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=7) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Jan 4 11:56:13 svn dbus: Can't send to audit system: USER_AVC avc: 0 AV entries and 0/512 buckets used, longest chain length 0 : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Jan 4 11:56:13 svn kernel: audit( 1167911773.820:21): policy loaded auid=4294967295
After looking around, I saw on this mailing list that this might be a bug in SELinux-Policy that was fixed in version 2.3.14-3. Yum doesn't seem to know about this newer version. Am I barking up the wrong tree?
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
