Re: AVC denial with bugzilla from epel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tony Molloy wrote:
Hi,

I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm getting the following AVC denied message:

Summary
    SELinux prevented httpd reading and writing access to http files.

Detailed Description
SELinux prevented httpd reading and writing access to http files. Ordinarily
    httpd is allowed full access to all files labeled with http file context.
    This machine has a tightened security policy with the httpd_unified turned
    off,  This requires explicit labeling of all files.  If a file is a cgi
    script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
    executed.  If it is read only content, it needs to be labeled
    httpd_TYPE_content_t, it is writable content. it needs to be labeled
    httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
    command to change these context.  Please refer to the man page "man
    httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
    refers toi one of "sys", "user" or "staff" or potentially other script
    types.

Allowing Access
    Changing the "httpd_unified" boolean to true will allow this access:
    "setsebool -P httpd_unified=1"

    The following command will allow this access:
    setsebool -P httpd_unified=1

Additional Information
Source Context                root:system_r:httpd_bugzilla_script_t
Target Context                root:object_r:httpd_tmp_t
Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
Affected RPM Packages Policy RPM selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_unified
Host Name                     richmond.csis.ul.ie
Platform Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1 SMP
                              Fri Nov 30 00:45:16 EST 2007 i686 i686
Alert Count                   21
Line Numbers

Raw Audit Messages
avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48
exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 path=2F746D702F2E4E5
350522D41464D2D363830362D393735323063382E30202864656C6574656429 pid=12090
scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48

This seems to a denial to r/w a file in /tmp

I can generate a local policy to allow this access with audit2allow but what is the correct way to handle this.

The answer was within the report itself

#  setsebool -P httpd_unified=1

Rahul

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux