Re: AVC denial with bugzilla from epel

[Paul Howarth <paul@xxxxxxxxxxxx>]

Rahul Sundaram wrote:
> Tony Molloy wrote:
> > Hi,
> >
> > I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm 
> > getting the following AVC denied message:
> >
> > Summary
> >     SELinux prevented httpd reading and writing access to http files.
> >
> > Detailed Description
> >     SELinux prevented httpd reading and writing access to http files. 
> > Ordinarily
> >     httpd is allowed full access to all files labeled with http file 
> > context.
> >     This machine has a tightened security policy with the 
> > httpd_unified turned
> >     off,  This requires explicit labeling of all files.  If a file is 
> > a cgi
> >     script it needs to be labeled with httpd_TYPE_script_exec_t in 
> > order to be
> >     executed.  If it is read only content, it needs to be labeled
> >     httpd_TYPE_content_t, it is writable content. it needs to be labeled
> >     httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the 
> > chcon
> >     command to change these context.  Please refer to the man page "man
> >     httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 
> > "TYPE"
> >     refers toi one of "sys", "user" or "staff" or potentially other 
> > script
> >     types.
> >
> > Allowing Access
> >     Changing the "httpd_unified" boolean to true will allow this access:
> >     "setsebool -P httpd_unified=1"
> >
> >     The following command will allow this access:
> >     setsebool -P httpd_unified=1
> >
> > Additional Information       
> > Source Context                root:system_r:httpd_bugzilla_script_t
> > Target Context                root:object_r:httpd_tmp_t
> > Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) 
> > [ file ]
> > Affected RPM Packages         Policy RPM                    
> > selinux-policy-2.4.6-106.el5_1.3
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   plugins.httpd_unified
> > Host Name                     richmond.csis.ul.ie
> > Platform                      Linux richmond.csis.ul.ie 
> > 2.6.18-53.1.4.el5 #1 SMP
> >                               Fri Nov 30 00:45:16 EST 2007 i686 i686
> > Alert Count                   21
> > Line Numbers                 
> >
> > Raw Audit Messages           
> > avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48
> > exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 
> > path=2F746D702F2E4E5
> > 350522D41464D2D363830362D393735323063382E30202864656C6574656429 pid=12090
> > scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
> > subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
> > tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
> >
> > This seems to a denial to r/w a file in /tmp
> >
> > I can generate a local policy to allow this access with audit2allow 
> > but what is the correct way to handle this.
>
> The answer was within the report itself
>
> #  setsebool -P httpd_unified=1

What's probably needed is for the bugzilla policy to have:

allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;
allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;
files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_script_rw_t,{ 
dir file lnk_file sock_file fifo_file })

This is in line with existing policy for httpd_sys_script_t I believe 
(and what I'm using in the fastcgi policy in mod_fcgid-selinux). It 
should be possible to use bugzilla without having httpd_unified set.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list