Re: AVC denial with bugzilla from epel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Howarth wrote:
> Rahul Sundaram wrote:
>> Tony Molloy wrote:
>>> Hi,
>>>
>>> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm
>>> getting the following AVC denied message:
>>>
>>> Summary
>>>     SELinux prevented httpd reading and writing access to http files.
>>>
>>> Detailed Description
>>>     SELinux prevented httpd reading and writing access to http files.
>>> Ordinarily
>>>     httpd is allowed full access to all files labeled with http file
>>> context.
>>>     This machine has a tightened security policy with the
>>> httpd_unified turned
>>>     off,  This requires explicit labeling of all files.  If a file is
>>> a cgi
>>>     script it needs to be labeled with httpd_TYPE_script_exec_t in
>>> order to be
>>>     executed.  If it is read only content, it needs to be labeled
>>>     httpd_TYPE_content_t, it is writable content. it needs to be labeled
>>>     httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the
>>> chcon
>>>     command to change these context.  Please refer to the man page "man
>>>     httpd_selinux" or
>>> http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
>>>     refers toi one of "sys", "user" or "staff" or potentially other
>>> script
>>>     types.
>>>
>>> Allowing Access
>>>     Changing the "httpd_unified" boolean to true will allow this access:
>>>     "setsebool -P httpd_unified=1"
>>>
>>>     The following command will allow this access:
>>>     setsebool -P httpd_unified=1
>>>
>>> Additional Information       Source Context               
>>> root:system_r:httpd_bugzilla_script_t
>>> Target Context                root:object_r:httpd_tmp_t
>>> Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0 (deleted)
>>> [ file ]
>>> Affected RPM Packages         Policy RPM                   
>>> selinux-policy-2.4.6-106.el5_1.3
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   plugins.httpd_unified
>>> Host Name                     richmond.csis.ul.ie
>>> Platform                      Linux richmond.csis.ul.ie
>>> 2.6.18-53.1.4.el5 #1 SMP
>>>                               Fri Nov 30 00:45:16 EST 2007 i686 i686
>>> Alert Count                   21
>>> Line Numbers                
>>> Raw Audit Messages           avc: denied { read, write } for
>>> comm="index.cgi" dev=sda6 egid=48 euid=48
>>> exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
>>> path=2F746D702F2E4E5
>>> 350522D41464D2D363830362D393735323063382E30202864656C6574656429
>>> pid=12090
>>> scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
>>> subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
>>> tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
>>>
>>> This seems to a denial to r/w a file in /tmp
>>>
>>> I can generate a local policy to allow this access with audit2allow
>>> but what is the correct way to handle this.
>>
>> The answer was within the report itself
>>
>> #  setsebool -P httpd_unified=1
> 
> What's probably needed is for the bugzilla policy to have:
> 
> allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;
> allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;
> files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_script_rw_t,{
> dir file lnk_file sock_file fifo_file })
> 
> This is in line with existing policy for httpd_sys_script_t I believe
> (and what I'm using in the fastcgi policy in mod_fcgid-selinux). It
> should be possible to use bugzilla without having httpd_unified set.
> 
> Paul.
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Who is creating the httpd_tmp_t files?  Is this a cgi that should be
labeled httpd_bugzilla_script_t.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeYrqoACgkQrlYvE4MpobNUfwCfSda6EL8h9tieGHDZD8WJqj9I
hAMAoKSQzRYfthJxusWW7iIrV/UPz6Xr
=p7rZ
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux