Paul Howarth wrote:
> Rahul Sundaram wrote:
>> Tony Molloy wrote:
>>> Hi,
>>>
>>> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm
>>> getting the following AVC denied message:
>>>
>>> Summary
>>> SELinux prevented httpd reading and writing access to http files.
>>>
>>> Detailed Description
>>> SELinux prevented httpd reading and writing access to http files. Ordinarily
>>> httpd is allowed full access to all files labeled with http file context.
>>> This machine has a tightened security policy with the httpd_unified turned
>>> off, This requires explicit labeling of all files. If a file is a cgi
>>> script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
>>> executed. If it is read only content, it needs to be labeled
>>> httpd_TYPE_content_t, it is writable content. it needs to be labeled
>>> httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
>>> command to change these context. Please refer to the man page "man
>>> httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
>>> refers to one of "sys", "user" or "staff" or potentially other script
>>> types.
>>>
>>> Allowing Access
>>> Changing the "httpd_unified" boolean to true will allow this access:
>>> "setsebool -P httpd_unified=1"
>>>
>>> The following command will allow this access:
>>> setsebool -P httpd_unified=1
>>>
>>> Additional Information
>>> Source Context           root:system_r:httpd_bugzilla_script_t
>>> Target Context           root:object_r:httpd_tmp_t
>>> Target Objects           /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
>>> Affected RPM Packages
>>> Policy RPM               selinux-policy-2.4.6-106.el5_1.3
>>> Selinux Enabled          True
>>> Policy Type              targeted
>>> MLS Enabled              True
>>> Enforcing Mode           Enforcing
>>> Plugin Name              plugins.httpd_unified
>>> Host Name                richmond.csis.ul.ie
>>> Platform                 Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1 SMP
>>>                          Fri Nov 30 00:45:16 EST 2007 i686 i686
>>> Alert Count              21
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>> avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48
>>> exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
>>> path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429
>>> pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
>>> subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
>>> tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
>>>
>>> This seems to be a denial to r/w a file in /tmp.
>>>
>>> I can generate a local policy to allow this access with audit2allow,
>>> but what is the correct way to handle this?
>>
>> The answer was within the report itself:
>>
>> # setsebool -P httpd_unified=1
>
> What's probably needed is for the bugzilla policy to have:
>
> allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;
> allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;
> files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_script_rw_t, { dir file lnk_file sock_file fifo_file })
>
> This is in line with existing policy for httpd_sys_script_t I believe
> (and what I'm using in the fastcgi policy in mod_fcgid-selinux). It
> should be possible to use bugzilla without having httpd_unified set.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Who is creating the httpd_tmp_t files? Is this a cgi that should be labeled httpd_bugzilla_script_t?
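The rules Paul proposes, packaged as a loadable local policy module together with the build step. This is an added example, not code from the thread; it assumes the base apache policy already declares httpd_bugzilla_script_t, httpd_bugzilla_script_rw_t and httpd_tmp_t, and that selinux-policy-devel provides /usr/share/selinux/devel/Makefile (the refpolicy macros used here are not understood by a bare checkmodule).

```shell
#!/bin/sh
# Constructed example: write and build a local module "bugzilla_tmp"
# carrying the allow rules and the /tmp type transition from the thread.
set -e

# Write the type-enforcement (.te) source into directory $1 and print its path.
write_bugzilla_tmp_te() {
    mkdir -p "$1"
    cat > "$1/bugzilla_tmp.te" <<'EOF'
policy_module(bugzilla_tmp, 1.0)

gen_require(`
    type httpd_bugzilla_script_t;
    type httpd_bugzilla_script_rw_t;
    type httpd_tmp_t;
')

# Let bugzilla CGIs manage existing httpd_tmp_t files and directories...
allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;
allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;
# ...and label anything they create under /tmp as their own rw type.
files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_script_rw_t, { dir file lnk_file sock_file fifo_file })
EOF
    echo "$1/bugzilla_tmp.te"
}

# Compile the module with the refpolicy devel Makefile and load it.
# Returns 0 without building when the policy toolchain is not installed.
build_and_load() {
    dir="$1"
    mk=/usr/share/selinux/devel/Makefile
    if [ ! -f "$mk" ]; then
        echo "selinux-policy-devel not installed; skipping build of $dir/bugzilla_tmp.pp" >&2
        return 0
    fi
    ( cd "$dir" && make -f "$mk" bugzilla_tmp.pp ) && semodule -i "$dir/bugzilla_tmp.pp"
}

# Usage: write the source to a scratch directory, then build and load it.
te=$(write_bugzilla_tmp_te "${TMPDIR:-/tmp}/bugzilla_tmp")
echo "wrote $te"
```

After loading, re-run the bugzilla CGI and confirm with `ausearch -m avc -c index.cgi` that no new denial on httpd_tmp_t appears; if the CGI itself creates the file, the filetrans rule is what makes future /tmp objects land in httpd_bugzilla_script_rw_t rather than httpd_tmp_t.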