Don't know why this didn't get through last night ( my time ;-0 )

---------- Forwarded Message ----------

Subject: Re: AVC denial with bugzilla from epel
Date: Thursday 24 January 2008
From: Tony Molloy <tony.molloy@xxxxx>
To: fedora-selinux-list@xxxxxxxxxx

On Thursday 24 January 2008 15:28:42 Daniel J Walsh wrote:
> Paul Howarth wrote:
> > Rahul Sundaram wrote:
> >> Tony Molloy wrote:
> >>> Hi,
> >>>
> >>> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm
> >>> getting the following AVC denied message:
> >>>
> >>> Summary
> >>> SELinux prevented httpd reading and writing access to http files.
> >>>
> >>> Detailed Description
> >>> SELinux prevented httpd reading and writing access to http files.
> >>> Ordinarily httpd is allowed full access to all files labeled with http
> >>> file context. This machine has a tightened security policy with the
> >>> httpd_unified turned off. This requires explicit labeling of all files.
> >>> If a file is a cgi script it needs to be labeled with
> >>> httpd_TYPE_script_exec_t in order to be executed. If it is read only
> >>> content, it needs to be labeled httpd_TYPE_content_t; if it is writable
> >>> content, it needs to be labeled httpd_TYPE_script_rw_t or
> >>> httpd_TYPE_script_ra_t. You can use the chcon command to change these
> >>> contexts. Please refer to the man page "man httpd_selinux" or
> >>> http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE" refers to one
> >>> of "sys", "user" or "staff" or potentially other script types.
> >>>
> >>> Allowing Access
> >>> Changing the "httpd_unified" boolean to true will allow this access:
> >>> "setsebool -P httpd_unified=1"
> >>>
> >>> The following command will allow this access:
> >>> setsebool -P httpd_unified=1
> >>>
> >>> Additional Information
> >>> Source Context        root:system_r:httpd_bugzilla_script_t
> >>> Target Context        root:object_r:httpd_tmp_t
> >>> Target Objects        /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
> >>> Affected RPM Packages
> >>> Policy RPM            selinux-policy-2.4.6-106.el5_1.3
> >>> Selinux Enabled       True
> >>> Policy Type           targeted
> >>> MLS Enabled           True
> >>> Enforcing Mode        Enforcing
> >>> Plugin Name           plugins.httpd_unified
> >>> Host Name             richmond.csis.ul.ie
> >>> Platform              Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1 SMP
> >>>                       Fri Nov 30 00:45:16 EST 2007 i686 i686
> >>> Alert Count           21
> >>> Line Numbers
> >>>
> >>> Raw Audit Messages
> >>> avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48
> >>> exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
> >>> path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429
> >>> pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
> >>> subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
> >>> tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
> >>>
> >>> This seems to be a denial to r/w a file in /tmp
> >>>
> >>> I can generate a local policy to allow this access with audit2allow
> >>> but what is the correct way to handle this.
> >>
> >> The answer was within the report itself
> >>
> >> # setsebool -P httpd_unified=1
> >
> Who is creating the httpd_tmp_t files? Is this a cgi that should be
> labeled httpd_bugzilla_script_t.

Several perl cgi scripts create tmp files.
From the above it's index.cgi. The permissions on all these scripts are the same.

-rwxr-x--- root apache system_u:object_r:httpd_bugzilla_script_exec_t index.cgi

I created a local policy and bugzilla is working.

I also submitted this as bug 429879 to bugzilla.

Thanks,

Tony

-------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
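The raw AVC record in the report is hard to read because the audit subsystem hex-encodes string fields such as `path=` whenever they contain a space or other characters it treats as unsafe (here the " (deleted)" suffix). The following is an added example, not code from the thread or from setroubleshoot: it parses the record as quoted above (re-joined onto one line and embedded as constructed sample input), decodes the hex path, and pulls out the source domain, target type, object class and denied permissions, which are exactly the pieces Dan asks about (who is touching `httpd_tmp_t` files, and from which domain). The field names handled as hex-encodable are an assumption based on the common audit string fields.

```python
"""Parse a raw SELinux AVC record and decode its hex-encoded path field.

Added example for the mailing-list report above; not part of the thread.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed copy of the record quoted in the report, re-joined onto one line.
SAMPLE_AVC = (
    'avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48 '
    'exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 '
    'path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429 '
    'pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48 '
    'subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file '
    'tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48'
)

# Assumption: these are the string-valued audit fields that may arrive hex-encoded.
# Numeric fields such as egid=48 must never be hex-decoded, so the set is explicit.
HEX_FIELDS = {"path", "comm", "exe", "name", "cwd", "proctitle"}

_HEX_VALUE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
_KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Accepts both the audit.log form "{ read write }" and setroubleshoot's "{ read, write }".
_DECISION = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


class Avc(NamedTuple):
    decision: str          # "denied" or "granted"
    perms: List[str]       # e.g. ["read", "write"]
    fields: Dict[str, str]  # remaining key=value pairs, quotes/hex already decoded

    @property
    def source_type(self) -> str:
        # user:role:type:level -> type
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def decode_field(key: str, value: str) -> str:
    """Strip surrounding quotes, or hex-decode a string field the kernel encoded."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and _HEX_VALUE.match(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(line: str) -> Avc:
    """Turn one AVC record into its decision, permission list and decoded fields."""
    m = _DECISION.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    decision, perm_text = m.group(1), m.group(2)
    perms = [p.strip(",") for p in perm_text.split()]
    fields = {k: decode_field(k, v) for k, v in _KEY_VALUE.findall(line[m.end():])}
    return Avc(decision, perms, fields)


def summarize(avc: Avc) -> str:
    """One-line triage summary: which domain was denied what, on which labeled object."""
    return "%s was %s %s on %s %s labeled %s (comm=%s, exe=%s)" % (
        avc.source_type,
        avc.decision,
        "/".join(avc.perms),
        avc.fields.get("tclass", "?"),
        avc.fields.get("path", "?"),
        avc.target_type,
        avc.fields.get("comm", "?"),
        avc.fields.get("exe", "?"),
    )


if __name__ == "__main__":
    print(summarize(parse_avc(SAMPLE_AVC)))
```

Run against the sample, the summary names `httpd_bugzilla_script_t` as the denied domain, `httpd_tmp_t` as the label on the already-deleted temporary file under `/tmp`, and `index.cgi` run by `/usr/bin/perl` as the process; those are the values to compare against `getsebool httpd_unified` and against whatever `audit2allow` proposes before deciding between flipping the boolean and shipping a local policy module.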