Re: AVC denial with bugzilla from epel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Friday 25 January 2008 00:13:07 Paul Howarth wrote:
> On Thu, 24 Jan 2008 10:28:42 -0500
>
> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Paul Howarth wrote:
> > > Rahul Sundaram wrote:
> > >> Tony Molloy wrote:
> > >>> Hi,
> > >>>
> > >>> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm
> > >>> getting the following AVC denied message:
> > >>>
> > >>> Summary
> > >>>     SELinux prevented httpd reading and writing access to http
> > >>> files.
> > >>>
> > >>> Detailed Description
> > >>>     SELinux prevented httpd reading and writing access to http
> > >>> files. Ordinarily
> > >>>     httpd is allowed full access to all files labeled with http
> > >>> file context.
> > >>>     This machine has a tightened security policy with the
> > >>> httpd_unified turned
> > >>>     off,  This requires explicit labeling of all files.  If a
> > >>> file is a cgi
> > >>>     script it needs to be labeled with httpd_TYPE_script_exec_t in
> > >>> order to be
> > >>>     executed.  If it is read only content, it needs to be labeled
> > >>>     httpd_TYPE_content_t, it is writable content. it needs to be
> > >>> labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can
> > >>> use the chcon
> > >>>     command to change these context.  Please refer to the man
> > >>> page "man httpd_selinux" or
> > >>> http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
> > >>>     refers toi one of "sys", "user" or "staff" or potentially
> > >>> other script
> > >>>     types.
> > >>>
> > >>> Allowing Access
> > >>>     Changing the "httpd_unified" boolean to true will allow this
> > >>> access: "setsebool -P httpd_unified=1"
> > >>>
> > >>>     The following command will allow this access:
> > >>>     setsebool -P httpd_unified=1
> > >>>
> > >>> Additional Information       Source Context
> > >>> root:system_r:httpd_bugzilla_script_t
> > >>> Target Context                root:object_r:httpd_tmp_t
> > >>> Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0
> > >>> (deleted) [ file ]
> > >>> Affected RPM Packages         Policy RPM
> > >>> selinux-policy-2.4.6-106.el5_1.3
> > >>> Selinux Enabled               True
> > >>> Policy Type                   targeted
> > >>> MLS Enabled                   True
> > >>> Enforcing Mode                Enforcing
> > >>> Plugin Name                   plugins.httpd_unified
> > >>> Host Name                     richmond.csis.ul.ie
> > >>> Platform                      Linux richmond.csis.ul.ie
> > >>> 2.6.18-53.1.4.el5 #1 SMP
> > >>>                               Fri Nov 30 00:45:16 EST 2007 i686
> > >>> i686 Alert Count                   21
> > >>> Line Numbers
> > >>> Raw Audit Messages           avc: denied { read, write } for
> > >>> comm="index.cgi" dev=sda6 egid=48 euid=48
> > >>> exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
> > >>> path=2F746D702F2E4E5
> > >>> 350522D41464D2D363830362D393735323063382E30202864656C6574656429
> > >>> pid=12090
> > >>> scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
> > >>> subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
> > >>> tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
> > >>>
> > >>> This seems to a denial to r/w a file in /tmp
> > >>>
> > >>> I can generate a local policy to allow this access with
> > >>> audit2allow but what is the correct way to handle this.
> > >>
> > >> The answer was within the report itself
> > >>
> > >> #  setsebool -P httpd_unified=1
> > >
> > > What's probably needed is for the bugzilla policy to have:
> > >
> > > allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;
> > > allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;
> > > files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_script_rw_t,
> > >{ dir file lnk_file sock_file fifo_file })
> > >
> > > This is in line with existing policy for httpd_sys_script_t I
> > > believe (and what I'm using in the fastcgi policy in
> > > mod_fcgid-selinux). It should be possible to use bugzilla without
> > > having httpd_unified set.
> > >
> > > Paul.
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> > Who is creating the httpd_tmp_t files?  Is this a cgi that should be
> > labeled httpd_bugzilla_script_t.
>
> Bugzilla is a perl CGI that is labelled httpd_bugzilla_script_exec_t I
> believe and runs as httpd_bugzilla_script_t.
>
> I'm not entirely sure what's happening in this case but I had an almost
> exactly the same issue with httpd_fastcgi_script_t (policy in the
> mod_fcgid-selinux package) when running the moin wiki (python-based)
> using mod_fcgid, which runs the web app as a CGI. The problem I had was
> creating attachments in the wiki, which generated the same sort of
> failures. I noticed the following in the apache policy on Fedora:
>
> # php uploads a file to /tmp and then execs programs to acton them
> manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
> manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
> files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file
> lnk_file sock_file fifo_file })
>
>
> That looked very similar to the issue I had so I replicated this bit of
> policy for httpd_fastcgi_script_t and indeed it fixed the problem. And
> in fact I now see that the Fedora policy already has this:
>
> manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugz
>illa_tmp_t)
> manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bug
>zilla_tmp_t)
> files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir
> })
>
> So maybe this issue is already fixed in Fedora but not EPEL?
>
> Paul.
>

Thanks for the explanation Paul.

What I did was create a local policy using audit2allow and it works fine now.

Tony
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux