On Friday 25 January 2008 00:13:07 Paul Howarth wrote:
> On Thu, 24 Jan 2008 10:28:42 -0500
> Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > Paul Howarth wrote:
> > > Rahul Sundaram wrote:
> > > > Tony Molloy wrote:
> > > > > Hi,
> > > > >
> > > > > I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm
> > > > > getting the following AVC denied message:
> > > > >
> > > > > Summary
> > > > > SELinux prevented httpd reading and writing access to http files.
> > > > >
> > > > > Detailed Description
> > > > > SELinux prevented httpd reading and writing access to http files.
> > > > > Ordinarily httpd is allowed full access to all files labeled with
> > > > > http file context. This machine has a tightened security policy
> > > > > with httpd_unified turned off. This requires explicit labeling of
> > > > > all files. If a file is a cgi script it needs to be labeled with
> > > > > httpd_TYPE_script_exec_t in order to be executed. If it is read
> > > > > only content, it needs to be labeled httpd_TYPE_content_t; if it
> > > > > is writable content, it needs to be labeled httpd_TYPE_script_rw_t
> > > > > or httpd_TYPE_script_ra_t. You can use the chcon command to change
> > > > > these contexts. Please refer to the man page "man httpd_selinux" or
> > > > > http://fedora.redhat.com/docs/selinux-apache-fc3. "TYPE" refers to
> > > > > one of "sys", "user" or "staff" or potentially other script types.
> > > > >
> > > > > Allowing Access
> > > > > Changing the "httpd_unified" boolean to true will allow this
> > > > > access: "setsebool -P httpd_unified=1"
> > > > >
> > > > > The following command will allow this access:
> > > > > setsebool -P httpd_unified=1
> > > > >
> > > > > Additional Information
> > > > > Source Context        root:system_r:httpd_bugzilla_script_t
> > > > > Target Context        root:object_r:httpd_tmp_t
> > > > > Target Objects        /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
> > > > > Affected RPM Packages
> > > > > Policy RPM            selinux-policy-2.4.6-106.el5_1.3
> > > > > Selinux Enabled       True
> > > > > Policy Type           targeted
> > > > > MLS Enabled           True
> > > > > Enforcing Mode        Enforcing
> > > > > Plugin Name           plugins.httpd_unified
> > > > > Host Name             richmond.csis.ul.ie
> > > > > Platform              Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1 SMP
> > > > >                       Fri Nov 30 00:45:16 EST 2007 i686 i686
> > > > > Alert Count           21
> > > > > Line Numbers
> > > > >
> > > > > Raw Audit Messages
> > > > > avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48
> > > > > euid=48 exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
> > > > > path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429
> > > > > pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
> > > > > subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
> > > > > tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
> > > > >
> > > > > This seems to be a denial to r/w a file in /tmp.
> > > > >
> > > > > I can generate a local policy to allow this access with
> > > > > audit2allow, but what is the correct way to handle this?
> > > >
> > > > The answer was within the report itself
> > > >
> > > > # setsebool -P httpd_unified=1
> > >
> > > What's probably needed is for the bugzilla policy to have:
> > >
> > > allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;
> > > allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;
> > > files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_script_rw_t,{ dir file lnk_file sock_file fifo_file })
> > >
> > > This is in line with existing policy for httpd_sys_script_t I
> > > believe (and what I'm using in the fastcgi policy in
> > > mod_fcgid-selinux). It should be possible to use bugzilla without
> > > having httpd_unified set.
> > >
> > > Paul.
> >
> > Who is creating the httpd_tmp_t files? Is this a cgi that should be
> > labeled httpd_bugzilla_script_t?
>
> Bugzilla is a perl CGI that is labelled httpd_bugzilla_script_exec_t I
> believe and runs as httpd_bugzilla_script_t.
>
> I'm not entirely sure what's happening in this case, but I had almost
> exactly the same issue with httpd_fastcgi_script_t (policy in the
> mod_fcgid-selinux package) when running the moin wiki (python-based)
> using mod_fcgid, which runs the web app as a CGI. The problem I had was
> creating attachments in the wiki, which generated the same sort of
> failures. I noticed the following in the apache policy on Fedora:
>
> # php uploads a file to /tmp and then execs programs to act on them
> manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
> manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
> files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
>
> That looked very similar to the issue I had, so I replicated this bit of
> policy for httpd_fastcgi_script_t and indeed it fixed the problem. And
> in fact I now see that the Fedora policy already has this:
>
> manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
> manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
> files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir })
>
> So maybe this issue is already fixed in Fedora but not EPEL?
>
> Paul.

Thanks for the explanation Paul. What I did was create a local policy
using audit2allow and it works fine now.

Tony

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
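The following script is an added example, not part of the thread and not code from Tony, Paul or the selinux-policy package. It takes the raw AVC record Tony posted (embedded below as a constructed one-line string), decodes the hex-encoded path= field (auditd hex-encodes a path that contains a space, here the trailing " (deleted)"), and writes a local policy module of the shape audit2allow produces, which is the route Tony says he took. The module name bugzilla_tmp_local is a hypothetical choice. The build step runs only if checkmodule and semodule_package are installed, and the script never loads the module itself; that is left as a printed semodule -i instruction because it changes the live policy and needs root.

```sh
#!/bin/sh
# Added example (not from the thread): build an audit2allow-style local
# module from the AVC quoted in the thread. Module name is hypothetical.

# Constructed input: Tony's raw audit message joined onto one line.
AVC='avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48 exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429 pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48 subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48'

# avc_field <avc line> <key>: print the value of key=value in the record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# decode_avc_path <hex>: decode a hex-encoded audit path, byte by byte,
# using only POSIX printf (octal escapes), so no xxd/perl is required.
decode_avc_path() {
    hex=$1
    out=""
    while [ -n "$hex" ]; do
        pair=$(printf '%s' "$hex" | cut -c1-2)
        hex=$(printf '%s' "$hex" | cut -c3-)
        out="$out$(printf "\\$(printf '%03o' "0x$pair")")"
    done
    printf '%s' "$out"
}

# gen_te_module <name> <avc line>: emit a .te module granting exactly the
# denied permissions (source type, target type, class, perms) from the AVC.
gen_te_module() {
    name=$1
    line=$2
    stype=$(avc_field "$line" scontext | cut -d: -f3)
    ttype=$(avc_field "$line" tcontext | cut -d: -f3)
    tclass=$(avc_field "$line" tclass)
    perms=$(printf '%s\n' "$line" | sed 's/.*denied *{\([^}]*\)}.*/\1/; s/,/ /g; s/  */ /g; s/^ //; s/ $//')
    cat <<EOF
module $name 1.0;

require {
    type $stype;
    type $ttype;
    class $tclass { $perms };
}

# Generated from the AVC for: $(decode_avc_path "$(avc_field "$line" path)")
allow $stype $ttype:$tclass { $perms };
EOF
}

# build_module <name>: compile <name>.te into <name>.pp (no loading).
build_module() {
    name=$1
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    echo "built $name.pp; load it as root with: semodule -i $name.pp"
}

MODULE=bugzilla_tmp_local          # hypothetical module name
gen_te_module "$MODULE" "$AVC"     # show the module text
if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
    gen_te_module "$MODULE" "$AVC" > "$MODULE.te"
    build_module "$MODULE" || echo "build of $MODULE failed" >&2
fi
```

The generated rule, `allow httpd_bugzilla_script_t httpd_tmp_t:file { read write };`, is what audit2allow would give for this single denial and it will make the error go away, but it lets Bugzilla's CGIs read and write any httpd_tmp_t file in /tmp, including ones created by other httpd scripts. The Fedora policy Paul quotes takes the tighter route: it transitions files Bugzilla creates in /tmp to a private type (httpd_bugzilla_tmp_t) and grants access only to that type. That transition can only be expressed in a local module if the base policy on the machine defines that type, which is what Paul is questioning about EPEL.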