AVC denial with bugzilla from epel

Daniel J Walsh dwalsh at redhat.com
Thu Jan 24 15:28:42 UTC 2008



Paul Howarth wrote:
> Rahul Sundaram wrote:
>> Tony Molloy wrote:
>>> Hi,
>>>
>>> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm
>>> getting the following AVC denied message:
>>>
>>> Summary
>>>     SELinux prevented httpd reading and writing access to http files.
>>>
>>> Detailed Description
>>>     SELinux prevented httpd reading and writing access to http files.
>>>     Ordinarily httpd is allowed full access to all files labeled with http
>>>     file context. This machine has a tightened security policy with the
>>>     httpd_unified turned off. This requires explicit labeling of all files.
>>>     If a file is a cgi script it needs to be labeled with
>>>     httpd_TYPE_script_exec_t in order to be executed. If it is read only
>>>     content, it needs to be labeled httpd_TYPE_content_t; if it is writable
>>>     content, it needs to be labeled httpd_TYPE_script_rw_t or
>>>     httpd_TYPE_script_ra_t. You can use the chcon command to change these
>>>     contexts. Please refer to the man page "man httpd_selinux" or
>>>     http://fedora.redhat.com/docs/selinux-apache-fc3. "TYPE" refers to one
>>>     of "sys", "user" or "staff" or potentially other script types.
>>>
>>> Allowing Access
>>>     Changing the "httpd_unified" boolean to true will allow this access:
>>>     "setsebool -P httpd_unified=1"
>>>
>>>     The following command will allow this access:
>>>     setsebool -P httpd_unified=1
>>>
>>> Additional Information
>>>     Source Context                root:system_r:httpd_bugzilla_script_t
>>>     Target Context                root:object_r:httpd_tmp_t
>>>     Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
>>>     Affected RPM Packages
>>>     Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
>>>     Selinux Enabled               True
>>>     Policy Type                   targeted
>>>     MLS Enabled                   True
>>>     Enforcing Mode                Enforcing
>>>     Plugin Name                   plugins.httpd_unified
>>>     Host Name                     richmond.csis.ul.ie
>>>     Platform                      Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1 SMP
>>>                                   Fri Nov 30 00:45:16 EST 2007 i686 i686
>>>     Alert Count                   21
>>>     Line Numbers
>>>     Raw Audit Messages            avc: denied { read, write } for comm="index.cgi"
>>>     dev=sda6 egid=48 euid=48 exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48
>>>     gid=48 items=0
>>>     path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429
>>>     pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
>>>     subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
>>>     tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
>>>
>>> This seems to be a denial to r/w a file in /tmp.
>>>
>>> I can generate a local policy to allow this access with audit2allow,
>>> but what is the correct way to handle this?
>>
>> The answer was within the report itself
>>
>> #  setsebool -P httpd_unified=1
> 
> What's probably needed is for the bugzilla policy to have:
> 
> allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;
> allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;
> files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_script_rw_t, { dir file lnk_file sock_file fifo_file })
> 
> This is in line with existing policy for httpd_sys_script_t I believe
> (and what I'm using in the fastcgi policy in mod_fcgid-selinux). It
> should be possible to use bugzilla without having httpd_unified set.
> 
> Paul.
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Who is creating the httpd_tmp_t files?  Is this a cgi that should be
labeled httpd_bugzilla_script_t?
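As an added example (not part of this thread), the following Python decodes the raw audit record Tony quoted: the hex-encoded path= field, the source and target types, and the minimal allow rule audit2allow would derive from it. Only the record itself comes from the post; the field list and function names are my own.

```python
import re
import binascii

# AVC record copied from Tony's post above, joined onto one line (the archive
# wraps it). Audit hex-encodes a string field when it contains a space or a
# quote, which is why path= is hex here: the "(deleted)" suffix carries a space.
RAW_AVC = (
    'avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48 '
    'exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 '
    'path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429 '
    'pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48 '
    'subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file '
    'tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48'
)

# Only these string fields are ever hex-decoded; egid=48 is numeric, not hex "H".
HEX_FIELDS = {'path', 'comm', 'exe', 'name', 'cwd', 'proctitle'}

def decode_audit_value(key, value):
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return binascii.unhexlify(value).decode('utf-8', 'replace')
    return value

def parse_avc(record):
    """Return (permissions, fields) for one 'avc: denied' record."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', record)
    if not m:
        raise ValueError('not an AVC denial record')
    perms = m.group(1).replace(',', ' ').split()
    fields = {k: decode_audit_value(k, v)
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    return perms, fields

def type_of(context):
    """'root:system_r:httpd_bugzilla_script_t:s0' -> 'httpd_bugzilla_script_t'."""
    return context.split(':')[2]

def allow_rule(record):
    """Minimal rule audit2allow would emit. Paul's files_tmp_filetrans fix above is
    preferable: it keeps bugzilla's temp files out of the shared httpd_tmp_t type."""
    perms, f = parse_avc(record)
    return 'allow %s %s:%s { %s };' % (
        type_of(f['scontext']), type_of(f['tcontext']), f['tclass'], ' '.join(perms))

if __name__ == '__main__':
    print(parse_avc(RAW_AVC)[1]['path'])   # the decoded, since-unlinked NSPR temp file
    print(allow_rule(RAW_AVC))
```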



