Fwd: Re: AVC denial with bugzilla from epel
Tony Molloy
tony.molloy at ul.ie
Fri Jan 25 08:26:24 UTC 2008
Don't know why this didn't get through last night ( my time ;-0 )
---------- Forwarded Message ----------
Subject: Re: AVC denial with bugzilla from epel
Date: Thursday 24 January 2008
From: Tony Molloy <tony.molloy at ul.ie>
To: fedora-selinux-list at redhat.com
On Thursday 24 January 2008 15:28:42 Daniel J Walsh wrote:
> Paul Howarth wrote:
> > Rahul Sundaram wrote:
> >> Tony Molloy wrote:
> >>> Hi,
> >>>
> >>> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm
> >>> getting the following AVC denied message:
> >>>
> >>> Summary
> >>> SELinux prevented httpd reading and writing access to http files.
> >>>
> >>> Detailed Description
> >>> SELinux prevented httpd reading and writing access to http files.
> >>> Ordinarily httpd is allowed full access to all files labeled with http
> >>> file context. This machine has a tightened security policy with the
> >>> httpd_unified turned off. This requires explicit labeling of all files.
> >>> If a file is a cgi script it needs to be labeled with
> >>> httpd_TYPE_script_exec_t in order to be executed. If it is read only
> >>> content, it needs to be labeled httpd_TYPE_content_t; if it is writable
> >>> content, it needs to be labeled httpd_TYPE_script_rw_t or
> >>> httpd_TYPE_script_ra_t. You can use the chcon command to change these
> >>> context. Please refer to the man page "man httpd_selinux" or
> >>> http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE" refers to one
> >>> of "sys", "user" or "staff" or potentially other script types.
> >>>
> >>> Allowing Access
> >>> Changing the "httpd_unified" boolean to true will allow this
> >>> access: "setsebool -P httpd_unified=1"
> >>>
> >>> The following command will allow this access:
> >>> setsebool -P httpd_unified=1
> >>>
> >>> Additional Information Source Context
> >>> root:system_r:httpd_bugzilla_script_t
> >>> Target Context root:object_r:httpd_tmp_t
> >>> Target Objects /tmp/.NSPR-AFM-6806-97520c8.0 (deleted)
> >>> [ file ]
> >>> Affected RPM Packages Policy RPM
> >>> selinux-policy-2.4.6-106.el5_1.3
> >>> Selinux Enabled True
> >>> Policy Type targeted
> >>> MLS Enabled True
> >>> Enforcing Mode Enforcing
> >>> Plugin Name plugins.httpd_unified
> >>> Host Name richmond.csis.ul.ie
> >>> Platform Linux richmond.csis.ul.ie
> >>> 2.6.18-53.1.4.el5 #1 SMP
> >>> Fri Nov 30 00:45:16 EST 2007 i686 i686
> >>> Alert Count 21
> >>> Line Numbers
> >>> Raw Audit Messages avc: denied { read, write } for
> >>> comm="index.cgi" dev=sda6 egid=48 euid=48
> >>> exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
> >>> path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429
> >>> pid=12090
> >>> scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
> >>> subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
> >>> tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
> >>>
> >>> This seems to a denial to r/w a file in /tmp
> >>>
> >>> I can generate a local policy to allow this access with audit2allow
> >>> but what is the correct way to handle this.
> >>
> >> The answer was within the report itself
> >>
> >> # setsebool -P httpd_unified=1
> >
> Who is creating the httpd_tmp_t files? Is this a cgi that should be
> labeled httpd_bugzilla_script_t.
Several perl cgi scripts create tmp files.
From the above it's index.cgi. The permissions on all these scripts are the
same.
-rwxr-x--- root apache system_u:object_r:httpd_bugzilla_script_exec_t
index.cgi
I created a local policy and bugzilla is working. I also submitted this as
bug 429879 to bugzilla.
Thanks,
Tony
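To show how the raw audit message quoted above is actually read, here is an added Python example (not code from the thread, and not setroubleshoot's or audit2allow's own code). The kernel audit subsystem hex-encodes any string field whose value contains a space, quote or control byte, which is why the " (deleted)" suffix on the target file turned the path into a run of hex digits. The example parses the AVC record, decodes that field back to "/tmp/.NSPR-AFM-6806-97520c8.0 (deleted)", pulls the source and target types out of the contexts, and renders the one allow rule this denial maps to, which is the same shape audit2allow emits for it. The sample record is the one quoted above, rejoined onto one line; the helper names are my own.

```python
import re

# Constructed sample: the AVC record quoted in the thread, rejoined onto one line.
RAW_AVC = (
    'avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48 '
    'exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 '
    'path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429 '
    'pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48 '
    'subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file '
    'tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48'
)

# Fields whose values audit may hex-encode instead of quoting (assumed set;
# these are the string-valued fields that commonly carry spaces or odd bytes).
HEX_FIELDS = {"path", "name", "comm", "exe", "proctitle"}


def decode_hex_field(value):
    """Audit quotes a string value when it is printable and has no spaces,
    and otherwise writes it as an unquoted run of hex digits. Strip the
    quotes in the first case, decode the hex in the second."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(record):
    """Split one AVC line into its decision, permission list and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$", record)
    if not m:
        raise ValueError("not an AVC record: %r" % record)
    decision, perm_text, rest = m.groups()
    perms = perm_text.replace(",", " ").split()
    fields = {}
    # Values never contain spaces (audit hex-encodes them if they would), so
    # whitespace splitting is safe; split each token on its first '='.
    for token in rest.split():
        key, sep, value = token.partition("=")
        if not sep:
            continue
        fields[key] = decode_hex_field(value) if key in HEX_FIELDS else value
    return {"decision": decision, "perms": perms, "fields": fields}


def context_type(context):
    """Return the type component of a user:role:type[:level] security context."""
    return context.split(":")[2]


def allow_rule(parsed):
    """Render the single TE allow rule that would permit exactly this access,
    the narrow alternative to flipping the httpd_unified boolean."""
    f = parsed["fields"]
    return "allow %s %s:%s { %s };" % (
        context_type(f["scontext"]),
        context_type(f["tcontext"]),
        f["tclass"],
        " ".join(parsed["perms"]),
    )


if __name__ == "__main__":
    parsed = parse_avc(RAW_AVC)
    f = parsed["fields"]
    print("process :", f["comm"], "(", f["exe"], ") pid", f["pid"])
    print("target  :", f["path"])
    print("denied  :", " ".join(parsed["perms"]), "on", f["tclass"])
    print("rule    :", allow_rule(parsed))
```

The rendered rule is what a local module built from this one denial would contain; compare that with `setsebool -P httpd_unified=1`, which widens httpd's access across every httpd_* file type rather than just httpd_bugzilla_script_t to httpd_tmp_t.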