selinux preventing Bugzilla on FC5
James Garrison
jhg at athensgroup.com
Thu May 11 22:41:20 UTC 2006
Objective: Run bugzilla on FC5
Problem: selinux is getting in the way
First I had to change the file context for all of Bugzilla
to httpd_sys_content_t, and the .cgi components to
httpd_sys_script_exec_t. Next, I get the following when
Bugzilla tries to open a tcp socket to talk to the database:
> May 11 16:26:34 bugzilla kernel: audit(1147382794.700:3): avc:
> denied { create } for pid=18527 comm="index.cgi"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
No problem, according to the FAQ, just make a local module with audit2allow
and install it with semodule. Here's what actually happens:
> [jhg@bugzilla ~]$ audit2allow -M local < avc.dat
> Generating type enforcment file: local.te
> Compiling policy
> checkmodule -M -m -o local.mod local.te
> semodule_package -o local.pp -m local.mod
>
> ******************** IMPORTANT ***********************
>
> In order to load this newly created policy package into the kernel,
> you are required to execute
>
> semodule -i local.pp
>
>
> [jhg@bugzilla ~]$ sudo semodule -i local.pp
> semodule: Could not read file 'local.pp':
> [jhg@bugzilla ~]$ ls local*
> local.mod local.pp local.te
> [jhg@bugzilla ~]$
The problem is that semodule is not being allowed to read local.pp
by selinux itself:
> May 11 17:36:53 bugzilla kernel: audit(1147387013.477:14): avc:
> denied { search } for pid=19191 comm="semodule" name="root" dev=md1
> ino=942849 scontext=user_u:system_r:semanage_t:s0
> tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
I've tried various combinations of sudo vs being logged on
as root.
So I'm stuck. At this point I'm inclined to switch back to
non-enforcing mode and be done with it. Is it supposed to
be this hard to configure?
--
James Garrison Athens Group, Inc.
mailto:jhg at athensgroup.com 5608 Parkcrest Dr
http://www.athensgroup.com Austin, TX 78731
SKYPE callto:jhg-athensgroup (512) 345-0600 x150
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C