selinux preventing Bugzilla on FC5

James Garrison jhg at athensgroup.com
Thu May 11 22:41:20 UTC 2006 

Objective:   Run bugzilla on FC5
Problem:     selinux is getting in the way

First I had to change the file context for all of Bugzilla
to httpd_sys_content_t, and the .cgi components to
httpd_sys_script_exec_t.  Next, I get the following when
Bugzilla tries to open a tcp socket to talk to the database:

> May 11 16:26:34 bugzilla kernel: audit(1147382794.700:3): avc:  
> denied  { create } for  pid=18527 comm="index.cgi" 
> scontext=user_u:system_r:httpd_sys_script_t:s0 
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket

No problem, according to the FAQ, just make a local module with audit2allow
and install it with semodule.  Here's what actually happens:

> [jhg at bugzilla ~]$ audit2allow -M local < avc.dat
> Generating type enforcment file: local.te
> Compiling policy
> checkmodule -M -m -o local.mod local.te
> semodule_package -o local.pp -m local.mod
>
> ******************** IMPORTANT ***********************
>
> In order to load this newly created policy package into the kernel,
> you are required to execute
>
> semodule -i local.pp
>
>
> [jhg at bugzilla ~]$ sudo semodule -i local.pp
> semodule:  Could not read file 'local.pp':
> [jhg at bugzilla ~]$ ls local*
> local.mod  local.pp  local.te
> [jhg at bugzilla ~]$

The problem is that semodule is not being allowed to read local.pp
by selinux itself:

> May 11 17:36:53 bugzilla kernel: audit(1147387013.477:14): avc:  
> denied  { search } for  pid=19191 comm="semodule" name="root" dev=md1 
> ino=942849 scontext=user_u:system_r:semanage_t:s0 
> tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

I've tried various combinations of sudo vs being logged on
as root.

So I'm stuck.  At this point I'm inclined to switch back to
non-enforcing mode and be done with it.  Is it supposed to
be this hard to configure?

-- 
James Garrison                                Athens Group, Inc.
mailto:jhg at athensgroup.com                    5608 Parkcrest Dr
http://www.athensgroup.com                    Austin, TX 78731
SKYPE callto:jhg-athensgroup                  (512) 345-0600 x150
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C

More information about the fedora-selinux-list mailing list