selinux preventing Bugzilla on FC5

Daniel J Walsh dwalsh at redhat.com
Fri May 12 17:22:24 UTC 2006


Paul Howarth wrote:
> On Thu, 2006-05-11 at 18:21 -0500, James Garrison wrote:
>   
>> The continuing saga....
>>
>>     
>>> May 11 18:11:05 bugzilla kernel: audit(1147389065.041:16): avc:  
>>> denied  { read } for  pid=19398 comm="index.cgi" name="resolv.conf" 
>>> dev=md1 ino=1106152 scontext=user_u:system_r:httpd_sys_script_t:s0 
>>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>>> May 11 18:11:05 bugzilla kernel: audit(1147389065.045:17): avc:  
>>> denied  { create } for  pid=19398 comm="index.cgi" 
>>> scontext=user_u:system_r:httpd_sys_script_t:s0 
>>> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
>>> May 11 18:11:05 bugzilla kernel: audit(1147389065.045:18): avc:  
>>> denied  { create } for  pid=19398 comm="index.cgi" 
>>> scontext=user_u:system_r:httpd_sys_script_t:s0 
>>> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
>>> May 11 18:11:05 bugzilla kernel: audit(1147389065.045:19): avc:  
>>> denied  { shutdown } for  pid=19398 comm="index.cgi" 
>>> scontext=user_u:system_r:httpd_sys_script_t:s0 
>>> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
>>>       
>> It seems like I'm just going to have to keep trying and adding new
>> allow rules, 2 or 3 at a time, until I've hit everything not allowed
>> by selinux.  Surely I'm not the first person to try to get Bugzilla
>> running on FC5?
>>
>> Is there a better way to do this than trial and error?
>>     
>
>   

The latest policy will allow semodule to read users' home directories 
also, since this bug seems to be coming up often.
Please send me your final policy files when you have it working.

> You could put SELinux in permissive mode:
>
> # setenforce 0
>
> then run bugzilla and get all of the SELinux denials logged, so you can
> deal with them all in one go. Then turn enforcing mode back on:
>
> # setenforce 1
>
> You might also consider looking at the bugzilla package currently making
> its way through the Fedora Extras review process:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188359
>
> This probably doesn't include any SELinux support (at least not yet),
> but might be better to use from a maintainability standpoint.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
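A way to do the "deal with them all in one go" step without adding rules two or three at a time, as an added example that is not part of this thread: a small Python script that collapses the AVC denials quoted above into one allow rule per (source type, target type, object class), which is roughly what audit2allow does for you. The log input is the four denial lines from the thread, embedded here as constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC denials quoted in the thread, as
# they appear in /var/log/messages on FC5 (one kernel audit record per line).
SAMPLE_LOG = """\
May 11 18:11:05 bugzilla kernel: audit(1147389065.041:16): avc:  denied  { read } for  pid=19398 comm="index.cgi" name="resolv.conf" dev=md1 ino=1106152 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:17): avc:  denied  { create } for  pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:18): avc:  denied  { create } for  pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:19): avc:  denied  { shutdown } for  pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
"""

# Permissions in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(log_text):
    """Yield (source_type, target_type, tclass, {perms}) for each denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = m.group("scontext").split(":")[2]   # context is user:role:TYPE:level
        tgt = m.group("tcontext").split(":")[2]
        yield src, tgt, m.group("tclass"), set(m.group("perms").split())

def aggregate_rules(log_text):
    """Merge repeated denials into one allow rule per (src, tgt, class).

    A target context equal to the source context becomes 'self', as in
    policy language. Review each emitted rule before loading it: here the
    net_conf_t read plus udp_socket create is a DNS lookup from the CGI, so
    the real question is whether the script should need that access at all.
    """
    rules = defaultdict(set)
    for src, tgt, tclass, perms in parse_avc(log_text):
        tgt = "self" if tgt == src else tgt
        rules[(src, tgt, tclass)] |= perms
    return {
        key: "allow %s %s:%s { %s };" % (key[0], key[1], key[2], " ".join(sorted(perms)))
        for key, perms in rules.items()
    }

if __name__ == "__main__":
    for rule in aggregate_rules(SAMPLE_LOG).values():
        print(rule)
```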




More information about the fedora-selinux-list mailing list