FC5, Apache, Bugzilla, SELinux issues

R Edmonds redmonds98 at googlemail.com
Thu Jan 4 14:24:07 UTC 2007


Greetings out there in Penguin-land!

I'm going through the rather painful process of installing Bugzilla on an
SELinux FC5 box. I'm almost there now, I think, however I'm trying to add a
local policy to SELinux for allowing Apache to execute .cgi scripts, and
have hit a brick wall.

When I try to hit the Bugzilla page from a browser on the network I get
this:

tail -f /var/log/messages output:

kernel: audit(1167911234.610:20): avc:  denied  { execute_no_trans } for
pid=28833 comm="httpd" name=" index.cgi" dev=dm-0 ino=34931972
scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file

So, following the guide in the Fedora docs here
<http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385>, I generated a
local.te using *audit2allow -m local -l -i /var/log/messages > local.te*,
compiled it using *checkmodule -M -m -o local.mod local.te*, packaged it
using *semodule_package -o local.pp -m local.mod*, then attempted to add it
to the current running policy using *semodule -i local.pp*. This point is
where I get stuck. I'm seeing this output when I execute the command:

tail -f /var/log/messages output:

Jan  4 11:56:13 svn kernel: security:  3 users, 6 roles, 1481 types, 152
bools, 1 sens, 256 cats
Jan  4 11:56:13 svn kernel: security:  58 classes, 43474 rules
Jan  4 11:56:13 svn dbus: Can't send to audit system: USER_AVC avc:
received policyload notice (seqno=7) : exe="?" (sauid=81, hostname=?,
addr=?, terminal=?)
Jan  4 11:56:13 svn dbus: Can't send to audit system: USER_AVC avc:  0 AV
entries and 0/512 buckets used, longest chain length 0 : exe="?" (sauid=81,
hostname=?, addr=?, terminal=?)
Jan  4 11:56:13 svn kernel: audit( 1167911773.820:21): policy loaded
auid=4294967295

After looking around, I saw on this mailing list that this might be a bug in
SELinux-Policy that was fixed in version 2.3.14-3. Yum doesn't seem to know
about this newer version. Am I barking up the wrong tree?
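
As an added example (not part of the original post, and not audit2allow's own code), this Python script shows how the AVC denial quoted above maps to the allow rule that a generated local.te carries. The function names and the exact layout of the rendered module are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The AVC denial quoted in the post, rejoined onto one line (mail wrapping removed).
SAMPLE_LOG = (
    'kernel: audit(1167911234.610:20): avc:  denied  { execute_no_trans } for '
    'pid=28833 comm="httpd" name=" index.cgi" dev=dm-0 ino=34931972 '
    'scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 '
    'tclass=file'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; policy rules are written on the type.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {'perms': m.group(1).split(), 'source': source, 'target': target,
            'tclass': tclass, 'comm': fields.get('comm'), 'name': fields.get('name')}

def build_module(lines, name='local', version='1.0'):
    """Merge all denials found in `lines` into allow rules and render a .te module."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    types = sorted({t for s, tgt, _ in rules for t in (s, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f'allow {s} {t}:{c} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_module([SAMPLE_LOG]))
```

The rule derived from this denial covers every file labelled usr_t, not only the index.cgi named in the log line, so local.te is worth reading before it is loaded.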