AVC denial with bugzilla from epel

Tony Molloy tony.molloy at ul.ie
Wed Jan 23 11:40:36 UTC 2008 

Hi,

I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm getting the 
following AVC denied message:

Summary
    SELinux prevented httpd reading and writing access to http files.

Detailed Description
    SELinux prevented httpd reading and writing access to http files. 
Ordinarily
    httpd is allowed full access to all files labeled with http file context.
    This machine has a tightened security policy with the httpd_unified turned
    off,  This requires explicit labeling of all files.  If a file is a cgi
    script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
    executed.  If it is read only content, it needs to be labeled
    httpd_TYPE_content_t, it is writable content. it needs to be labeled
    httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
    command to change these context.  Please refer to the man page "man
    httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
    refers toi one of "sys", "user" or "staff" or potentially other script
    types.

Allowing Access
    Changing the "httpd_unified" boolean to true will allow this access:
    "setsebool -P httpd_unified=1"

    The following command will allow this access:
    setsebool -P httpd_unified=1

Additional Information        

Source Context                root:system_r:httpd_bugzilla_script_t
Target Context                root:object_r:httpd_tmp_t
Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_unified
Host Name                     richmond.csis.ul.ie
Platform                      Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1 
SMP
                              Fri Nov 30 00:45:16 EST 2007 i686 i686
Alert Count                   21
Line Numbers                  


Raw Audit Messages            

avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48
exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 
path=2F746D702F2E4E5
350522D41464D2D363830362D393735323063382E30202864656C6574656429 pid=12090
scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48

This seems to a denial to r/w a file in /tmp

I can generate a local policy to allow this access with audit2allow but what 
is the correct way to handle this.

Regards,

Tony

More information about the fedora-selinux-list mailing list