AVC denial with bugzilla from epel

Rahul Sundaram sundaram at fedoraproject.org
Wed Jan 23 12:17:54 UTC 2008


Tony Molloy wrote:
> Hi,
> 
> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm getting the 
> following AVC denied message:
> 
> Summary
>     SELinux prevented httpd reading and writing access to http files.
> 
> Detailed Description
>     SELinux prevented httpd reading and writing access to http files. Ordinarily
>     httpd is allowed full access to all files labeled with http file context.
>     This machine has a tightened security policy with the httpd_unified turned
>     off,  This requires explicit labeling of all files.  If a file is a cgi
>     script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
>     executed.  If it is read only content, it needs to be labeled
>     httpd_TYPE_content_t, it is writable content. it needs to be labeled
>     httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
>     command to change these context.  Please refer to the man page "man
>     httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
>     refers toi one of "sys", "user" or "staff" or potentially other script
>     types.
> 
> Allowing Access
>     Changing the "httpd_unified" boolean to true will allow this access:
>     "setsebool -P httpd_unified=1"
> 
>     The following command will allow this access:
>     setsebool -P httpd_unified=1
> 
> Additional Information        
> 
> Source Context                root:system_r:httpd_bugzilla_script_t
> Target Context                root:object_r:httpd_tmp_t
> Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
> Affected RPM Packages         
> Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.httpd_unified
> Host Name                     richmond.csis.ul.ie
> Platform                      Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1 SMP Fri Nov 30 00:45:16 EST 2007 i686 i686
> Alert Count                   21
> Line Numbers                  
> 
> 
> Raw Audit Messages            
> 
> avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48
> exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 
> path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429 pid=12090
> scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
> subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
> tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
> 
> This seems to be a denial to r/w a file in /tmp
> 
> I can generate a local policy to allow this access with audit2allow but what 
> is the correct way to handle this?

The answer was within the report itself

#  setsebool -P httpd_unified=1

Rahul
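As an added example (not code from either poster), here is a small parser for the raw audit message quoted above. The point it illustrates is that the kernel hex-encodes the `path` field when the value contains a space, which is why the deleted NSPR temp file shows up as a hex string; decoding it, and pulling out the source type, target type, object class and permission set, is what you need before deciding between a boolean change and an audit2allow module. The sample line is constructed from the message in the thread with the extraction line breaks joined.

```python
import re
from typing import Dict, List

# Constructed from the raw audit message quoted in the thread above,
# with the line breaks that the mail/extraction inserted joined back up.
SAMPLE_AVC = (
    'avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48 '
    'exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 '
    'path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429 '
    'pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48 '
    'subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file '
    'tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48'
)

# Fields the audit subsystem emits as unquoted uppercase hex when the value
# holds a space, quote or control character (here: the " (deleted)" suffix).
HEX_FIELDS = {"path", "comm", "exe", "name", "cwd"}
_PERMS = re.compile(r"\{\s*([^}]*)\}")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_value(key: str, raw: str) -> str:
    """Strip quotes from a quoted value; hex-decode an unquoted hex-capable field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def _type_of(context: str) -> str:
    """Return the type component (user:role:type:level) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line: str) -> Dict[str, object]:
    """Parse one AVC record into the pieces needed to reason about the denial."""
    m = _PERMS.search(line)
    perms: List[str] = [p.strip() for p in m.group(1).split(",")] if m else []
    fields = {k: decode_value(k, v) for k, v in _FIELD.findall(line)}
    return {
        "denied": line.lstrip().startswith("avc: denied"),
        "perms": perms,                                   # e.g. ['read', 'write']
        "source_type": _type_of(fields.get("scontext", "")),  # httpd_bugzilla_script_t
        "target_type": _type_of(fields.get("tcontext", "")),  # httpd_tmp_t
        "tclass": fields.get("tclass", ""),
        "path": fields.get("path", ""),                   # decoded, human readable
        "comm": fields.get("comm", ""),
    }

if __name__ == "__main__":
    print(parse_avc(SAMPLE_AVC))
```

The decoded path shows the object was an NSPR temporary file that had already been unlinked, so the rule in question is script-type access to `httpd_tmp_t`, which is exactly the case the `httpd_unified` boolean in the report covers.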
