AVC denial with bugzilla from epel

Paul Howarth paul at city-fan.org
Fri Jan 25 00:13:07 UTC 2008 

On Thu, 24 Jan 2008 10:28:42 -0500
Daniel J Walsh <dwalsh at redhat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Paul Howarth wrote:
> > Rahul Sundaram wrote:
> >> Tony Molloy wrote:
> >>> Hi,
> >>>
> >>> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm
> >>> getting the following AVC denied message:
> >>>
> >>> Summary
> >>>     SELinux prevented httpd reading and writing access to http
> >>> files.
> >>>
> >>> Detailed Description
> >>>     SELinux prevented httpd reading and writing access to http
> >>> files. Ordinarily
> >>>     httpd is allowed full access to all files labeled with http
> >>> file context.
> >>>     This machine has a tightened security policy with the
> >>> httpd_unified turned
> >>>     off,  This requires explicit labeling of all files.  If a
> >>> file is a cgi
> >>>     script it needs to be labeled with httpd_TYPE_script_exec_t in
> >>> order to be
> >>>     executed.  If it is read only content, it needs to be labeled
> >>>     httpd_TYPE_content_t, it is writable content. it needs to be
> >>> labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can
> >>> use the chcon
> >>>     command to change these context.  Please refer to the man
> >>> page "man httpd_selinux" or
> >>> http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
> >>>     refers toi one of "sys", "user" or "staff" or potentially
> >>> other script
> >>>     types.
> >>>
> >>> Allowing Access
> >>>     Changing the "httpd_unified" boolean to true will allow this
> >>> access: "setsebool -P httpd_unified=1"
> >>>
> >>>     The following command will allow this access:
> >>>     setsebool -P httpd_unified=1
> >>>
> >>> Additional Information       Source Context               
> >>> root:system_r:httpd_bugzilla_script_t
> >>> Target Context                root:object_r:httpd_tmp_t
> >>> Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0
> >>> (deleted) [ file ]
> >>> Affected RPM Packages         Policy RPM                   
> >>> selinux-policy-2.4.6-106.el5_1.3
> >>> Selinux Enabled               True
> >>> Policy Type                   targeted
> >>> MLS Enabled                   True
> >>> Enforcing Mode                Enforcing
> >>> Plugin Name                   plugins.httpd_unified
> >>> Host Name                     richmond.csis.ul.ie
> >>> Platform                      Linux richmond.csis.ul.ie
> >>> 2.6.18-53.1.4.el5 #1 SMP
> >>>                               Fri Nov 30 00:45:16 EST 2007 i686
> >>> i686 Alert Count                   21
> >>> Line Numbers                
> >>> Raw Audit Messages           avc: denied { read, write } for
> >>> comm="index.cgi" dev=sda6 egid=48 euid=48
> >>> exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
> >>> path=2F746D702F2E4E5
> >>> 350522D41464D2D363830362D393735323063382E30202864656C6574656429
> >>> pid=12090
> >>> scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
> >>> subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
> >>> tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
> >>>
> >>> This seems to a denial to r/w a file in /tmp
> >>>
> >>> I can generate a local policy to allow this access with
> >>> audit2allow but what is the correct way to handle this.
> >>
> >> The answer was within the report itself
> >>
> >> #  setsebool -P httpd_unified=1
> > 
> > What's probably needed is for the bugzilla policy to have:
> > 
> > allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;
> > allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;
> > files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_script_rw_t,{
> > dir file lnk_file sock_file fifo_file })
> > 
> > This is in line with existing policy for httpd_sys_script_t I
> > believe (and what I'm using in the fastcgi policy in
> > mod_fcgid-selinux). It should be possible to use bugzilla without
> > having httpd_unified set.
> > 
> > Paul.
> > 
> > -- 
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Who is creating the httpd_tmp_t files?  Is this a cgi that should be
> labeled httpd_bugzilla_script_t.

Bugzilla is a perl CGI that is labelled httpd_bugzilla_script_exec_t I
believe and runs as httpd_bugzilla_script_t.

I'm not entirely sure what's happening in this case but I had an almost
exactly the same issue with httpd_fastcgi_script_t (policy in the
mod_fcgid-selinux package) when running the moin wiki (python-based)
using mod_fcgid, which runs the web app as a CGI. The problem I had was
creating attachments in the wiki, which generated the same sort of
failures. I noticed the following in the apache policy on Fedora:

# php uploads a file to /tmp and then execs programs to acton them
manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file
lnk_file sock_file fifo_file })


That looked very similar to the issue I had so I replicated this bit of
policy for httpd_fastcgi_script_t and indeed it fixed the problem. And
in fact I now see that the Fedora policy already has this:

manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file
dir })

So maybe this issue is already fixed in Fedora but not EPEL?

Paul.

More information about the fedora-selinux-list mailing list