Selinux and Reviewboard

Daniel J Walsh dwalsh at redhat.com
Wed Nov 4 14:43:21 UTC 2009 

On 11/03/2009 11:14 AM, Vadym Chepkov wrote:
> Hi,
> 
> I am trying to install ReviewBoard (www.reviewboard.org) on selinux enabled server and there are a lot of problems so far. I wonder if anybody have the policy they could share. I got to the point where I get these:
> 
> time->Tue Nov  3 16:06:41 2009
> type=SYSCALL msg=audit(1257264401.953:9042): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=20d4b0 a2=5 a3=802 items=0 ppid=3448 pid=3450 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1257264401.953:9042): avc:  denied  { execute } for  pid=3450 comm="httpd" path="/var/www/reviews/tmp/egg_cache/MySQL_python-1.2.3c1-py2.4-linux-x86_64.egg-tmp/_mysql.so" dev=sda1 ino=378349 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
> ----
> time->Tue Nov  3 16:06:41 2009
> type=SYSCALL msg=audit(1257264401.553:9041): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=205848 a2=5 a3=802 items=0 ppid=3448 pid=3450 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1257264401.553:9041): avc:  denied  { execute } for  pid=3450 comm="httpd" path="/var/www/reviews/tmp/egg_cache/cmemcache-0.95-py2.4-linux-x86_64.egg-tmp/_cmemcache.so" dev=sda1 ino=378290 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
> 
> As far as I understand the code creates dynamic libraries which it tries to execute later. I obviously need to handle this carefully, so I need an expert advise. Thank you.
> 
> Sincerely yours,
>   Vadym Chepkov
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
This looks like it was created in /tmp and mv'd to this directory?

The label of this directory should be 

/var/www/reviews/tmp/egg_cache/MySQL_python-1.2.3c1-py2.4-linux-x86_64.egg-tmp/_mysql.so

# /usr/sbin/matchpathcon /var/www/reviews/tmp/egg_cache/MySQL_python-1.2.3c1-py2.4-linux-x86_64.egg-tmp/_mysql.so
/var/www/reviews/tmp/egg_cache/MySQL_python-1.2.3c1-py2.4-linux-x86_64.egg-tmp/_mysql.so	system_u:object_r:httpd_sys_content_t:s0


It should definitely not be tmp_t.

More information about the fedora-selinux-list mailing list