Bug 429879

Summary: AVC denied with bugzilla on epel-5
Product: [Fedora] Fedora EPEL
Reporter: Tony Molloy <tony.molloy>
Component: bugzilla
Assignee: John Berninger <john>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: el5
CC: dwalsh, herrold, itamar, mastahnke, tony.molloy
Hardware: i386
OS: Linux
Whiteboard: ActualBug
Doc Type: Bug Fix
Last Closed: 2009-07-28 10:46:12 UTC

Description Tony Molloy 2008-01-23 16:20:06 UTC
Description of problem:

When I install bugzilla from epel-5 on CentOS-5 I get the following AVC denied
message.

Version-Release number of selected component (if applicable):

bugzilla-3.0.2-0.el5

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:

From setroubleshoot

Summary
    SELinux prevented httpd reading and writing access to http files.

Detailed Description
    SELinux prevented httpd reading and writing access to http files. Ordinarily
    httpd is allowed full access to all files labeled with http file context.
    This machine has a tightened security policy with the httpd_unified turned
    off,  This requires explicit labeling of all files.  If a file is a cgi
    script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
    executed.  If it is read only content, it needs to be labeled
    httpd_TYPE_content_t, it is writable content. it needs to be labeled
    httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
    command to change these context.  Please refer to the man page "man
    httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
    refers toi one of "sys", "user" or "staff" or potentially other script
    types.

Allowing Access
    Changing the "httpd_unified" boolean to true will allow this access:
    "setsebool -P httpd_unified=1"

    The following command will allow this access:
    setsebool -P httpd_unified=1
Additional Information        

Source Context                root:system_r:httpd_bugzilla_script_t
Target Context                root:object_r:httpd_tmp_t
Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_unified
Host Name                     richmond.csis.ul.ie
Platform                      Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1 SMP
                              Fri Nov 30 00:45:16 EST 2007 i686 i686
Alert Count                   21

Raw Audit Messages            

avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48
exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429 pid=12090
scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48


Expected results:


Additional info:

I get a couple of other AVC messages but all seem to refer to the /tmp directory.

For instance
Raw Audit Messages            

avc: denied { read, write } for comm="userprefs.cgi" dev=sda6 egid=48 euid=48
exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429 pid=12961
scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
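
An added example, not part of the original report or of setroubleshoot: a Python parser that decodes the hex-encoded path= value in the raw AVC records above and groups denials by source type, target type, class and permissions, so repeated alerts collapse to the single access actually being denied. The sample records are abridged from the two in the report with the wrapped path value rejoined; the function names and the ENCODED_FIELDS set are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two raw records from the report, abridged, with the
# wrapped path= value rejoined into one token.
PATH_HEX = ("2F746D702F2E4E5350522D41464D2D363830362D"
            "393735323063382E30202864656C6574656429")

def sample_record(comm, pid):
    return (f'avc: denied {{ read, write }} for comm="{comm}" dev=sda6 egid=48 '
            f'exe="/usr/bin/perl" exit=0 path={PATH_HEX} pid={pid} '
            'scontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=file '
            'tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48')

SAMPLE_LOG = [sample_record("index.cgi", 12090),
              sample_record("userprefs.cgi", 12961)]

# The audit system writes a string field unquoted and hex-encoded when it
# contains a space, quote or control character. Numeric fields such as egid=48
# are never encoded, so decoding is limited to string fields (assumed subset).
ENCODED_FIELDS = {"path", "comm", "exe", "name", "cwd"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def decode_value(key, raw):
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]                      # quoted: literal string
    if key in ENCODED_FIELDS and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw                                # numbers, "(none)", contexts

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = PERMS_RE.search(line)
    rec = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
    if not m or not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    # setroubleshoot prints "read, write"; audit.log prints "read write".
    rec["perms"] = tuple(sorted(p for p in re.split(r'[,\s]+', m.group(1)) if p))
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def group_denials(lines):
    """Map (source type, target type, class, perms) -> {(comm, path), ...}."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["source_type"], rec["target_type"], rec["tclass"], rec["perms"])
        groups[key].add((rec["comm"], rec.get("path", "")))
    return dict(groups)
```

On the sample, both CGI scripts fall into one group: httpd_bugzilla_script_t denied read and write on a file labeled httpd_tmp_t, with the decoded path matching the "Target Objects" line of the alert.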

Comment 1 Itamar Reis Peixoto 2009-07-28 03:42:48 UTC
Hi, do you still have these problems?

Can you give more details?

Comment 2 Tony Molloy 2009-07-28 07:04:42 UTC
That bug was reported 18 months ago. I've done several upgrades since then and sorted out the problem with the help of Daniel Walshe.

Comment 3 Itamar Reis Peixoto 2009-07-28 10:46:12 UTC
I am sorry. If you have more problems, please open a new bug and I will try to help.

Comment 4 Tony Molloy 2009-07-28 12:03:33 UTC
No problem. I have the latest Bugzilla working now with CentOS 5.3. It was just a matter of setting the right contexts for the files.