Bug 966321
| Summary: | SELinux is preventing /usr/bin/perl from 'write' accesses on the file /var/www/html/bugzilla/data/db/bugs. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Moez Roy <moez.roy> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 18 | CC: | dominick.grift, dwalsh, mgrepl, moez.roy |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:7af975850e189fb3e298e5e26eca6ed091e7f4a232021a09ae7ac78ae0cdabe9 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-05-28 09:07:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The alert tells you what to do. Either you can change labeling to httpd_sys_rw_content_t or you can turn on the httpd_unified boolean. What does # rpm -qf /var/www/html/bugzilla/data/db *** Bug 966322 has been marked as a duplicate of this bug. *** *** Bug 966323 has been marked as a duplicate of this bug. *** (In reply to Miroslav Grepl from comment #2) > What does > > # rpm -qf /var/www/html/bugzilla/data/db This was not installed using rpm/yum because it puts the data any lots of places, and it is not up to date. I changed the labeling to httpd_sys_rw_content_t but it did not work. http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-4.4.tar.gz 1. extracted to home dir. 2. ran ./checksetup.pl as root (it was not working as regular user) 3. renamed folder bugzilla-4.4 to bugzilla. 4. cut and paste bugzilla folder to /var/www/html 5. in /etc/httpd/conf.d make a file called bugzilla.conf with the following code: <Directory /var/www/html/bugzilla> AddHandler cgi-script .cgi Options +ExecCGI DirectoryIndex index.cgi index.html AllowOverride Limit FileInfo Indexes Options </Directory> 6. sudo service httpd start 7. Go here http://localhost/bugzilla What was wrong with httpd_sys_rw_content_t? I did this:(In reply to Miroslav Grepl from comment #6) > What was wrong with httpd_sys_rw_content_t? I did: sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/bugzilla/data/db/bugs' sudo restorecon -v '/var/www/html/bugzilla/data/db/bugs' I also checked the auto relabel on reboot box inside the system-config-selinux gui, and did a reboot. But I was getting 500 internal server error and/or 403 forbidden. When I turned on httpd_unified boolean then it started to work in enforcing mode. Probably httpd_sys_rw_content_t is also needed for /var/www/html/bugzilla/data directory. You can test it using # chcon -R -t httpd_sys_rw_content_t /var/www/html/bugzilla/data Yes, it can be allowed by the boolean. |
Description of problem: SELinux is preventing /usr/bin/perl from 'write' accesses on the file /var/www/html/bugzilla/data/db/bugs. ***** Plugin httpd_write_content (92.2 confidence) suggests **************** If you want to allow perl to have write access on the bugs file Then you need to change the label on '/var/www/html/bugzilla/data/db/bugs' Do # semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/bugzilla/data/db/bugs' # restorecon -v '/var/www/html/bugzilla/data/db/bugs' ***** Plugin catchall_boolean (7.83 confidence) suggests ******************* If you want to unify HTTPD handling of all content files. Then you must tell SELinux about this by enabling the 'httpd_unified' boolean. You can read 'httpd_selinux' man page for more details. Do setsebool -P httpd_unified 1 ***** Plugin catchall (1.41 confidence) suggests *************************** If you believe that perl should be allowed write access on the bugs file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep buglist.cgi /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:httpd_sys_content_t:s0 Target Objects /var/www/html/bugzilla/data/db/bugs [ file ] Source buglist.cgi Source Path /usr/bin/perl Port <Unknown> Host (removed) Source RPM Packages perl-5.16.3-244.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-96.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-05-22 21:14:06 PDT Last Seen 2013-05-22 21:14:06 PDT Local ID 0a97bcb3-933e-431b-b7bc-67e6da616c38 Raw Audit Messages type=AVC msg=audit(1369282446.442:379): avc: denied { write } for pid=2267 comm="buglist.cgi" name="bugs" dev="sda2" ino=1575915 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file type=SYSCALL msg=audit(1369282446.442:379): arch=x86_64 syscall=open success=yes exit=ESRCH a0=445c040 a1=80042 a2=1a4 a3=7fff420d71d0 items=0 ppid=2164 pid=2267 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=buglist.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_t:s0 key=(null) Hash: buglist.cgi,httpd_t,httpd_sys_content_t,file,write audit2allow #============= httpd_t ============== #!!!! This avc can be allowed using the boolean 'httpd_unified' allow httpd_t httpd_sys_content_t:file write; audit2allow -R require { type httpd_t; } #============= httpd_t ============== apache_manage_sys_content(httpd_t) Additional info: hashmarkername: setroubleshoot kernel: 3.9.2-200.fc18.x86_64 type: libreport