Description of problem: I installed bugzilla on my system and configured it. After restarting mysqld and httpd and logging into my by bugzilla I started getting these selinux alerts regarding perl accessing the cpu directory. SELinux is preventing /usr/bin/perl from 'read' accesses on the directory cpu. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that perl should be allowed read access on the cpu directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_bugzilla_script_t:s0 Target Context system_u:object_r:sysfs_t:s0 Target Objects cpu [ dir ] Source index.cgi Source Path /usr/bin/perl Port <Unknown> Host (removed) Source RPM Packages perl-5.16.3-265.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-65.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.9.9-302.fc19.x86_64 #1 SMP Sat Jul 6 13:41:07 UTC 2013 x86_64 x86_64 Alert Count 11 First Seen 2013-07-24 17:57:04 PDT Last Seen 2013-07-24 18:06:34 PDT Local ID 2cc3a8f6-0518-4d19-adb0-bb3b0c4f434a Raw Audit Messages type=AVC msg=audit(1374714394.623:7331): avc: denied { read } for pid=24770 comm="buglist.cgi" name="cpu" dev="sysfs" ino=37 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir type=SYSCALL msg=audit(1374714394.623:7331): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=369837bb18 a2=90800 a3=0 items=0 ppid=22768 pid=24770 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=buglist.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null) Hash: index.cgi,httpd_bugzilla_script_t,sysfs_t,dir,read Additional info: reporter: libreport-2.1.5 hashmarkername: setroubleshoot kernel: 3.9.9-302.fc19.x86_64 type: libreport
Added. a15ba25d440094e06aaedb607db32bd2f5a2ee38
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19
Could someone please update this bug to explain what the solution was? Telling me it's been fixed isn't very helpful.
Basically bugzilla is now allowed to list the contents of /sys You should no longer see this AVC
Package selinux-policy-3.12.1-69.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
commit a15ba25d440094e06aaedb607db32bd2f5a2ee38 Author: Miroslav Grepl <mgrepl> Date: Thu Jul 25 14:44:59 2013 +0200 Allow buglist.cgi to read cpu info
I installed the update today and have not seen any selinux alerts.