
Re: selinux preventing Bugzilla on FC5



Paul Howarth wrote:
On Thu, 2006-05-11 at 18:21 -0500, James Garrison wrote:
The continuing saga....

May 11 18:11:05 bugzilla kernel: audit(1147389065.041:16): avc: denied { read } for pid=19398 comm="index.cgi" name="resolv.conf" dev=md1 ino=1106152 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:17): avc: denied { create } for pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:18): avc: denied { create } for pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:19): avc: denied { shutdown } for pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket

It seems like I'm just going to have to keep trying and adding new
allow rules, 2 or 3 at a time, until I've hit everything not allowed
by selinux.  Surely I'm not the first person to try to get Bugzilla
running on FC5?

Is there a better way to do this than trial and error?


The latest policy will allow semodule to read users' home directories also, since this bug seems to be coming up often.
Please send me your final policy files when you have it working.

You could put SELinux in permissive mode:

# setenforce 0

then run bugzilla and get all of the SELinux denials logged, so you can
deal with them all in one go. Then turn enforcing mode back on:

# setenforce 1

You might also consider looking at the bugzilla package currently making
its way through the Fedora Extras review process:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188359

This probably doesn't include any SELinux support (at least not yet),
but might be better to use from a maintainability standpoint.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
