selinux preventing Bugzilla on FC5

Paul Howarth paul at city-fan.org
Thu May 11 22:54:20 UTC 2006


On Thu, 2006-05-11 at 17:41 -0500, James Garrison wrote:
> Objective:   Run bugzilla on FC5
> Problem:     selinux is getting in the way
> 
> First I had to change the file context for all of Bugzilla
> to httpd_sys_content_t, and the .cgi components to
> httpd_sys_script_exec_t.  Next, I get the following when
> Bugzilla tries to open a tcp socket to talk to the database:
> 
> > May 11 16:26:34 bugzilla kernel: audit(1147382794.700:3): avc:  
> > denied  { create } for  pid=18527 comm="index.cgi" 
> > scontext=user_u:system_r:httpd_sys_script_t:s0 
> > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
> 
> No problem, according to the FAQ, just make a local module with audit2allow
> and install it with semodule.  Here's what actually happens:
> 
> > [jhg at bugzilla ~]$ audit2allow -M local < avc.dat
> > Generating type enforcment file: local.te
> > Compiling policy
> > checkmodule -M -m -o local.mod local.te
> > semodule_package -o local.pp -m local.mod
> >
> > ******************** IMPORTANT ***********************
> >
> > In order to load this newly created policy package into the kernel,
> > you are required to execute
> >
> > semodule -i local.pp
> >
> >
> > [jhg at bugzilla ~]$ sudo semodule -i local.pp
> > semodule:  Could not read file 'local.pp':
> > [jhg at bugzilla ~]$ ls local*
> > local.mod  local.pp  local.te
> > [jhg at bugzilla ~]$
> 
> The problem is that semodule is not being allowed to read local.pp
> by selinux itself:
> 
> > May 11 17:36:53 bugzilla kernel: audit(1147387013.477:14): avc:  
> > denied  { search } for  pid=19191 comm="semodule" name="root" dev=md1 
> > ino=942849 scontext=user_u:system_r:semanage_t:s0 
> > tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

Try this:

Move the files you've used for this process (the .te/.pp files etc.) to
a new, empty directory (I used /root/selinux.local) and change to that
directory. Then do:

# chcon -Rh -t usr_t .

Then try the semanage command again.

Paul.
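The two steps in this thread, James's audit2allow/semodule run and Paul's relabelled working directory, as one shell script. This is an added example, not code from either poster or from the Fedora policy tools. The `avc_to_allow` function is a small stand-in for what `audit2allow` does with a single denial line (print the allow rule so it can be read before it is loaded); the two AVC lines it is fed are the ones quoted above. `install_local_module` performs Paul's workaround (move the module files to a fresh directory, `chcon -Rh -t usr_t`, then `semodule -i`) and only makes sense on a machine with the SELinux userland, so the script does not call it by itself. The function names and the `/root/selinux.local` argument are assumptions for illustration; the directory name is the one Paul used.

```bash
#!/bin/bash
# Added example for the fedora-selinux-list thread above; not code from the thread.

# avc_to_allow LINE
#   Print the allow rule audit2allow would generate for one "avc: denied" line:
#   "allow SRC_TYPE TGT_TYPE:CLASS PERMS;" with TGT_TYPE written as "self" when
#   source and target types match, and several permissions wrapped in braces.
#   Pure sed, so it runs without SELinux present. Returns 1 on a non-AVC line.
avc_to_allow() {
    local line="$1" perms src tgt cls
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p')
    src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_0-9]*\).*/\1/p')
    # Re-split the permission list to trim and collapse the whitespace around it.
    set -- $perms
    perms="$*"
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    if [ "$src" = "$tgt" ]; then tgt=self; fi            # audit2allow writes "self" here
    case "$perms" in *' '*) perms="{ $perms }" ;; esac   # multiple perms get braces
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# install_local_module DIR FILE...
#   Paul's workaround: the policy package must live somewhere semanage_t may
#   read. A home directory (user_home_dir_t) is not such a place, so move the
#   .te/.mod/.pp files into a fresh directory, label it usr_t, and load from
#   there. Needs chcon/semodule, so this is not run in the offline demo below.
install_local_module() {
    local dir="$1"; shift
    mkdir -p "$dir" && mv "$@" "$dir"/ || return 1
    ( cd "$dir" &&
      chcon -Rh -t usr_t . &&
      ls -Z &&                      # every entry should now show ...:object_r:usr_t
      semodule -i local.pp )
}

# The two denials quoted in the thread (copied verbatim from the messages above).
AVC_TCP='May 11 16:26:34 bugzilla kernel: audit(1147382794.700:3): avc:  denied  { create } for  pid=18527 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket'
AVC_SEMODULE='May 11 17:36:53 bugzilla kernel: audit(1147387013.477:14): avc:  denied  { search } for  pid=19191 comm="semodule" name="root" dev=md1 ino=942849 scontext=user_u:system_r:semanage_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir'

# The first rule is the one James wants in local.te.
avc_to_allow "$AVC_TCP"        # -> allow httpd_sys_script_t self:tcp_socket create;
# The second is what audit2allow would produce for the semodule failure. Loading
# it would let the policy tooling into home directories; relabelling the working
# directory (install_local_module) is the fix the thread arrives at instead.
avc_to_allow "$AVC_SEMODULE"   # -> allow semanage_t user_home_dir_t:dir search;
```

On a real FC5 host the sequence would be `audit2allow -M local < avc.dat` as James ran it, then `install_local_module /root/selinux.local local.te local.mod local.pp`; reading the generated rule first, as `avc_to_allow` does for a single line, is the habit that keeps the second denial from being "fixed" by widening semanage_t.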

More information about the fedora-selinux-list mailing list