selinux preventing Bugzilla on FC5
Paul Howarth
paul at city-fan.org
Thu May 11 22:54:20 UTC 2006
On Thu, 2006-05-11 at 17:41 -0500, James Garrison wrote:
> Objective: Run bugzilla on FC5
> Problem: selinux is getting in the way
>
> First I had to change the file context for all of Bugzilla
> to httpd_sys_content_t, and the .cgi components to
> httpd_sys_script_exec_t. Next, I get the following when
> Bugzilla tries to open a tcp socket to talk to the database:
>
> > May 11 16:26:34 bugzilla kernel: audit(1147382794.700:3): avc:
> > denied { create } for pid=18527 comm="index.cgi"
> > scontext=user_u:system_r:httpd_sys_script_t:s0
> > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
>
> No problem, according to the FAQ, just make a local module with audit2allow
> and install it with semodule. Here's what actually happens:
>
> > [jhg at bugzilla ~]$ audit2allow -M local < avc.dat
> > Generating type enforcment file: local.te
> > Compiling policy
> > checkmodule -M -m -o local.mod local.te
> > semodule_package -o local.pp -m local.mod
> >
> > ******************** IMPORTANT ***********************
> >
> > In order to load this newly created policy package into the kernel,
> > you are required to execute
> >
> > semodule -i local.pp
> >
> >
> > [jhg at bugzilla ~]$ sudo semodule -i local.pp
> > semodule: Could not read file 'local.pp':
> > [jhg at bugzilla ~]$ ls local*
> > local.mod local.pp local.te
> > [jhg at bugzilla ~]$
>
> The problem is that semodule is not being allowed to read local.pp
> by selinux itself:
>
> > May 11 17:36:53 bugzilla kernel: audit(1147387013.477:14): avc:
> > denied { search } for pid=19191 comm="semodule" name="root" dev=md1
> > ino=942849 scontext=user_u:system_r:semanage_t:s0
> > tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
Try this:
Move the files you've used for this process (the .te/.pp files etc.) to
a new, empty directory (I used /root/selinux.local) and change to that
directory. Then do:
# chcon -Rh -t usr_t .
Then try the semanage command again.
Paul.
More information about the fedora-selinux-list
mailing list