Bugzilla's AVC: denied

Daniel J Walsh dwalsh at redhat.com
Mon Jul 2 18:14:42 UTC 2007


Pedro Silva wrote:
> I'm using Bugzilla from the Fedora repository in a F7 system.
> These are the AVC: denied I got so far.
>
> type=AVC msg=audit(1182965584.648:92): avc:  denied  { read } for  pid=3437 comm="index.cgi" name="resolv.conf" dev=dm-0 ino=1211246 scontext=root:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>
Any idea why bugzilla is reading resolv.conf?  Is it trying to 
translate a UID?
> type=AVC msg=audit(1182965584.648:93): avc:  denied  { create } for  pid=3437 comm="index.cgi" scontext=root:system_r:httpd_bugzilla_script_t:s0 tcontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=udp_socket
Why is it trying to create a udp socket?
>
> type=AVC msg=audit(1183036604.813:648): avc:  denied  { read write } for  pid=16313 comm="sendmail" name="[335348]" dev=sockfs ino=335348 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_bugzilla_script_t:s0 tclass=unix_stream_socket
This looks potentially like a leaked file descriptor?  Or is sendmail 
reading and writing to a unix_stream_socket created by the bugzilla cgi?

Could you run this in permissive mode to gather all of the AVC messages?
>
> This last one is the only one that keeps happening after the initial 
> configuration.
>
> Bugzilla seems to work just fine; no mail notification seems to be lost.
>
> The mailer in this system is Postfix.
>
> I think Bugzilla is trying to create a file in /var/lib/bugzilla/data 
> without success.



