AVC denial with bugzilla from epel

Paul Howarth paul at city-fan.org
Wed Jan 23 14:12:50 UTC 2008


Rahul Sundaram wrote:
> Tony Molloy wrote:
>> Hi,
>>
>> I'm installing bugzilla from epel-5 onto a Centos-5 Server. I'm 
>> getting the following AVC denied message:
>>
>> Summary
>>     SELinux prevented httpd reading and writing access to http files.
>>
>> Detailed Description
>>     SELinux prevented httpd reading and writing access to http files. Ordinarily
>>     httpd is allowed full access to all files labeled with http file context.
>>     This machine has a tightened security policy with the httpd_unified turned
>>     off.  This requires explicit labeling of all files.  If a file is a cgi
>>     script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
>>     executed.  If it is read only content, it needs to be labeled
>>     httpd_TYPE_content_t; if it is writable content, it needs to be labeled
>>     httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
>>     command to change these contexts.  Please refer to the man page "man
>>     httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
>>     refers to one of "sys", "user" or "staff" or potentially other script
>>     types.
>>
>> Allowing Access
>>     Changing the "httpd_unified" boolean to true will allow this access:
>>     "setsebool -P httpd_unified=1"
>>
>>     The following command will allow this access:
>>     setsebool -P httpd_unified=1
>>
>> Additional Information
>> Source Context                root:system_r:httpd_bugzilla_script_t
>> Target Context                root:object_r:httpd_tmp_t
>> Target Objects                /tmp/.NSPR-AFM-6806-97520c8.0 (deleted) [ file ]
>> Affected RPM Packages
>> Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   plugins.httpd_unified
>> Host Name                     richmond.csis.ul.ie
>> Platform                      Linux richmond.csis.ul.ie 2.6.18-53.1.4.el5 #1 SMP
>>                               Fri Nov 30 00:45:16 EST 2007 i686 i686
>> Alert Count                   21
>> Line Numbers
>>
>> Raw Audit Messages
>> avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48
>> exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
>> path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429
>> pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48
>> subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file
>> tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
>>
>> This seems to be a denial to r/w a file in /tmp.
>>
>> I can generate a local policy to allow this access with audit2allow,
>> but what is the correct way to handle this?
> 
> The answer was within the report itself
> 
> #  setsebool -P httpd_unified=1

What's probably needed is for the bugzilla policy to have:

allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;
allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;
files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_script_rw_t, { dir file lnk_file sock_file fifo_file })

This is in line with existing policy for httpd_sys_script_t I believe 
(and what I'm using in the fastcgi policy in mod_fcgid-selinux). It 
should be possible to use bugzilla without having httpd_unified set.

Paul.
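As an added example (not part of the thread), a small Python parser for the raw AVC message quoted above: it hex-decodes the audit path field (audit encodes paths containing spaces as hex, which is why the "(deleted)" suffix turned the path into a hex string), pulls out the source and target types, and emits the rules Paul proposes only when the denial matches exactly that bugzilla-to-httpd_tmp_t pattern. The function names are mine; the sample line and the policy rules come from the messages above.

```python
import re

# Raw AVC message quoted in the thread above. The path is hex-encoded because it
# contains a space ("/tmp/.NSPR-AFM-6806-97520c8.0 (deleted)").
RAW_AVC = (
    'avc: denied { read, write } for comm="index.cgi" dev=sda6 egid=48 euid=48 '
    'exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 '
    'path=2F746D702F2E4E5350522D41464D2D363830362D393735323063382E30202864656C6574656429 '
    'pid=12090 scontext=root:system_r:httpd_bugzilla_script_t:s0 sgid=48 '
    'subj=root:system_r:httpd_bugzilla_script_t:s0 suid=48 tclass=file '
    'tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48'
)

# Fields the audit subsystem hex-encodes when they contain spaces or odd bytes.
HEX_FIELDS = {"path", "comm", "exe", "name"}
_PERMS_RE = re.compile(r"denied\s*\{\s*([^}]*)\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_audit_value(key, value):
    """Unquote a quoted value; hex-decode an unquoted value of a hex-encoded field."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def parse_avc(line):
    """Return the denied permissions and the source/target types of one AVC line."""
    avc = {k: decode_audit_value(k, v) for k, v in _FIELD_RE.findall(line)}
    perms = _PERMS_RE.search(line).group(1)
    avc["perms"] = [p for p in re.split(r"[\s,]+", perms.strip()) if p]
    # an SELinux context is user:role:type[:level]; the type is the third field
    avc["stype"] = avc["scontext"].split(":")[2]
    avc["ttype"] = avc["tcontext"].split(":")[2]
    return avc

def bugzilla_tmp_rules(avc):
    """Return the policy lines Paul proposes for exactly this denial pattern, or
    None so that an unrelated denial is not silently granted."""
    if (avc["stype"], avc["ttype"]) != ("httpd_bugzilla_script_t", "httpd_tmp_t"):
        return None
    if avc["tclass"] not in ("file", "dir"):
        return None
    return [
        "allow httpd_bugzilla_script_t httpd_tmp_t:dir manage_dir_perms;",
        "allow httpd_bugzilla_script_t httpd_tmp_t:file manage_file_perms;",
        "files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_script_rw_t, "
        "{ dir file lnk_file sock_file fifo_file })",
    ]

if __name__ == "__main__":
    parsed = parse_avc(RAW_AVC)
    print(parsed["path"], parsed["perms"], parsed["stype"], parsed["ttype"])
    print("\n".join(bugzilla_tmp_rules(parsed) or ["no matching rule"]))
```

The filetrans rule is what audit2allow would not give you: it moves new temp files into httpd_bugzilla_script_rw_t instead of widening access to everything in httpd_tmp_t.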