Adjusting FC4 targeted policy to fix avc errors on bugzilla cgi scripts?
Graham King
selinux at tremagi.org.uk
Fri Jan 13 12:54:47 UTC 2006

Please can you help with my first, naive, attempt to fix an selinux
problem?

Following a recent yum update of a Fedora Core 4 machine, bugzilla no
longer works.

audit.log contained:

    avc: denied { execute_no_trans } for pid=811 comm="httpd"
    name="index.cgi" dev=dm-3 ino=227397 scontext=root:system_r:httpd_t
    tcontext=root:object_r:httpd_sys_content_t tclass=file

sestatus outputs:

    ...
    httpd_enable_cgi active
    ...

But ls -Z /var/www/html/bugzilla-2.18.3/index.cgi showed that file to be
of type httpd_sys_content_t, so I inferred that it needed to be changed
to httpd_sys_script_exec_t.

In order for the change to persist across relabelling events, I first
tried to alter the policy by adding the following line
to /etc/linux/targetted/src/policy/file_contexts/file_contexts:

    /var/www/html/bugzilla-[^/]*/[^/]*\.cgi -- system_u:object_r:httpd_sys_script_exec_t

and then ran:

    cd /etc/linux/targetted/src/policy
    make reload
    make relabel

( first with setenforce 1, then with setenforce 0 )

The ls -Z output was unchanged, so I then ran:

    chcon -t httpd_sys_script_exec_t /var/www/html/bugzilla-2.18.3/index.cgi

audit.log is however still showing the same error (adjusted for the new
tcontext type).
What am I doing wrong?

kind regards
-- Graham King
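
Added example, not part of the original post and not code from the SELinux project: a Python check that parses the AVC denial and the file_contexts entry quoted above and reports whether the entry would assign a different type to the script than the one in the denial. The function names are hypothetical; it assumes file_contexts regexes are anchored to the whole path and that `--` limits an entry to regular files.

```python
import re

# Constructed from the denial and the file_contexts entry quoted in the post.
AVC = ('avc: denied { execute_no_trans } for pid=811 comm="httpd" '
       'name="index.cgi" dev=dm-3 ino=227397 scontext=root:system_r:httpd_t '
       'tcontext=root:object_r:httpd_sys_content_t tclass=file')
SPEC = (r'/var/www/html/bugzilla-[^/]*/[^/]*\.cgi -- '
        'system_u:object_r:httpd_sys_script_exec_t')
PATH = '/var/www/html/bugzilla-2.18.3/index.cgi'

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields['perms'] = re.search(r'\{([^}]*)\}', line).group(1).split()
    # A context is user:role:type[:level]; the type is the third field.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def parse_spec(line):
    """Parse one 'regex [file-type] context' entry from file_contexts."""
    parts = line.split()
    ftype = parts[1] if len(parts) == 3 else None  # '--' means regular file
    return parts[0], ftype, parts[-1]

def expected_type(spec_line, path, is_regular_file=True):
    """Type the entry assigns to path, or None if the entry does not apply."""
    regex, ftype, context = parse_spec(spec_line)
    if ftype == '--' and not is_regular_file:
        return None
    # Assumption: the regex must match the entire path, not a prefix.
    if re.fullmatch(regex, path) is None:
        return None
    return context.split(':')[2]

def check(avc_line, spec_line, path):
    """Compare the type seen in the denial with the type the entry assigns."""
    avc = parse_avc(avc_line)
    want = expected_type(spec_line, path)
    return {'perms': avc['perms'], 'domain': avc['stype'],
            'current': avc['ttype'], 'expected': want,
            'needs_relabel': want is not None and want != avc['ttype']}

if __name__ == '__main__':
    print(check(AVC, SPEC, PATH))
```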