selinux preventing Bugzilla on FC5

Paul Howarth paul at city-fan.org
Fri May 12 08:07:53 UTC 2006


On Thu, 2006-05-11 at 18:21 -0500, James Garrison wrote:
> The continuing saga....
> 
> > May 11 18:11:05 bugzilla kernel: audit(1147389065.041:16): avc:  
> > denied  { read } for  pid=19398 comm="index.cgi" name="resolv.conf" 
> > dev=md1 ino=1106152 scontext=user_u:system_r:httpd_sys_script_t:s0 
> > tcontext=system_u:object_r:net_conf_t:s0 tclass=file
> > May 11 18:11:05 bugzilla kernel: audit(1147389065.045:17): avc:  
> > denied  { create } for  pid=19398 comm="index.cgi" 
> > scontext=user_u:system_r:httpd_sys_script_t:s0 
> > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
> > May 11 18:11:05 bugzilla kernel: audit(1147389065.045:18): avc:  
> > denied  { create } for  pid=19398 comm="index.cgi" 
> > scontext=user_u:system_r:httpd_sys_script_t:s0 
> > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
> > May 11 18:11:05 bugzilla kernel: audit(1147389065.045:19): avc:  
> > denied  { shutdown } for  pid=19398 comm="index.cgi" 
> > scontext=user_u:system_r:httpd_sys_script_t:s0 
> > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
> 
> It seems like I'm just going to have to keep trying and adding new
> allow rules, 2 or 3 at a time, until I've hit everything not allowed
> by selinux.  Surely I'm not the first person to try to get Bugzilla
> running on FC5?
> 
> Is there a better way to do this than trial and error?

You could put SELinux in permissive mode:

# setenforce 0

then run bugzilla and get all of the SELinux denials logged, so you can
deal with them all in one go. Then turn enforcing mode back on:

# setenforce 1

You might also consider looking at the bugzilla package currently making
its way through the Fedora Extras review process:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188359

This probably doesn't include any SELinux support (at least not yet),
but might be better to use from a maintainability standpoint.

Paul.
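
The following is an added example, not part of the original message: a small Python sketch of the "deal with them all in one go" step, grouping logged AVC denials into one deduplicated allow rule per (source type, target type, class), which is the kind of grouping the audit2allow tool performs. The function names are hypothetical; the sample lines are the denials quoted above, rejoined onto single lines.

```python
import re
from collections import defaultdict

# Sample input: the four denials quoted in the message above, one record per line.
SAMPLE_LOG = """\
May 11 18:11:05 bugzilla kernel: audit(1147389065.041:16): avc:  denied  { read } for  pid=19398 comm="index.cgi" name="resolv.conf" dev=md1 ino=1106152 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:17): avc:  denied  { create } for  pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:18): avc:  denied  { create } for  pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:19): avc:  denied  { shutdown } for  pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
"""

# Captures the permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        src, tgt = type_of(m["scon"]), type_of(m["tcon"])
        if tgt == src:
            tgt = "self"  # policy syntax for a domain acting on its own objects
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return rules

def render_rules(rules):
    """Render the grouped denials as policy allow statements, sorted for review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return out

if __name__ == "__main__":
    print("\n".join(render_rules(collect_denials(SAMPLE_LOG))))
```

Read each generated rule before loading it: a rule on httpd_sys_script_t applies to every CGI script running in that domain, not only to Bugzilla.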



