Using Bugzilla with SELinux

wicked at etlicon.fi
Fri Sep 16 12:07:54 UTC 2005


David Miller wrote:
> SELinux seems to be growing in popularity...  and because of the
> security it provides, there's a growing number of people that really
> want to leave it enabled.  However, it sometimes interferes with the
> operation of Bugzilla with the default SELinux setups (access to
> sendmail, loading perl modules, writing to the data directory?).  I
> would love it if some enterprising person could research what exactly
> needs to be done to make Bugzilla work with SELinux the correct way
> (i.e. what contexts or object types need to be declared for what
> portions of Bugzilla's directory structure to give Bugzilla the minimum
> access it needs to do its job without hitting permission errors).

Yeah, I would have loved to set SELinux to Enforcing on my new Bugzilla 
system running CentOS 4 (RHEL 4). Unfortunately, this means checksetup.pl 
won't work (no output), but otherwise Bugzilla seems to work.

My Bugzilla instances are under the /var/www/html directory. I use the targeted 
policy (there's no strict policy available). I didn't touch any SELinux 
contexts, so they are all set to defaults. However, I did try to change the 
httpd booleans. In particular, I enabled httpd_tty_comm, but that didn't 
help. Otherwise the booleans are set to:

httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   inactive
httpd_ssi_exec          inactive
httpd_tty_comm          active
httpd_unified           active

I didn't try it, but this problem would probably go away if I set 
checksetup.pl to the unconfined context. I didn't because 1) I don't 
know how and 2) I don't know how to make it permanent. SELinux 
configuration looks scary. So for now, I just set SELinux to Permissive 
when I need to run checksetup.pl :)

For reference, when I run checksetup.pl I get the following audit log entries:

Sep 16 14:55:13 prodserv kernel: audit(1126871713.581:0): avc:  denied { read write } for  pid=27540 comm=checksetup.pl name=1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Sep 16 14:55:13 prodserv kernel: audit(1126871713.585:0): avc:  denied { ioctl } for  pid=27540 comm=checksetup.pl path=/dev/pts/1 dev=devpts ino=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
Sep 16 14:55:13 prodserv kernel: audit(1126871713.585:0): avc:  denied { dac_override } for  pid=27540 comm=checksetup.pl capability=1 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 16 14:55:14 prodserv kernel: audit(1126871714.760:0): avc:  denied { search } for  pid=27540 comm=checksetup.pl name=root dev=dm-0 ino=98306 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:user_home_dir_t tclass=dir
Sep 16 14:55:15 prodserv kernel: audit(1126871715.831:0): avc:  denied { fowner } for  pid=27540 comm=checksetup.pl capability=3 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 16 14:55:15 prodserv kernel: audit(1126871715.831:0): avc:  denied { fsetid } for  pid=27540 comm=checksetup.pl capability=4 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 16 14:55:30 prodserv kernel: audit(1126871730.557:0): avc:  denied { chown } for  pid=27540 comm=checksetup.pl capability=0 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
-- 
Teemu Mannermaa
System Specialist

"Anything is possible. It's all about probabilities."
