Open Bug 394986 Opened 17 years ago Updated 13 years ago

checksetup.pl should fix the selinux contexts if selinux is enabled

Categories

(Bugzilla :: Installation & Upgrading, enhancement)

All
Linux
enhancement
Not set
normal

People

(Reporter: justdave, Unassigned)


checksetup.pl already fixes file permissions as needed.  That's part of its job.  SELinux contexts aren't much different in this sense.  Many Linux distros are now shipping with SELinux enabled by default.  We should check if it's enabled in checksetup.pl and if so, fix the contexts on the Bugzilla-related files as well.  The names of the contexts are likely to vary from one distro to the next, so probably making use of the --reference option would be the most useful.  On the other hand, the pathnames to anything useful to reference might be distro-dependent, too... hmm...

Severity: major → enhancement

Yeah, I don't think this is necessarily that feasible for checksetup. File permissions are a Unix standard, but SELinux contexts aren't.

I think that generally, SELinux contexts are the responsibility of the distro and the administrator.

What we *could* do is find some way to sort of "sudo" ourselves into the webservergroup and try to access the files we have to access, and see if it works, and report an error and possible suggestions if it doesn't work.

There's also nothing preventing us from doing distro-specific fixes if we can detect which distro they're running.  Most of the distros do standard things within that distro for SELinux.

For example, on Red Hat based stuff (RHEL, CentOS, Fedora), the web directory is in /var/www/html (for use with --reference), and they all use the same context names.  There's also a utility called audit2allow that will convert the avc error messages from your log file into an selinux policy file.  We could experiment with that, and ship a policy file with Bugzilla for use on Red Hat based systems to pick up any additional perms Bugzilla needs that aren't covered by fixing the file contexts.

I'm sure we could probably get someone to contribute similar information for other distros and detect them and do the right things.
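
The approach discussed in the comments above, as an added shell example that is not Bugzilla code: it checks whether SELinux is enabled, copies the context of a reference directory with `chcon --reference`, and lists which target types a web server domain was denied in AVC records (the input `audit2allow` works from). `SELINUX_PROBE`, `DRY_RUN` and the function names are hypothetical, and the AVC lines are constructed.

```shell
#!/bin/sh
# Added example, not Bugzilla code. SELINUX_PROBE and DRY_RUN are hypothetical
# knobs; /var/www/html is the Red Hat reference path named in the thread.
: "${SELINUX_PROBE:=selinuxenabled}"   # exits 0 when SELinux is enabled
: "${DRY_RUN:=1}"                      # 1 = print the chcon command only

# Constructed AVC denial records (not from a real system).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1190000000.101:41): avc:  denied  { read } for  pid=2001 comm="httpd" name="localconfig" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190000000.205:42): avc:  denied  { getattr } for  pid=2002 comm="index.cgi" name="data" dev=sda1 ino=1002 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1190000000.310:43): avc:  denied  { write } for  pid=2003 comm="httpd" name="graphs" dev=sda1 ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1190000000.415:44): avc:  denied  { read } for  pid=2004 comm="sshd" name="shadow" dev=sda1 ino=1004 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# Read audit records on stdin; list the distinct target types that a web
# server domain (httpd_t, httpd_sys_script_t, ...) was denied access to.
denied_types() {
    awk '/avc: +denied/ && /scontext=[^ ]*:httpd_/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^tcontext=/) { split($i, c, ":"); print c[3] }
    }' | sort -u
}

# fix_contexts BUGZILLA_DIR [REFERENCE_DIR]
# Returns 0 when skipped or relabelled, 2 when the reference path is missing.
fix_contexts() {
    bz_dir=$1
    ref_dir=${2:-/var/www/html}
    if ! command -v "$SELINUX_PROBE" >/dev/null 2>&1 || ! "$SELINUX_PROBE"; then
        echo "selinux: not enabled, nothing to fix"
        return 0
    fi
    if [ ! -e "$ref_dir" ]; then
        echo "selinux: reference $ref_dir not found, fix contexts by hand" >&2
        return 2
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "chcon -R --reference=$ref_dir $bz_dir"
    else
        chcon -R --reference="$ref_dir" "$bz_dir"
    fi
}

# Demo on the constructed log: which labels is the web server being denied?
sample_avc_log | denied_types
```

Labels set with `chcon` do not survive a filesystem relabel; `semanage fcontext` followed by `restorecon` records them in policy.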