Bug 1000736

Summary: munin zooming doesn't work with selinux
Product: Red Hat Enterprise Linux 6 Reporter: Peter Schiffer <pschiffe>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.6CC: drjohnson1, dwalsh, ingvar, mtruneck, pschiffe
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-30 09:46:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit.log none

Description Peter Schiffer 2013-08-24 19:38:16 UTC 
Created attachment 789900 [details]
audit.log

Description of problem:
zooming doesn't work when selinux is in enforcing mode

Version-Release number of selected component (if applicable):
munin-2.0.17-1.el6.noarch
selinux-policy-3.7.19-195.el6_4.12.noarch
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch

Steps to Reproduce:
1. click on munin graph to zoom in

Actual results:
no graph image

Expected results:
graph image

Additional info:
it works with selinux in permissive mode
Comment 1 d. johnson 2013-08-24 21:22:34 UTC 
Can you run this and post the results?

ls -Z /var/log/munin/


It looks like the context is not setup properly.  Have you already tried restorecon?
Comment 2 Peter Schiffer 2013-08-25 10:05:49 UTC 
# ls -Z /var/log/munin/
-rw-r--r--. apache apache system_u:object_r:munin_log_t:s0 munin-cgi-graph.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-graph.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-html.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-limits.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-update.log

# restorecon -FRvv /var/log/munin/
#

I tried restorecon but it's still the same result. I also tried changing context of munin-cgi-graph.log file to httpd_log_t but that didn't help either.

This is error log from apache:

[Sun Aug 25 11:59:44 2013] [error] [client XXX] 2013/08/25 11:59:44 [FATAL] munin_readconfig_part(datafile) - missing file, referer: http://XXX/munin/static/dynazoom.html?cgiurl_graph=/munin-cgi/munin-cgi-graph&plugin_name=localhost/localhost/apache_processes&size_x=800&size_y=400&start_epoch=1377316503&stop_epoch=1377424503
[Sun Aug 25 11:59:44 2013] [error] [client XXX] Premature end of script headers: munin-cgi-graph, referer: http://XXX/munin/static/dynazoom.html?cgiurl_graph=/munin-cgi/munin-cgi-graph&plugin_name=localhost/localhost/apache_processes&size_x=800&size_y=400&start_epoch=1377316503&stop_epoch=1377424503
Comment 3 d. johnson 2013-08-26 20:48:45 UTC 
Changing to selinux-policy for a policy update.
Comment 5 Miroslav Grepl 2013-08-27 12:02:52 UTC 
Where is munin-cgi-graph located? And how it is labeled?

# ls -Z PATHTO/munin-cgi-graph
Comment 6 Peter Schiffer 2013-08-27 12:05:20 UTC 
# ls -Z /var/www/cgi-bin
-rwxr-xr-x. root munin system_u:object_r:httpd_sys_script_exec_t:s0 munin-cgi-graph
-rwxr-xr-x. root munin system_u:object_r:httpd_sys_script_exec_t:s0 munin-cgi-html
Comment 7 Miroslav Grepl 2013-08-27 12:27:59 UTC 
We need to back port changes from Fedora.

# chcon -t httpd_munin_script_exec_t /var/www/cgi-bin/munin-cgi*
Comment 8 Miroslav Grepl 2013-10-30 09:46:03 UTC 
More fixes have been added during RHEL6.5 cycle related to munin and this bug should be fixed. If no, please re-open the bug and it will be addressed in RHEL6.6.