Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1000736

Summary: munin zooming doesn't work with selinux
Product: Red Hat Enterprise Linux 6 Reporter: Peter Schiffer <pschiffe>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.6CC: drjohnson1, dwalsh, ingvar, mtruneck, pschiffe
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-30 09:46:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit.log none

Description Peter Schiffer 2013-08-24 19:38:16 UTC 
Created attachment 789900 [details]
audit.log

Description of problem:
zooming doesn't work when selinux is in enforcing mode

Version-Release number of selected component (if applicable):
munin-2.0.17-1.el6.noarch
selinux-policy-3.7.19-195.el6_4.12.noarch
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch

Steps to Reproduce:
1. click on munin graph to zoom in

Actual results:
no graph image

Expected results:
graph image

Additional info:
it works with selinux in permissive mode
Comment 1 d. johnson 2013-08-24 21:22:34 UTC 
Can you run this and post the results?

ls -Z /var/log/munin/


It looks like the context is not setup properly.  Have you already tried restorecon?
Comment 2 Peter Schiffer 2013-08-25 10:05:49 UTC 
# ls -Z /var/log/munin/
-rw-r--r--. apache apache system_u:object_r:munin_log_t:s0 munin-cgi-graph.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-graph.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-html.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-limits.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-update.log

# restorecon -FRvv /var/log/munin/
#

I tried restorecon but it's still the same result. I also tried changing context of munin-cgi-graph.log file to httpd_log_t but that didn't help either.

This is error log from apache:

[Sun Aug 25 11:59:44 2013] [error] [client XXX] 2013/08/25 11:59:44 [FATAL] munin_readconfig_part(datafile) - missing file, referer: http://XXX/munin/static/dynazoom.html?cgiurl_graph=/munin-cgi/munin-cgi-graph&plugin_name=localhost/localhost/apache_processes&size_x=800&size_y=400&start_epoch=1377316503&stop_epoch=1377424503
[Sun Aug 25 11:59:44 2013] [error] [client XXX] Premature end of script headers: munin-cgi-graph, referer: http://XXX/munin/static/dynazoom.html?cgiurl_graph=/munin-cgi/munin-cgi-graph&plugin_name=localhost/localhost/apache_processes&size_x=800&size_y=400&start_epoch=1377316503&stop_epoch=1377424503
Comment 3 d. johnson 2013-08-26 20:48:45 UTC 
Changing to selinux-policy for a policy update.
Comment 5 Miroslav Grepl 2013-08-27 12:02:52 UTC 
Where is munin-cgi-graph located? And how it is labeled?

# ls -Z PATHTO/munin-cgi-graph
Comment 6 Peter Schiffer 2013-08-27 12:05:20 UTC 
# ls -Z /var/www/cgi-bin
-rwxr-xr-x. root munin system_u:object_r:httpd_sys_script_exec_t:s0 munin-cgi-graph
-rwxr-xr-x. root munin system_u:object_r:httpd_sys_script_exec_t:s0 munin-cgi-html
Comment 7 Miroslav Grepl 2013-08-27 12:27:59 UTC 
We need to back port changes from Fedora.

# chcon -t httpd_munin_script_exec_t /var/www/cgi-bin/munin-cgi*
Comment 8 Miroslav Grepl 2013-10-30 09:46:03 UTC 
More fixes have been added during RHEL6.5 cycle related to munin and this bug should be fixed. If no, please re-open the bug and it will be addressed in RHEL6.6.