Bug 1154728

Summary: [TestOnly][rhel7] graphite-web needs type "httpd_sys_rw_content_t" for files in "/var/lib/graphite-web(/.*)?"
Product: [Fedora] Fedora EPEL
Reporter: Martin Žember <mzember>
Component: graphite-web
Assignee: Piotr Popieluch <piotr1212>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: epel7
CC: ebenes, jamielinux, jonathansteffan, mgrepl, mmalik, mzember, piotr1212
Keywords: SELinux, TestOnly
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 1148766
Last Closed: 2015-03-24 20:08:57 UTC
Type: Bug
Bug Depends On: 1148766
Attachments:
 * selinux policy RPM (flags: none)
 * selinux policy targeted RPM (flags: none)

Description Martin Žember 2014-10-20 15:43:45 UTC
This bug is a TestOnly bug for graphite-web component to cover functionality testing requirements introduced by changes in selinux-policy component related to bug #1148766. It is intended for QE purposes only. If you are a developer/maintainer be aware that this bug does not require any code changes/actions on your side. Your suggestions are more than welcome. Please DO NOT CLOSE this bug.

Problem Description:
The scenario described in bug #1148766 should be supported in selinux-policy-3.13.1-3.el7. If you encounter any problems during graphite-web testing with this or newer SELinux policy please write your findings here.

SELinux How to Test instructions are available at:
 * https://wiki.test.redhat.com/BaseOs/Security/SelinuxTestOnlyBugs#SELinuxHowToTestInstructions

More details about the SelinuxTestOnly process are available at:
 * https://wiki.test.redhat.com/BaseOs/Security/SelinuxTestOnlyBugs

If you have any questions about testing/verification in SELinux enabled environment please contact SELinux QE persons:
 * mzember / mzember at #qa, #brno 
 * mmalik / mmalik at #qa, #brno

Comment 1 Caolan McNamara 2014-10-21 09:25:40 UTC
This is graphite-web in EPEL not graphite2 in RHEL

Comment 2 Martin Žember 2015-01-16 02:20:16 UTC
As this has moved to Fedora, may I kindly ask that someone (not necessarily QA) would test graphite-web with the new selinux-policy? Jonathan, do you have any suggestion?

Comment 3 Jamie Nguyen 2015-01-16 17:47:18 UTC
Where can you find selinux-policy-3.13.1-3.el7 package to install and test? It appears latest in the repositories is still 3.12.x.

Comment 4 Martin Žember 2015-01-19 21:24:19 UTC
Created attachment 981634 [details]
selinux policy RPM

Comment 5 Martin Žember 2015-01-19 21:25:30 UTC
Created attachment 981637 [details]
selinux policy targeted RPM

Comment 6 Martin Žember 2015-01-19 21:31:39 UTC
Jamie, you are right, this is not clear, especially if you do not have access to brewweb.devel.redhat.com from the outside. I am attaching the packages. (I believe there is a better way to do this but I do not know it yet.)

selinux-policy-3.13.1-16.el7 is definitely different than the *.fc* package for Fedora.

Comment 8 Martin Žember 2015-02-16 12:25:51 UTC
After the move of this bug from RHEL to Fedora, it was not open to the public. Opening now. There are people who are interested in testing this.

The testing is not necessary in order to ship the graphite-web-related parts in the selinux-policy package, but you may download it and do some testing if interested.

Comment 9 Piotr Popieluch 2015-03-20 20:41:05 UTC
Tested this. graphite-web-0.9.12-8.el7.noarch works fine with selinux-policy-3.13.1-23.el7.noarch with selinux Enforcing.

Files in /var/lib/graphite-web/ have the correct httpd_sys_rw_content_t context.

Comment 10 Martin Žember 2015-03-24 20:08:57 UTC
Thank you, Piotr! Good to know that it works. I could not do it by myself.
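
The labeling check reported in Comment 9 can be scripted. The following is an added example, not part of the original bug thread or of graphite-web: it reads `stat -c '%C %n'` output and lists every path whose SELinux type is not the one named in the bug summary. The function names and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit SELinux file types under a directory tree.
# EXPECTED_TYPE comes from the bug summary; all function names are hypothetical.

EXPECTED_TYPE="httpd_sys_rw_content_t"

# Print the type field (third colon-separated field) of a context such as
# system_u:object_r:httpd_sys_rw_content_t:s0. MLS ranges that contain
# further colons (s0:c1,c2) do not disturb the third field.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context path" lines on stdin (the format of: stat -c '%C %n').
# Print "path context" for each entry whose type differs from $1.
# Return 1 if any entry is mislabeled, 0 otherwise.
find_mislabeled() {
    expected="$1"
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        if [ "$(selinux_type "$ctx")" != "$expected" ]; then
            printf '%s %s\n' "$path" "$ctx"
            bad=1
        fi
    done
    return "$bad"
}

# Live use on an SELinux-enabled host: walk the tree and audit every entry.
audit_tree() {
    find "$1" -exec stat -c '%C %n' {} + | find_mislabeled "$EXPECTED_TYPE"
}

# Constructed sample listing (not captured from a real system): the second
# entry carries the generic /var/lib type instead of the expected one.
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/graphite-web
system_u:object_r:var_lib_t:s0 /var/lib/graphite-web/index
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/graphite-web/graphite.db
EOF
}
```

On a test host, `audit_tree /var/lib/graphite-web` exits non-zero if anything is mislabeled; `restorecon -Rv /var/lib/graphite-web` resets the listed paths to the labels the installed policy defines.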