Bug 144991

Summary: ispec doesn't work with selinux
Product: [Retired] Red Hat Ready Certification Tests Reporter: Richard Li <richardl>
Component: ispecAssignee: Will Woods <wwoods>
Status: CLOSED ERRATA QA Contact: Richard Li <richardl>
Severity: medium Docs Contact:
Priority: medium    
Version: beta   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-02-01 15:19:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 143442    
Attachments:
Description Flags
ispec-iso-mount
none
ispec-nfs-mount none

Description Richard Li 2005-01-13 15:03:19 UTC 
get ispec working with selinux.

http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizing.html#sn-httpd-booleans

documents what needs to be done i think.
Comment 1 Will Woods 2005-01-13 18:12:10 UTC 
SELinux failure symptoms:
1) 'trees' list doesn't get populated in iSpec
2) An 'avc: denied' message appears in /var/log/messages:

Jan 13 12:43:13 dhcp59-242 kernel: audit(1105638193.387:0): avc:  denied  {
search } for  pid=9625 exe=/usr/bin/perl name=mnt dev=sdb1 ino=392449
scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t 
tclass=dir
(trees/RHEL4 was a softlink to an NFS-mounted RHEL tree under /mnt)

Note that iSpec appears to work fine if the RHEL tree is actually copied to the
local disk. It appears that httpd is not allowed to mess around in /mnt or read
from nfs or iso9660 filesystems (e.g. NFS-mounted filesystems or loopback
mounted iso images under trees/).
Comment 2 Will Woods 2005-01-19 17:28:27 UTC 
Workaround:

Mount ISO images or NFS filesystems in directories under
/var/www/html/ispec/trees using the mount option
'context=system_u:object_r:httpd_sys_content_t'. This will allow httpd to read
from the filesystem.

We should add a script to mount a set of ISOs (or an NFS export) with the proper
flags.
Comment 3 Richard Li 2005-01-21 18:45:05 UTC 
scripts added
Comment 4 Will Woods 2005-01-26 21:43:38 UTC 
Created attachment 110274 [details]
ispec-iso-mount
Comment 5 Will Woods 2005-01-26 21:44:22 UTC 
Created attachment 110275 [details]
ispec-nfs-mount
Comment 6 Will Woods 2005-01-26 21:45:09 UTC 
Comment on attachment 110274 [details]
ispec-iso-mount

Script for mounting ISO images so they can be used by iSpec.
Comment 7 David Lawrence 2005-02-01 15:19:54 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-051.html