Bug 564450

Summary: SELinux is preventing /usr/bin/perl from using potentially mislabeled files /usr/share/bugzilla/graphs.
Product: Fedora
Reporter: John Griffiths <fedora.jrg01>
Component: bugzilla
Assignee: Emmanuel Seyman <emmanuel>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, emmanuel, itamar, mgrepl
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:9eb44421569ec50d777b5b7025d88091026862f1d53ef27638904a49a25183e9
Doc Type: Bug Fix
Last Closed: 2010-06-01 12:28:42 UTC

Description John Griffiths 2010-02-12 19:29:49 UTC
Summary:

SELinux is preventing /usr/bin/perl from using potentially mislabeled files
/usr/share/bugzilla/graphs.

Detailed Description:

SELinux has denied the reports.cgi access to potentially mislabeled files
/usr/share/bugzilla/graphs. This means that SELinux will not allow httpd to use
these files. If httpd should be allowed this access to these files you should
change the file context to one of the following types,
httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, tmp_t,
httpd_bugzilla_tmp_t. Many third party apps install html files in directories
that SELinux policy cannot predict. These directories have to be labeled with a
file context which httpd can access.

Allowing Access:

If you want to change the file context of /usr/share/bugzilla/graphs so that the
httpd daemon can access it, you need to execute it using semanage fcontext -a -t
FILE_TYPE '/usr/share/bugzilla/graphs', where FILE_TYPE is one of the following:
httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, tmp_t,
httpd_bugzilla_tmp_t. You can look at the httpd_selinux man page for additional
information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_bugzilla_script_t:SystemLow
Target Context                unconfined_u:object_r:httpd_bugzilla_content_t:SystemLow
Target Objects                /usr/share/bugzilla/graphs [ dir ]
Source                        reports.cgi
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.10.0-87.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-84.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.12-174.2.3.fc12.i686.PAE #1 SMP Mon Jan 18 20:06:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Fri 12 Feb 2010 09:10:14 AM EST
Last Seen                     Fri 12 Feb 2010 09:10:14 AM EST
Local ID                      bce33fae-d62f-42e5-b75d-b7c9997dadba
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1265983814.505:126280): avc:  denied  { write } for  pid=23086 comm="reports.cgi" name="graphs" dev=dm-1 ino=1055651 scontext=unconfined_u:system_r:httpd_bugzilla_script_t:s0 tcontext=unconfined_u:object_r:httpd_bugzilla_content_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1265983814.505:126280): arch=40000003 syscall=5 success=no exit=-13 a0=a7cca0c a1=8241 a2=1b6 a3=0 items=0 ppid=2427 pid=23086 auid=0 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=13238 comm="reports.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_bugzilla_script_t:s0 key=(null)
Hash String generated from  selinux-policy-3.6.32-84.fc12,httpd_bad_labels,reports.cgi,httpd_bugzilla_script_t,httpd_bugzilla_content_t,dir,write
audit2allow suggests:

#============= httpd_bugzilla_script_t ==============
#!!!! The source type 'httpd_bugzilla_script_t' can write to a 'dir' of the following types:
# httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, tmp_t, httpd_bugzilla_tmp_t

allow httpd_bugzilla_script_t httpd_bugzilla_content_t:dir write;
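
The two raw audit records above carry everything needed to decide whether a denial is a labeling problem or a real policy gap. The following is an added example, not part of the bug report or of setroubleshoot, that parses those records (constructed here as string literals copied from this report) and applies the same reasoning the httpd_bad_labels plugin states: if the source type can already write to other directory types, the target is mislabeled. The WRITABLE_DIR_TYPES set is taken from the audit2allow note above and stands in for a policy query.

```python
import errno
import re

# Constructed sample input: the two raw audit records quoted in this bug report.
AVC_LINE = (
    'node=(removed) type=AVC msg=audit(1265983814.505:126280): avc:  denied  { write } '
    'for  pid=23086 comm="reports.cgi" name="graphs" dev=dm-1 ino=1055651 '
    'scontext=unconfined_u:system_r:httpd_bugzilla_script_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_bugzilla_content_t:s0 tclass=dir'
)
SYSCALL_LINE = (
    'node=(removed) type=SYSCALL msg=audit(1265983814.505:126280): arch=40000003 syscall=5 '
    'success=no exit=-13 a0=a7cca0c a1=8241 a2=1b6 a3=0 items=0 ppid=2427 pid=23086 auid=0 '
    'uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=13238 '
    'comm="reports.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_bugzilla_script_t:s0 key=(null)'
)
# Directory types the audit2allow note in the report says httpd_bugzilla_script_t may already write to.
WRITABLE_DIR_TYPES = {"httpd_bugzilla_content_ra_t", "httpd_bugzilla_content_rw_t",
                      "tmp_t", "httpd_bugzilla_tmp_t"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # event serial joins AVC and SYSCALL
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse_record(line):
    """Split one audit record into a dict; AVC records also get 'result' and 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = int(SERIAL_RE.search(line).group(1))
    if m := AVC_RE.search(line):
        rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def triage(avc_line, syscall_line, writable_types):
    """Join the AVC and SYSCALL records by serial and decide: bad label or missing policy rule?"""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    assert avc["serial"] == sc["serial"], "records belong to different events"
    target_type = avc["tcontext"].split(":")[2]   # context is user:role:type:level
    if target_type in writable_types:
        kind = "unexplained"    # label already permits it; look at booleans or other perms
    elif writable_types:
        kind = "mislabeled"     # policy allows this access on other types: relabel the target
    else:
        kind = "policy_gap"     # nothing writable at all: a policy change, not a relabel
    return {
        "serial": avc["serial"], "comm": sc["comm"], "exe": sc["exe"], "uid": int(sc["uid"]),
        "source_type": avc["scontext"].split(":")[2], "target_type": target_type,
        "tclass": avc["tclass"], "perms": avc["perms"], "kind": kind,
        "errno": errno.errorcode[-int(sc["exit"])],   # exit=-13 is EACCES
        "suggested_types": sorted(writable_types),
    }
```

On a live system the writable set would come from the loaded policy (for example `sesearch -A -s httpd_bugzilla_script_t -c dir -p write` from setools) rather than a hand-typed constant.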

Comment 1 Daniel Walsh 2010-02-13 12:54:23 UTC
This looks like local customization.

If bugzilla needs to write to this directory it should be under /var/lib/bugzilla.

Or you can change the labeling of the /usr/share/bugzilla/graphs directory:

semanage fcontext -a -e /var/lib/bugzilla /usr/share/bugzilla/graphs

Reopen this if it is not a local customization.

Comment 2 John Griffiths 2010-02-13 21:24:53 UTC
This was a straight installation from Fedora repository.

Comment 3 Daniel Walsh 2010-02-14 14:25:20 UTC
What package owns /usr/share/bugzilla/graphs?

rpm -qf /usr/share/bugzilla/graphs

Comment 4 John Griffiths 2010-02-15 01:16:49 UTC
It shows up as not owned by any package, but so do a lot of other files and directories. I think they are created when bugzilla is installed or when ./checksetup.pl is run.

I checked two different bugzilla installations on Fedora 12 servers. Neither server had any customization done by hand. Here is a list of files not owned by any package that are in the /usr/share/bugzilla directory.

file /usr/share/bugzilla/graphs is not owned by any package
file /usr/share/bugzilla/contrib/.htaccess is not owned by any package
file /usr/share/bugzilla/.htaccess is not owned by any package
file /usr/share/bugzilla/template/.htaccess is not owned by any package
file /usr/share/bugzilla/lib is not owned by any package
file /usr/share/bugzilla/lib/.htaccess is not owned by any package
file /usr/share/bugzilla/docs is not owned by any package
file /usr/share/bugzilla/extensions is not owned by any package
file /usr/share/bugzilla/Bugzilla/.htaccess is not owned by any package
file /usr/share/bugzilla/t/.htaccess is not owned by any package
file /usr/share/bugzilla/skins/custom is not owned by any package
file /usr/share/bugzilla/skins/custom/panel.css is not owned by any package
file /usr/share/bugzilla/skins/custom/global.css is not owned by any package
file /usr/share/bugzilla/skins/custom/voting.css is not owned by any package
file /usr/share/bugzilla/skins/custom/params.css is not owned by any package
file /usr/share/bugzilla/skins/custom/admin.css is not owned by any package
file /usr/share/bugzilla/skins/custom/summarize-time.css is not owned by any package
file /usr/share/bugzilla/skins/custom/dependency-tree.css is not owned by any package
file /usr/share/bugzilla/skins/custom/yui is not owned by any package
file /usr/share/bugzilla/skins/custom/yui/calendar.css is not owned by any package
file /usr/share/bugzilla/skins/custom/create_attachment.css is not owned by any package
file /usr/share/bugzilla/skins/custom/duplicates.css is not owned by any package
file /usr/share/bugzilla/skins/custom/editusers.css is not owned by any package
file /usr/share/bugzilla/skins/custom/show_bug.css is not owned by any package
file /usr/share/bugzilla/skins/custom/release-notes.css is not owned by any package
file /usr/share/bugzilla/skins/custom/index.css is not owned by any package
file /usr/share/bugzilla/skins/custom/show_multiple.css is not owned by any package
file /usr/share/bugzilla/skins/custom/IE-fixes.css is not owned by any package
file /usr/share/bugzilla/skins/custom/buglist.css is not owned by any package
file /usr/share/bugzilla/skins/custom/help.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/panel.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/voting.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/params.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/admin.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/summarize-time.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/dependency-tree.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/yui is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/yui/calendar.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/create_attachment.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/duplicates.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/editusers.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/show_bug.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/release-notes.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/show_multiple.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/IE-fixes.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/help.css is not owned by any package

Comment 5 Daniel Walsh 2010-02-16 14:05:53 UTC
I guess the question then, is what is the cgi script trying to write in that directory.

Does it create the .htaccess file?

Comment 6 John Griffiths 2010-02-17 22:47:50 UTC
The .htaccess file was created but whether it was created by the cgi script, I do not know.

The only thing I ever see being put into /usr/share/bugzilla/graphs are png files when the "Old Charts" is selected and run from the Bugzilla reports page. 

I did a chcon -t httpd_bugzilla_content_rw_t /usr/share/bugzilla/graphs and no longer get the sealert, but that is obviously a work around.

Comment 7 Emmanuel Seyman 2010-04-01 08:42:30 UTC
Taking this one.
I've submitted a fix upstream. If this is accepted, I'll release a fix on Fedora.

Comment 8 Emmanuel Seyman 2010-06-01 12:28:42 UTC
http://koji.fedoraproject.org/koji/taskinfo?taskID=2221992

Coming soon to a rawhide mirror near you.