Bug 566513
Summary: | mailgraph-selinux does not work fine | |
---|---|---|---
Product: | [Fedora] Fedora EPEL | Reporter: | Stefano Biagiotti <stefano.biagiotti>
Component: | mailgraph | Assignee: | Bernard Johnson <bjohnson>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Priority: | low
Version: | el5 | CC: | bjohnson, mfleming+rpm, rh_bugzilla, tremble
Hardware: | All | OS: | Linux
Fixed In Version: | mailgraph-1.14-8.fc14 | Doc Type: | Bug Fix
Last Closed: | 2010-10-17 04:51:30 UTC | |
Description
Stefano Biagiotti
2010-02-18 17:09:01 UTC
Actually you filed this against the correct package, mailgraph-selinux is a sub-package of mailgraph.

What's happened is that mailgraph.rrd hasn't picked up the context it's supposed to have. This is because fixfiles -R only acts upon the files that are owned by the rpm and the rrd file is being generated before the selinux module is installed. What I can't spot is what's generating the rrd files...

The quick hack fix to get you up and running is simply:

```
restorecon -RvF /var/lib/mailgraph
```

This is possibly also the best bet as a fix in the post script too.

Mark

mailgraph-1.14-8.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/mailgraph-1.14-8.el5

mailgraph-1.14-8.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/mailgraph-1.14-8.fc14

mailgraph-1.14-8.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/mailgraph-1.14-8.fc13

mailgraph-1.14-8.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update mailgraph'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/mailgraph-1.14-8.el5

mailgraph-1.14-8.el5 and mailgraph-selinux-1.14-8.el5 from epel-testing work for me. Thank you.

mailgraph-1.14-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

mailgraph-1.14-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

mailgraph-1.14-8.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
I just installed CentOS 6 x86_64 with mailgraph from EPEL:

```
$ rpm -qa | grep mailgraph
mailgraph-selinux-1.14-8.el6.noarch
mailgraph-1.14-8.el6.noarch
$ cat /etc/centos-release
CentOS Linux release 6.0 (Final)
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
```

And with SELinux enabled browsing to http://host/mailgraph gives a 500 Internal Server Error but when I set SELinux to permissive it works fine.

The error in /var/log/httpd/error_log:

```
[Thu Aug 18 01:57:41 2011] [error] [client 10.0.0.135] (13)Permission denied: exec of '/usr/share/mailgraph/mailgraph.cgi' failed
[Thu Aug 18 01:57:41 2011] [error] [client 10.0.0.135] Premature end of script headers: mailgraph.cgi
```

The error in /var/log/audit/audit.log:

```
type=AVC msg=audit(1313625461.090:635): avc: denied { execute } for pid=3696 comm="httpd" name="mailgraph.cgi" dev=sda2 ino=43519719 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1313625461.090:635): arch=c000003e syscall=59 success=no exit=-13 a0=7f994b14b130 a1=7f994b150ee8 a2=7f994b150f00 a3=7fffa58254a0 items=0 ppid=2970 pid=3696 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=11 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
```

Also tried the restorecon trick mentioned above but did not seem to do anything.

```
$ sudo restorecon -RvF /var/lib/mailgraph
$
```

After the restorecon trick I still get the same error. I tried the changes from bz243302 and it still does not work.
With these applied:

```
$ sudo chcon -t httpd_sys_script_exec_t /usr/share/mailgraph/mailgraph.cgi
$ sudo chcon -R -t httpd_sys_script_ra_t /var/cache/mailgraph
$ sudo chcon -R -t httpd_sys_script_ra_t /var/lib/mailgraph
```

And with SELinux in permissive mode:

```
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
```

I see this error in /var/log/audit/audit.log:

```
type=AVC msg=audit(1313627079.285:995): avc: denied { setattr } for pid=4748 comm="mailgraph.cgi" name="fontconfig" dev=sda2 ino=96731533 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1313627079.285:995): arch=c000003e syscall=90 success=no exit=-1 a0=e11140 a1=1ed a2=d a3=7ffff491fbe0 items=0 ppid=2976 pid=4748 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=11 comm="mailgraph.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
```

At least the chcon changes seem to have solved the errors in comment #10. Please let me know if you need more information or would like me to test a new policy.
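
Added example (not part of the bug report or of the mailgraph package): a small Python parser that reduces the AVC records quoted in the comments above to source type, target type, object class and permission. The first record reduces to `httpd_t` denied `execute` on a file typed `usr_t`; the function names are this example's own.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the comments above, one per line.
SAMPLE = """\
type=AVC msg=audit(1313625461.090:635): avc: denied { execute } for pid=3696 comm="httpd" name="mailgraph.cgi" dev=sda2 ino=43519719 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1313627079.285:995): avc: denied { setattr } for pid=4748 comm="mailgraph.cgi" name="fontconfig" dev=sda2 ino=96731533 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """SELinux context is user:role:type[:level]; return the type field."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record."""
    m = AVC_RE.search(line) if "type=AVC" in line else None
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    src = context_type(fields.get("scontext", ""))
    tgt = context_type(fields.get("tcontext", ""))
    if not (src and tgt and "tclass" in fields):
        return None  # truncated or malformed record
    return {"perms": m.group(1).split(), "name": fields.get("name"),
            "source_type": src, "target_type": tgt, "tclass": fields["tclass"]}

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        if rec["name"]:
            groups[key]["names"].add(rec["name"])
    return {k: {"perms": sorted(v["perms"]), "names": sorted(v["names"])}
            for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {info['perms']} on {info['names']}")
```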