Bug 639511

Summary: Smokeping not working on Fedora 13
Product: [Fedora] Fedora
Reporter: fedbugs
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 13
CC: domg444, dominick.grift, dwalsh, mgrepl, terje.rosten
Hardware: x86_64   
OS: Linux   
Fixed In Version: selinux-policy-3.7.19-65.fc13
Doc Type: Bug Fix
Last Closed: 2010-10-19 07:06:42 UTC

Description fedbugs 2010-10-02 00:46:53 UTC
Description of problem:

Smokeping is not displaying the target graphs when SELinux is in "Enforcing" mode. There is no problem when SELinux is set to "Permissive".

Version-Release number of selected component (if applicable):

smokeping-2.4.2-10.fc12.noarch (this could be a problem in itself as there is no fc13 build of this package available)

How reproducible:

Constantly.

Steps to Reproduce:
1. Enable httpd & smokeping daemons
2. Load "http://localhost/smokeping/sm.cgi" in browser (Firefox 3.6.10 in this instance)
3. Click on one of the smokeping targets under 'charts' in the menu sidebar
4. Error messages will be displayed in '/var/log/messages' & '/var/log/audit/audit.log'
  
Actual results:

No target charts (and associated information) displayed.

Expected results:

Target chart and associated information.

Additional info:

avc:  denied  { create } for  pid=1972 comm="smokeping.cgi" name="__chartscache" scontext=unconfined_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=unconfined_u:object_r:smokeping_var_lib_t:s0 tclass=dir

avc:  denied  { read } for  pid=27651 comm="httpd" name="BBCNews_last_108000.png" dev=sdb2 ino=7350256 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:smokeping_var_lib_t:s0 tclass=file

localhost ~]# ls -alZ /usr/share/smokeping/cgi
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
drwxr-xr-x. root root system_u:object_r:usr_t:s0       ..
-rwxr-xr-x. root root system_u:object_r:httpd_smokeping_cgi_script_exec_t:s0 smokeping.cgi
-rwxr-xr-x. root root system_u:object_r:httpd_smokeping_cgi_script_exec_t:s0 tr.cgi
localhost ~]#
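Added example, not part of the original report: a small Python parser that reduces the two AVC denials quoted above to their source type, target type, object class and permission, and prints them in raw allow-rule syntax. The function names are hypothetical; the sample log is the two lines from this report.

```python
import re
from collections import defaultdict

# The two denials quoted in this report, embedded so the script runs offline.
SAMPLE_LOG = """\
avc:  denied  { create } for  pid=1972 comm="smokeping.cgi" name="__chartscache" scontext=unconfined_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=unconfined_u:object_r:smokeping_var_lib_t:s0 tclass=dir
avc:  denied  { read } for  pid=27651 comm="httpd" name="BBCNews_last_108000.png" dev=sdb2 ino=7350256 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:smokeping_var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip anything that is not an AVC denial
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        # Repeated denials for the same triple merge into one permission set.
        denials[key].update(m["perms"].split())
    return denials

def to_allow_rules(denials):
    """Render each grouped denial as one raw allow rule, sorted for stable output."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    for rule in to_allow_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

The output shows two distinct source domains (`httpd_smokeping_cgi_script_t` and `httpd_t`) being denied access to the same target type, `smokeping_var_lib_t`, which is why the fix discussed in the comments touches both domains.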

Comment 1 Daniel Walsh 2010-10-03 11:24:35 UTC
Miroslav, add

	smokeping_read_lib_files(httpd_t)

and

	manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)

Comment 2 Dominick Grift 2010-10-03 15:38:39 UTC
Why would httpd_t need to read smokeping_var_lib_t files? Is this some inheritance issue?

Comment 3 Miroslav Grepl 2010-10-04 11:58:26 UTC
Looks like httpd reads /var/lib/smokeping/images/*.png files.

Comment 4 Dominick Grift 2010-10-04 16:12:45 UTC
But why httpd_t and not httpd_smokeping_cgi_script_t?

Comment 5 Miroslav Grepl 2010-10-05 14:58:55 UTC
Fixed in selinux-policy-3.7.19-64.fc13

Comment 6 Fedora Update System 2010-10-08 10:32:21 UTC
selinux-policy-3.7.19-65.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13

Comment 7 Fedora Update System 2010-10-08 20:48:47 UTC
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13

Comment 8 Fedora Update System 2010-10-19 07:05:39 UTC
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.