Bug 710142
Summary: | SELinux is preventing /usr/bin/perl from 'write' accesses on the directory /usr/share/bugzilla/graphs. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | John Griffiths <fedora.jrg01> |
Component: | bugzilla | Assignee: | Emmanuel Seyman <emmanuel> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 14 | CC: | dominick.grift, dwalsh, emmanuel, itamar, mgrepl |
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:d1ed7f0aa41a02ae53deec98522958eeac6b9bedbc4126e2918c0c00c3f96987 | ||
Fixed In Version: | bugzilla-4.0.2-1.fc16 | Doc Type: | Bug Fix |
Last Closed: | 2011-08-19 21:56:46 UTC | Type: | --- |
Description
John Griffiths
2011-06-02 14:23:04 UTC
Can you tell bugzilla to write these graphs to /var/lib/bugzilla? That location should be installed:

    rpm -ql bugzilla

John, did you customize this or did bugzilla want to be able to write to /usr/share/bugzilla/graphs by default?

I looked in the Bugzilla administration pages and in localconfig and checked the online documentation for Bugzilla and found no reference to a location for graphs. By using find and grep I did find that 'graphsdir' => "$libpath/graphs" is set in /usr/share/bugzilla/Bugzilla/Constants.pm. I have made no changes to that file. Apparently, the /usr/share/bugzilla/graphs directory is the default as set up by the bugzilla package. I would think the package should be modified to use the /var/lib/bugzilla/graphs directory if that is the preferable location, or SELinux policy should allow writing to the default location. Either solution would be good, but manual intervention should not be needed to change the access to a default location in my opinion. In the meantime, I have created a local policy to allow perl write access to /usr/share/bugzilla/graphs.

rpm -ql bugzilla does not show a /usr/share/bugzilla/graphs. So how did it get there? $libpath should obviously not be /usr/share.

I think I may have added the graphs directory, but my recollection of that is a bit fuzzy. There were some errors when running /usr/share/bugzilla/checksetup.pl as I remember it and I am pretty sure it was complaining about a missing directory. I was in a hurry, since I was updating a production system to FC14 and did not report that error on the bugzilla package.

There is not a /var/lib/bugzilla/graphs in the bugzilla package.

John, a better solution would be:

    semanage fcontext -a -t httpd_bugzilla_content_rw_t "/usr/share/bugzilla/graphs(/.*)?"
    restorecon -R -v /usr/share/bugzilla/graphs

And to remove that custom loadable module that you have loaded into the system to allow this.
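As an added example (not part of the bug thread or of any Fedora tooling): a dry-run helper that reads one AVC denial and prints the relabel commands from the comment above in place of a local allow module. The AVC record is constructed, and the function names and the module name `local_bugzilla_graphs` are hypothetical.

```shell
#!/bin/sh
# Added example: dry-run planner, prints commands and changes nothing.

# Constructed AVC record (pid, inode, device and contexts are illustrative).
SAMPLE_AVC='type=AVC msg=audit(1307024584.123:456): avc:  denied  { write } for  pid=1234 comm="perl" name="graphs" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir'

# avc_field RECORD KEY: value of the first KEY=value token, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms RECORD: the denied permissions listed between { and }.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# target_type RECORD: SELinux type (third field) of the target context.
target_type() {
    avc_field "$1" tcontext | cut -d: -f3
}

# relabel_plan RECORD PATH RW_TYPE MODULE
# Prints the file-context fix for a denied write on a directory.
# Returns 1 when the record is not that case or the directory already carries
# RW_TYPE, because relabeling would not change the outcome then.
relabel_plan() {
    [ "$(avc_field "$1" tclass)" = dir ] || return 1
    case " $(avc_perms "$1") " in
        *" write "*) ;;
        *) return 1 ;;
    esac
    [ "$(target_type "$1")" != "$3" ] || return 1
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$3" "$2"
    printf 'restorecon -R -v %s\n' "$2"
    printf 'ls -dZ %s\n' "$2"
    printf 'semodule -r %s\n' "$4"
}

# Path and type are from the thread; the module name is a placeholder.
relabel_plan "$SAMPLE_AVC" /usr/share/bugzilla/graphs \
    httpd_bugzilla_content_rw_t local_bugzilla_graphs
```

Review the printed commands before running them as root; `semodule -l` lists the loaded modules if the name of the local module is not known.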
(In reply to comment #6)
> There is not a /var/lib/bugzilla/graphs in the bugzilla package.

I know but at least bugzilla would have been able to create it there.

That may be true, but that is not where checksetup.pl was looking for it.

Yes and so this seems to be a bug in bugzilla and it is now re-assigned to the bugzilla component.

I have no problem using semanage to do that, but I just did what sealert said to do. I also have no problem with editing Constants.pm to make the graphs directory in /var/lib/bugzilla. Changing $libpath from being /usr/share would be problematic for all of bugzilla I think.

    grep '$libpath' /usr/share/bugzilla/Bugzilla/Constants.pm
    my $libpath = dirname(dirname($INC{'Bugzilla/Constants.pm'}));
    # We have to detaint $libpath, but we can't use Bugzilla::Util here.
    $libpath =~ /(.*)/;
    $libpath = $1;
    'libpath' => $libpath,
    'ext_libpath' => "$libpath/lib",
    'cgi_path' => $libpath,
    'templatedir' => "$libpath/template",
    'skinsdir' => "$libpath/skins",
    'graphsdir' => "$libpath/graphs",
    'extensionsdir' => "$libpath/extensions",

Yes, I understand. Unfortunately the report did not suggest the proper fix. Basically a bug in setroubleshoot-plugins.

Ughh, this is bug 564450 all over again. When we upstreamed the patch in question, we reverted the value $graphdirs back to its upstream default. I'll release a new version with $graphsdir = "/var/lib/bugzilla".

bugzilla-3.6.6-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/bugzilla-3.6.6-1.fc14

bugzilla-3.6.6-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/bugzilla-3.6.6-1.fc15

bugzilla-4.0.2-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/bugzilla-4.0.2-1.fc16

Package bugzilla-4.0.2-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:

    # su -c 'yum update --enablerepo=updates-testing bugzilla-4.0.2-1.fc16'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/bugzilla-4.0.2-1.fc16
then log in and leave karma (feedback).

bugzilla-3.6.6-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

bugzilla-3.6.6-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

bugzilla-4.0.2-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.