Bug 710142

Summary: SELinux is preventing /usr/bin/perl from 'write' accesses on the directory /usr/share/bugzilla/graphs.
Product: Fedora
Reporter: John Griffiths <fedora.jrg01>
Component: bugzilla
Assignee: Emmanuel Seyman <emmanuel>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: dominick.grift, dwalsh, emmanuel, itamar, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:d1ed7f0aa41a02ae53deec98522958eeac6b9bedbc4126e2918c0c00c3f96987
Fixed In Version: bugzilla-4.0.2-1.fc16
Doc Type: Bug Fix
Last Closed: 2011-08-19 21:56:46 UTC

Description John Griffiths 2011-06-02 14:23:04 UTC
SELinux is preventing /usr/bin/perl from 'write' accesses on the directory /usr/share/bugzilla/graphs.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed write access on the graphs directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep reports.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_bugzilla_script_t:s0
Target Context                system_u:object_r:httpd_bugzilla_content_t:s0
Target Objects                /usr/share/bugzilla/graphs [ dir ]
Source                        reports.cgi
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.12.3-143.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.13-91.fc14.i686
                              #1 SMP Tue May 3 13:36:36 UTC 2011 i686 i686
Alert Count                   3
First Seen                    Thu 02 Jun 2011 09:46:26 AM EDT
Last Seen                     Thu 02 Jun 2011 09:47:03 AM EDT
Local ID                      55954d8f-da11-4c9c-a742-7ea60535d1ec

Raw Audit Messages
type=AVC msg=audit(1307022423.187:116033): avc:  denied  { write } for  pid=24918 comm="reports.cgi" name="graphs" dev=dm-0 ino=46274434 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:httpd_bugzilla_content_t:s0 tclass=dir


type=SYSCALL msg=audit(1307022423.187:116033): arch=i386 syscall=open success=no exit=EACCES a0=a2430b0 a1=8241 a2=1b6 a3=0 items=0 ppid=4996 pid=24918 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=reports.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null)

Hash: reports.cgi,httpd_bugzilla_script_t,httpd_bugzilla_content_t,dir,write

audit2allow

#============= httpd_bugzilla_script_t ==============
#!!!! The source type 'httpd_bugzilla_script_t' can write to a 'dir' of the following types:
# httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, tmp_t

allow httpd_bugzilla_script_t httpd_bugzilla_content_t:dir write;

audit2allow -R

#============= httpd_bugzilla_script_t ==============
#!!!! The source type 'httpd_bugzilla_script_t' can write to a 'dir' of the following types:
# httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, tmp_t

allow httpd_bugzilla_script_t httpd_bugzilla_content_t:dir write;

Comment 1 Dominick Grift 2011-06-02 14:29:33 UTC
Can you tell bugzilla to write these graphs to /var/lib/bugzilla?

That location should be installed:

rpm -ql bugzilla

Comment 2 Daniel Walsh 2011-06-02 15:15:19 UTC
John, did you customize this, or did bugzilla want to be able to write to /usr/share/bugzilla/graphs by default?

Comment 3 John Griffiths 2011-06-02 15:20:36 UTC
I looked in the Bugzilla administration pages and in localconfig and checked
the on line documentation for Bugzilla and found no reference to a location for
graphs.

By using find and grep I did find that 'graphsdir'   => "$libpath/graphs" is
set in /usr/share/bugzilla/Bugzilla/Constants.pm. I have made no changes to
that file.

Apparently, the /usr/share/bugzilla/graphs directory is the default as set up
by the bugzilla package. I would think the package should be modified to use
the /var/lib/bugzilla/graphs directory if that is the preferable location or
selinux policy should allow writing to the default location. Either solution
would be good, but manual intervention should not be needed to change the
access to a default location in my opinion.

In the meantime, I have created a local policy to allow perl write access to
/usr/share/bugzilla/graphs.

Comment 4 Dominick Grift 2011-06-02 15:23:36 UTC
rpm -ql bugzilla does not show a /usr/share/bugzilla/graphs. So how did it get there? 

$libpath should obviously not be /usr/share

Comment 5 John Griffiths 2011-06-02 15:28:34 UTC
I think I may have added the graphs directory, but my recollection of that is a bit fuzzy. There were some errors when running /usr/share/bugzilla/checksetup.pl, as I remember it, and I am pretty sure it was complaining about a missing directory.

I was in a hurry, since I was updating a production system to FC14 and did not report that error on the bugzilla package.

Comment 6 John Griffiths 2011-06-02 15:30:00 UTC
There is not a /var/lib/bugzilla/graphs in the bugzilla package.

Comment 7 Dominick Grift 2011-06-02 15:30:52 UTC
John, a better solution would be:

semanage fcontext -a -t httpd_bugzilla_rw_content_t "/usr/share/bugzilla/graphs(/.*)?"   # writable type name as listed in the audit2allow output above
restorecon -R -v /usr/share/bugzilla/graphs

And to remove that custom loadable module that you have loaded into the system
to allow this.

Comment 8 Dominick Grift 2011-06-02 15:31:53 UTC
(In reply to comment #6)
> There is not a /var/lib/bugzilla/graphs in the bugzilla package.

I know, but at least bugzilla would have been able to create it there.

Comment 9 John Griffiths 2011-06-02 15:36:09 UTC
That may be true, but that is not where checksetup.pl was looking for it.

Comment 10 Dominick Grift 2011-06-02 15:40:20 UTC
Yes and so this seems to be a bug in bugzilla and it is now re-assigned to the bugzilla component.

Comment 11 John Griffiths 2011-06-02 15:43:36 UTC
I have no problem using semanage to do that, but I just did what sealert said
to do.

I also have no problem with editing Constants.pm to make the graphs directory
in /var/lib/bugzilla.

Changing $libpath from being /usr/share would be problematic for all of
bugzilla I think.

grep '$libpath' /usr/share/bugzilla/Bugzilla/Constants.pm 

    my $libpath = dirname(dirname($INC{'Bugzilla/Constants.pm'}));
    # We have to detaint $libpath, but we can't use Bugzilla::Util here.
    $libpath =~ /(.*)/;
    $libpath = $1;
        'libpath'     => $libpath,
        'ext_libpath' => "$libpath/lib",
        'cgi_path'    => $libpath,
        'templatedir' => "$libpath/template",
        'skinsdir'    => "$libpath/skins",
        'graphsdir'   => "$libpath/graphs",
        'extensionsdir' => "$libpath/extensions",

Comment 12 Dominick Grift 2011-06-02 15:53:19 UTC
Yes, I understand. Unfortunately, the report did not suggest the proper fix. Basically a bug in setroubleshoot-plugins.

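The catchall plugin in the description proposes an allow rule for httpd_bugzilla_script_t on httpd_bugzilla_content_t, comment 7 gives the label-based fix instead, and comment 12 notes that the plugin never suggested it. The script below is an added example, not code from this report, from setroubleshoot or from the bugzilla package: it parses a raw AVC record, and when the denied permission is a write to a plain *_content_t directory or file it prints the relabel commands, otherwise it falls back to the audit2allow steps the plugin printed. It assumes the naming convention visible in the audit2allow output above (a CGI domain <app>_script_t pairs with a writable <app>_rw_content_t); AVC_LINE is the record from this report, and AVC_NET is a constructed record used only to exercise the fallback path.

```shell
#!/bin/sh
# Added example for this report, not code from setroubleshoot or the bugzilla package.
# Reads a raw AVC record and prints the label-based fix from comment 7 when the
# denial is a write to a plain *_content_t object; otherwise it prints the
# audit2allow steps from the description. Assumes the refpolicy naming convention
# shown in the audit2allow output above: a domain <app>_script_t has a matching
# writable type <app>_rw_content_t.

# Extract one key=value field from an AVC record; values may be bare or "quoted".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Type component of a security context user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permissions listed between the braces of "avc: denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p'
}

# Writable content type for a script domain, e.g. httpd_bugzilla_script_t ->
# httpd_bugzilla_rw_content_t. Fails for domains that do not follow the pattern.
rw_type_for_domain() {
    case "$1" in
        *_script_t) printf '%s_rw_content_t\n' "${1%_script_t}" ;;
        *) return 1 ;;
    esac
}

# Print the recommended fix for an AVC record and the path it refers to.
# Exit status 0: relabel commands printed; 2: fell back to audit2allow.
avc_suggest() {
    line=$1; path=$2
    sdom=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perms=" $(avc_perms "$line") "
    rwtype=$(rw_type_for_domain "$sdom") || rwtype=

    relabel=0
    case "$ttype" in
        *_rw_content_t|*_ra_content_t) relabel=0 ;;   # already writable: not a labeling problem
        *_content_t) relabel=1 ;;                      # read-only content type, as in this report
    esac
    case "$tclass" in dir|file) ;; *) relabel=0 ;; esac
    case "$perms" in *' write '*|*' add_name '*|*' create '*) ;; *) relabel=0 ;; esac

    if [ "$relabel" -eq 1 ] && [ -n "$rwtype" ]; then
        printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$rwtype" "$path"
        printf 'restorecon -R -v %s\n' "$path"
        return 0
    fi
    # No label-based fix known: the catchall plugin's advice is what remains.
    printf 'grep %s /var/log/audit/audit.log | audit2allow -M mypol\n' "$(avc_field "$line" comm)"
    printf 'semodule -i mypol.pp\n'
    return 2
}

# The AVC record from the raw audit messages in this report.
AVC_LINE='type=AVC msg=audit(1307022423.187:116033): avc:  denied  { write } for  pid=24918 comm="reports.cgi" name="graphs" dev=dm-0 ino=46274434 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:httpd_bugzilla_content_t:s0 tclass=dir'

# Constructed record (not from the report) for the fallback path: a network
# denial that no file label can fix.
AVC_NET='type=AVC msg=audit(1307022423.187:116099): avc:  denied  { name_connect } for  pid=24918 comm="reports.cgi" dest=3306 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

avc_suggest "$AVC_LINE" /usr/share/bugzilla/graphs
```

The difference between the two fixes is scope: the module built by audit2allow grants httpd_bugzilla_script_t write access to every directory labelled httpd_bugzilla_content_t, which is all of /usr/share/bugzilla, while the fcontext rule changes the label of one path and relies on the access the policy already grants to httpd_bugzilla_rw_content_t. After relabeling, the module loaded earlier should be dropped with `semodule -r mypol`, as comment 7 advises, or the broader grant stays in force.
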
Comment 13 Emmanuel Seyman 2011-08-05 09:28:41 UTC
Ughh, this is bug 564450 all over again.
When we upstreamed the patch in question, we reverted the value $graphsdir back to its upstream default.

I'll release a new version with $graphsdir = "/var/lib/bugzilla".

Comment 14 Fedora Update System 2011-08-05 16:23:21 UTC
bugzilla-3.6.6-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/bugzilla-3.6.6-1.fc14

Comment 15 Fedora Update System 2011-08-05 16:23:29 UTC
bugzilla-3.6.6-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/bugzilla-3.6.6-1.fc15

Comment 16 Fedora Update System 2011-08-05 16:23:37 UTC
bugzilla-4.0.2-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/bugzilla-4.0.2-1.fc16

Comment 17 Fedora Update System 2011-08-05 20:08:13 UTC
Package bugzilla-4.0.2-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing bugzilla-4.0.2-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/bugzilla-4.0.2-1.fc16
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2011-08-19 21:56:41 UTC
bugzilla-3.6.6-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2011-08-19 22:00:26 UTC
bugzilla-3.6.6-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2011-08-22 15:04:28 UTC
bugzilla-4.0.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.