Bug 732819

Summary: queuegraph-selinux does not work on EL6
Product: [Fedora] Fedora EPEL
Reporter: Patrick <rh_bugzilla>
Component: queuegraph
Assignee: Bernard Johnson <bjohnson>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: el6
CC: bjohnson
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2020-11-30 14:57:14 UTC

Description Patrick 2011-08-23 18:09:02 UTC
Description of problem:
Queuegraph doesn't have SELinux contexts set correctly, and therefore when
SELinux is active, queuegraph won't work through apache.

Version-Release number of selected component (if applicable):
queuegraph-1.1-6.el6.noarch
queuegraph-selinux-1.1-6.el6.noarch

How reproducible:


Steps to Reproduce:
1. yum install queuegraph queuegraph-selinux
2. restart httpd
3. Surf to http://host/queuegraph
  
Actual results:
500 Internal Server Error

Expected results:
The normal queuegraph pages


Additional info:
This was already reported in https://bugzilla.redhat.com/show_bug.cgi?id=731600 but reading the EPEL wiki I noticed that I should report it under product Fedora-EPEL, hence this new bug. Please excuse the double entry. Also see bz566513 for a similar problem with mailgraph (also on EL6).

Here is the error in /var/log/httpd/error_log:

[Thu Aug 18 02:09:04 2011] [error] [client 10.0.0.135] (13)Permission denied: exec of '/usr/share/queuegraph/queuegraph.cgi' failed
[Thu Aug 18 02:09:04 2011] [error] [client 10.0.0.135] Premature end of script headers: queuegraph.cgi

Here is the error in /var/log/audit/audit.log:

type=AVC msg=audit(1313626144.344:719): avc:  denied  { execute } for  pid=3908 comm="httpd" name="queuegraph.cgi" dev=sda2 ino=43519713 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1313626144.344:719): arch=c000003e syscall=59 success=no exit=-13 a0=7f994b151168 a1=7f994b14cec8 a2=7f994b14cee0 a3=7fffa58254a0 items=0 ppid=2974 pid=3908 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=11 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

I noticed the fix in bz243302 and I tried it on queuegraph:

$ sudo chcon -t httpd_sys_script_exec_t /usr/share/queuegraph/queuegraph.cgi
$ sudo chcon -R -t httpd_sys_script_ra_t /var/cache/queuegraph
$ sudo chcon -R -t httpd_sys_script_ra_t /var/lib/queuegraph

Now queuegraph shows (empty) graphs.

It did not work for mailgraph on EL6 (see bz566513) but that is maybe because this is a fresh install and postfix has not been configured yet.

Please let me know if you need more information or would like me to test a new
policy.
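
Added example (not part of the original report or of the queuegraph package): a small Python parser for the AVC denial record quoted above. It extracts the source and target SELinux types so that a labeling problem, here httpd_t denied execute on a file typed usr_t, stands out from the raw audit line. The sample log is constructed from the record in this report and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from this report joined onto one line,
# followed by an abbreviated SYSCALL record that the parser must skip.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1313626144.344:719): avc:  denied  { execute } for  '
    'pid=3908 comm="httpd" name="queuegraph.cgi" dev=sda2 ino=43519713 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1313626144.344:719): arch=c000003e syscall=59 '
    'success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'),
        'name': kv.get('name'),
        'source_type': selinux_type(kv.get('scontext', '')),
        'target_type': selinux_type(kv.get('tcontext', '')),
        'tclass': kv.get('tclass'),
    }

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {'perms': set(), 'names': set()})
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            key = (avc['source_type'], avc['target_type'], avc['tclass'])
            groups[key]['perms'].update(avc['perms'])
            groups[key]['names'].add(avc['name'])
    return dict(groups)
```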

Comment 1 Ben Cotton 2020-11-05 16:51:25 UTC
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is our policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Comment 2 Ben Cotton 2020-11-05 16:54:08 UTC
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version, you are encouraged to change the 'version' to a later version before this bug is closed as described in the policy above.

Comment 3 Ben Cotton 2020-11-30 14:57:14 UTC
EPEL el6 changed to end-of-life (EOL) status on 2020-11-30. EPEL el6 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
EPEL please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.