Bug 950300

Summary: bugzilla-4.2.5-1.fc18.noarch throws AVC when trying to load
Product: [Fedora] Fedora
Reporter: Kyle Brantley <kyle>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: unspecified
Version: 18
CC: dwalsh
Hardware: All
OS: Linux
Type: Bug
Doc Type: Bug Fix
Last Closed: 2013-04-18 02:53:15 UTC

Description Kyle Brantley 2013-04-10 03:19:17 UTC
Description of problem:
The default install of the bugzilla RPM tries to access /etc/pki/tls/openssl.cnf once the page is loaded. This is denied under current policy.


Version-Release number of selected component (if applicable):
# rpm -qa | egrep 'bugzilla|selinux-policy|kernel-' | sort
bugzilla-4.2.5-1.fc18.noarch
kernel-3.8.3-203.fc18.x86_64
kernel-3.8.4-202.fc18.x86_64
kernel-3.8.5-201.fc18.x86_64
kernel-headers-3.8.5-201.fc18.x86_64
selinux-policy-3.11.1-86.fc18.noarch
selinux-policy-devel-3.11.1-86.fc18.noarch
selinux-policy-doc-3.11.1-86.fc18.noarch
selinux-policy-targeted-3.11.1-86.fc18.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install bugzilla, and configure it via checksetup.pl.
2. Attempt to load bugzilla instance
  
Actual results:
HTTP 500 Internal Server Error

Expected results:
Functional bugzilla


Additional info:
# tail /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1365563353.993:3120): avc:  denied  { open } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563353.993:3121): avc:  denied  { getattr } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563839.416:3123): avc:  denied  { search } for  pid=7698 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365563841.489:3124): avc:  denied  { search } for  pid=7700 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir

# tail /var/log/audit/audit.log | audit2allow


#============= httpd_bugzilla_script_t ==============
allow httpd_bugzilla_script_t cert_t:dir search;
allow httpd_bugzilla_script_t cert_t:file { getattr open };

Comment 1 Kyle Brantley 2013-04-10 03:26:43 UTC
Sorry, I missed a few AVCs:

# tail -n600 /var/log/audit/audit.log | grep AVC
type=USER_AVC msg=audit(1365563244.141:3111): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1365563244.141:3112): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1365563308.620:3117): avc:  denied  { search } for  pid=7566 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365563314.490:3118): avc:  denied  { search } for  pid=7573 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365563353.993:3120): avc:  denied  { read } for  pid=7587 comm="index.cgi" name="openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563353.993:3120): avc:  denied  { open } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563353.993:3121): avc:  denied  { getattr } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563839.416:3123): avc:  denied  { search } for  pid=7698 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365563841.489:3124): avc:  denied  { search } for  pid=7700 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365564174.257:3143): avc:  denied  { read } for  pid=7875 comm="index.cgi" name="openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365564227.730:3145): avc:  denied  { read } for  pid=7896 comm="index.cgi" name="openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file


*** Resulting .te:

module bugzilla-certs 1.0;

require {
        type httpd_bugzilla_script_t;
        type cert_t;
        class dir search;
        class file { read getattr open };
}

#============= httpd_bugzilla_script_t ==============
allow httpd_bugzilla_script_t cert_t:dir search;
allow httpd_bugzilla_script_t cert_t:file read;
allow httpd_bugzilla_script_t cert_t:file { getattr open };
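
The steps above (tail the audit log, pipe it to audit2allow, get a .te) are worth seeing as code, because the interesting part is what audit2allow collapses: several denials on the same source domain, target type and object class become one allow rule. The following is an added example, not part of the report or of audit2allow itself; it reimplements that merge over AVC lines copied from Comment 1 (plus a USER_AVC setenforce notice that must be ignored) and renders the same .te module. The regex, the function names and the sample text are this example's own. Note that the resulting rule keys on the target type, so it grants httpd_bugzilla_script_t read on every cert_t-labelled file, not only on openssl.cnf; that scope is what a reviewer should weigh before installing such a module.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines taken from Comment 1 of this report, plus one
# USER_AVC line (a setenforce notice, not a denial) that the parser must skip.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1365563244.141:3112): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1365563308.620:3117): avc:  denied  { search } for  pid=7566 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365563353.993:3120): avc:  denied  { read } for  pid=7587 comm="index.cgi" name="openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563353.993:3120): avc:  denied  { open } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563353.993:3121): avc:  denied  { getattr } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
"""

# Pull the permission set, source domain (third field of scontext), target
# type (third field of tcontext) and object class out of a kernel AVC denial.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)

def parse_denials(text):
    """Return {(source_domain, target_type, tclass): set(perms)} from audit text.
    Lines that are not kernel AVC denials (e.g. USER_AVC notices) are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["sdom"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def fmt_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def to_te(rules, module="bugzilla-certs", version="1.0"):
    """Render merged denials as a minimal .te module, audit2allow style."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)  # class -> union of permissions used on it
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"        type {t};" for t in types]
    out += [f"        class {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (sdom, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {sdom} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_te(parse_denials(SAMPLE_AUDIT)))
```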

Comment 2 Miroslav Grepl 2013-04-10 14:38:23 UTC
Fixed in selinux-policy-3.11.1-89.fc18.noarch

Comment 3 Fedora Update System 2013-04-15 11:12:51 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

Comment 4 Kyle Brantley 2013-04-15 12:19:19 UTC
Tested, working great now. I've provided feedback on the build. Thanks!

Comment 5 Fedora Update System 2013-04-16 00:08:23 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2013-04-18 02:53:17 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.