RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1000736 - munin zooming doesn't work with selinux
Summary: munin zooming doesn't work with selinux
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-24 19:38 UTC by Peter Schiffer
Modified: 2013-10-30 09:46 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-30 09:46:03 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
audit.log (4.70 KB, text/plain)
2013-08-24 19:38 UTC, Peter Schiffer
no flags Details

Description Peter Schiffer 2013-08-24 19:38:16 UTC
Created attachment 789900 [details]
audit.log

Description of problem:
zooming doesn't work when selinux is in enforcing mode

Version-Release number of selected component (if applicable):
munin-2.0.17-1.el6.noarch
selinux-policy-3.7.19-195.el6_4.12.noarch
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch

Steps to Reproduce:
1. click on munin graph to zoom in

Actual results:
no graph image

Expected results:
graph image

Additional info:
it works with selinux in permissive mode

Comment 1 d. johnson 2013-08-24 21:22:34 UTC
Can you run this and post the results?

ls -Z /var/log/munin/


It looks like the context is not setup properly.  Have you already tried restorecon?

Comment 2 Peter Schiffer 2013-08-25 10:05:49 UTC
# ls -Z /var/log/munin/
-rw-r--r--. apache apache system_u:object_r:munin_log_t:s0 munin-cgi-graph.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-graph.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-html.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-limits.log
-rw-r--r--. munin  munin  system_u:object_r:munin_log_t:s0 munin-update.log

# restorecon -FRvv /var/log/munin/
#

I tried restorecon but it's still the same result. I also tried changing context of munin-cgi-graph.log file to httpd_log_t but that didn't help either.

This is error log from apache:

[Sun Aug 25 11:59:44 2013] [error] [client XXX] 2013/08/25 11:59:44 [FATAL] munin_readconfig_part(datafile) - missing file, referer: http://XXX/munin/static/dynazoom.html?cgiurl_graph=/munin-cgi/munin-cgi-graph&plugin_name=localhost/localhost/apache_processes&size_x=800&size_y=400&start_epoch=1377316503&stop_epoch=1377424503
[Sun Aug 25 11:59:44 2013] [error] [client XXX] Premature end of script headers: munin-cgi-graph, referer: http://XXX/munin/static/dynazoom.html?cgiurl_graph=/munin-cgi/munin-cgi-graph&plugin_name=localhost/localhost/apache_processes&size_x=800&size_y=400&start_epoch=1377316503&stop_epoch=1377424503

Comment 3 d. johnson 2013-08-26 20:48:45 UTC
Changing to selinux-policy for a policy update.

Comment 5 Miroslav Grepl 2013-08-27 12:02:52 UTC
Where is munin-cgi-graph located? And how it is labeled?

# ls -Z PATHTO/munin-cgi-graph

Comment 6 Peter Schiffer 2013-08-27 12:05:20 UTC
# ls -Z /var/www/cgi-bin
-rwxr-xr-x. root munin system_u:object_r:httpd_sys_script_exec_t:s0 munin-cgi-graph
-rwxr-xr-x. root munin system_u:object_r:httpd_sys_script_exec_t:s0 munin-cgi-html

Comment 7 Miroslav Grepl 2013-08-27 12:27:59 UTC
We need to back port changes from Fedora.

# chcon -t httpd_munin_script_exec_t /var/www/cgi-bin/munin-cgi*

Comment 8 Miroslav Grepl 2013-10-30 09:46:03 UTC
More fixes have been added during RHEL6.5 cycle related to munin and this bug should be fixed. If no, please re-open the bug and it will be addressed in RHEL6.6.


Note You need to log in before you can comment on or make changes to this bug.