Description of problem:
When saving a smtpserver in a fresh installation 5.0.3 on Fedora 25 I get the error message "The new value for smtpserver is invalid: Cannot connect to" and the server name. There is nothing useful in the logs. Only Slurp.pm complaining about utf8, which happens on every page.
Version-Release number of selected component (if applicable):
5.0.3
How reproducible:
Steps to Reproduce:
1. Go to section editparams.cgi?section=mta
2. Enter a smtp host
3. Click "save changes" at the bottom of the form
Actual results:
Error message "The new value for smtpserver is invalid: Cannot connect to"
Expected results:
smtpserver value is updated
Additional info:
I know this mail server is working and accessible as I tested it with telnet and openssl s_client. I also have this same smtpserver in another upgraded installation version 5.0.2 on windows and it saves and works fine.
moving this to bugzilla package...
I'd like to mention that this bug prevents me from configuring the server correctly. I'd like to amend the priority to high as this blocks my continued migration process. I suspect it doesn't only affect me, but anyone making a fresh install of bugzilla on fc25.
This is an selinux issue:
type=AVC msg=audit(1491427462.96:1206): avc: denied { create } for pid=21885 comm="editparams.cgi" scontext=system_u:system_r:bugzilla_script_t:s0 tcontext=system_u:system_r:bugzilla_script_t:s0 tclass=netlink_route_socket permissive=0
I'm not sure how to handle this. I'll investigate...
I added these rules, but I still get the same error. No more selinux complaints and nothing in the httpd logs either.
module local-bugzilla 1.0;
require {
    type bugzilla_script_t;
    class netlink_route_socket { bind create getattr };
    class udp_socket { connect create };
}
#============= bugzilla_script_t ==============
allow bugzilla_script_t self:netlink_route_socket { bind create getattr };
allow bugzilla_script_t self:udp_socket { connect create };
Having tried pretty much every other option, I came back to the selinux thing. I have a selinux file that reads:
module my-editparamscgi 1.0;
require {
    type bugzilla_script_t;
    class netlink_route_socket create;
    class udp_socket create;
}
#============= bugzilla_script_t ==============
allow bugzilla_script_t self:netlink_route_socket create;
#!!!! This avc is allowed in the current policy
allow bugzilla_script_t self:udp_socket create;
With this, I can change the smtpserver any way I want (provided smtp_username and smtp_password have valid contents) but that doesn't seem very different from what you tried. I'll run more tests.
I upgraded and installed some more modules to make it look more similar to the windows installation. No difference. What I do notice is that mod_perl and Net-SMTP-SSL are not installed on the windows installation, but they are on Fedora. In fact, bugzilla is dependent on this module in Fedora but not in windows. These are the only entries in the journalctl:
There is nothing selinux related there. This is the apache ssl_error_log:
[Sun Oct 08 06:09:27.334135 2017] [ssl:warn] [pid 29841] AH01909: fc25.localdomain:443:0 server certificate does NOT include an ID which matches the server name
apache ssl_access_log
192.168.0.117 - - [08/Oct/2017:06:19:36 +1000] "POST /bugzilla/editparams.cgi HTTP/1.1" 200 6490
The following is the output from checksetup.pl --check-modules on each.
Any help is much appreciated. I'm not sure how to get to the root of the problem since everything looks fine to me.
It's definitely selinux causing the problem. If I switch to non-enforcing, it works. It turned out I had silent denials and had to turn off the dontaudit policy in semodule. I ended up with this policy, which works. There are still some silent denials for httpd triggered by the editparams.cgi script in bugzilla, but they don't appear to be an issue for this problem. I only tested it with smtpserver change, I ended up with this policy (hth):
module local-bugzilla 1.0;
require {
    type bugzilla_script_t;
    class netlink_route_socket { bind create getattr nlmsg_read write read };
    class udp_socket { connect create getattr write read };
}
#============= bugzilla_script_t ==============
allow bugzilla_script_t self:netlink_route_socket { bind create getattr nlmsg_read write read };
allow bugzilla_script_t self:udp_socket { connect create getattr write read };
I hope you can pass this on to the bugzilla selinux package maintainers for fc 25 and 26.
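The workflow described in the comment above (make dontaudit-hidden denials visible, then fold every AVC into one local module), as an added example that is not part of the original thread. The helper avc_to_te and the sample log are assumptions: only the first sample denial is quoted from this report, the rest are constructed, and on a real host audit2allow does this job. It goes slightly beyond the thread by also handling denials whose target type differs from the source.

```shell
#!/bin/sh
# Added example: avc_to_te is a hypothetical, reduced stand-in for audit2allow.
# It folds AVC denials into one local module, de-duplicating permissions.
avc_to_te() {  # usage: avc_to_te MODULE_NAME < audit-log-lines
    awk -v mod="$1" '
    function field(key,    i, kv) {            # value of key=value on this line
        for (i = 1; i <= NF; i++) { split($i, kv, "="); if (kv[1] == key) return kv[2] }
        return ""
    }
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }  # user:role:TYPE:level
    function has(list, item) { return index(" " list " ", " " item " ") > 0 }
    /avc:/ && /denied/ {
        src = setype(field("scontext")); tgt = setype(field("tcontext"))
        cls = field("tclass"); b = index($0, "{"); e = index($0, "}")
        if (src == "" || tgt == "" || cls == "" || b == 0 || e < b) next
        n = split(substr($0, b + 1, e - b - 1), perm, " ")
        if (n == 0) next
        if (!has(types, src)) types = types " " src
        if (tgt == src) { tgt = "self" } else if (!has(types, tgt)) { types = types " " tgt }
        rule = src " " tgt ":" cls
        if (!(rule in rperm)) rules[++nr] = rule     # keep first-seen order
        if (!(cls in cperm)) classes[++nc] = cls
        for (i = 1; i <= n; i++) {
            if (!has(rperm[rule], perm[i])) rperm[rule] = rperm[rule] " " perm[i]
            if (!has(cperm[cls], perm[i])) cperm[cls] = cperm[cls] " " perm[i]
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        nt = split(types, t, " ")
        for (i = 1; i <= nt; i++) printf "    type %s;\n", t[i]
        for (i = 1; i <= nc; i++) printf "    class %s {%s };\n", classes[i], cperm[classes[i]]
        print "}\n"
        for (i = 1; i <= nr; i++) printf "allow %s {%s };\n", rules[i], rperm[rules[i]]
    }'
}

sample_avcs() {  # constructed sample; only the first denial is quoted from the report
    c='system_u:system_r:bugzilla_script_t:s0'; p='for pid=21885 comm="editparams.cgi"'
    cat <<EOF
type=AVC msg=audit(1491427462.96:1206): avc: denied { create } $p scontext=$c tcontext=$c tclass=netlink_route_socket permissive=0
type=AVC msg=audit(1491427462.97:1207): avc: denied { bind getattr } $p scontext=$c tcontext=$c tclass=netlink_route_socket permissive=0
type=AVC msg=audit(1491427462.98:1208): avc: denied { nlmsg_read } $p scontext=$c tcontext=$c tclass=netlink_route_socket permissive=0
type=SYSCALL msg=audit(1491427462.98:1208): arch=c000003e syscall=41 success=no exit=-13 comm="editparams.cgi"
type=AVC msg=audit(1491427463.01:1209): avc: denied { create connect } $p scontext=$c tcontext=$c tclass=udp_socket permissive=0
type=AVC msg=audit(1491427463.02:1210): avc: denied { create } $p scontext=$c tcontext=$c tclass=udp_socket permissive=0
EOF
}

# On the affected host (root, SELinux tooling installed) the equivalent steps are:
#   semodule -DB      # rebuild the policy with dontaudit rules disabled
#   ...reproduce the failing save in editparams.cgi...
#   ausearch -m avc -c editparams.cgi | audit2allow -M local-bugzilla
#   semodule -i local-bugzilla.pp   # load the module after reviewing the .te file
#   semodule -B       # rebuild again with dontaudit rules restored
sample_avcs | avc_to_te local-bugzilla
```

Each pass only shows the denials hit before the script gave up, so the reproduce-and-collect step usually has to be repeated until no new AVCs appear, which matches the growing permission sets in the policies posted in this thread.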
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
According to advice on #fedora-devel, this is a selinux-policy. Re-assigning.
selinux-policy-3.13.1-260.18.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5ac57e518
selinux-policy-3.13.1-260.18.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5ac57e518
selinux-policy-3.13.1-260.18.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.