Summary:

SELinux is preventing /usr/bin/perl from using potentially mislabeled files /usr/share/bugzilla/graphs.

Detailed Description:

SELinux has denied the reports.cgi access to potentially mislabeled files /usr/share/bugzilla/graphs. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types: httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, tmp_t, httpd_bugzilla_tmp_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /usr/share/bugzilla/graphs so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/usr/share/bugzilla/graphs', where FILE_TYPE is one of the following: httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, tmp_t, httpd_bugzilla_tmp_t. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_bugzilla_script_t:SystemLow
Target Context                unconfined_u:object_r:httpd_bugzilla_content_t:SystemLow
Target Objects                /usr/share/bugzilla/graphs [ dir ]
Source                        reports.cgi
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.10.0-87.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-84.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.12-174.2.3.fc12.i686.PAE #1 SMP Mon Jan 18 20:06:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Fri 12 Feb 2010 09:10:14 AM EST
Last Seen                     Fri 12 Feb 2010 09:10:14 AM EST
Local ID                      bce33fae-d62f-42e5-b75d-b7c9997dadba
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1265983814.505:126280): avc: denied { write } for pid=23086 comm="reports.cgi" name="graphs" dev=dm-1 ino=1055651 scontext=unconfined_u:system_r:httpd_bugzilla_script_t:s0 tcontext=unconfined_u:object_r:httpd_bugzilla_content_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1265983814.505:126280): arch=40000003 syscall=5 success=no exit=-13 a0=a7cca0c a1=8241 a2=1b6 a3=0 items=0 ppid=2427 pid=23086 auid=0 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=13238 comm="reports.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_bugzilla_script_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-84.fc12,httpd_bad_labels,reports.cgi,httpd_bugzilla_script_t,httpd_bugzilla_content_t,dir,write

audit2allow suggests:

#============= httpd_bugzilla_script_t ==============
#!!!! The source type 'httpd_bugzilla_script_t' can write to a 'dir' of the following types:
# httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, tmp_t, httpd_bugzilla_tmp_t

allow httpd_bugzilla_script_t httpd_bugzilla_content_t:dir write;
This looks like local customization. If bugzilla needs to write to this directory it should be under /var/lib/bugzilla. Or you can change the labeling of the /usr/share/bugzilla/graphs directory:

semanage fcontext -a -e /var/lib/bugzilla /usr/share/bugzilla/graphs

Reopen this if it is not a local customization.
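As an added worked example (not part of this bug report, Bugzilla or the Fedora policy package), the script below parses the AVC record from the report above, checks the target type against the set audit2allow listed as writable by httpd_bugzilla_script_t, and, when the target is merely mislabeled, emits the equivalence relabel from the previous comment instead of the new allow rule. The sample line, the WRITABLE_BY_SCRIPT set and the helper names are taken from this report, not from any policy API.

```python
import re

# AVC record constructed from the report above (the node=(removed) prefix dropped).
SAMPLE_AVC = ('type=AVC msg=audit(1265983814.505:126280): avc: denied { write } '
              'for pid=23086 comm="reports.cgi" name="graphs" dev=dm-1 ino=1055651 '
              'scontext=unconfined_u:system_r:httpd_bugzilla_script_t:s0 '
              'tcontext=unconfined_u:object_r:httpd_bugzilla_content_t:s0 tclass=dir')

# Directory types that audit2allow said httpd_bugzilla_script_t may write to (from the report).
WRITABLE_BY_SCRIPT = {"httpd_bugzilla_content_ra_t", "httpd_bugzilla_content_rw_t",
                      "tmp_t", "httpd_bugzilla_tmp_t"}

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions plus the key=value fields of one AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    # user:role:type:level -- the third field of a context is the SELinux type.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def triage(avc, writable_types, path, equiv_dir="/var/lib/bugzilla"):
    """Decide whether a directory write denial is a labeling problem or something else.

    A mislabeled target is fixed by relabeling the path (persistently, via an
    fcontext equivalence to a directory the policy already treats as writable)
    rather than by loading the allow rule audit2allow proposes.
    """
    if "write" not in avc["perms"] or avc["tclass"] != "dir":
        return {"kind": "other", "fix": None}
    if avc["ttype"] in writable_types:
        # Policy already permits this type; the cause is not the label, so do not relabel.
        return {"kind": "not_labeling", "fix": None}
    fix = "semanage fcontext -a -e %s %s && restorecon -Rv %s" % (equiv_dir, path, path)
    return {"kind": "mislabeled", "source": avc["stype"], "target": avc["ttype"], "fix": fix}


if __name__ == "__main__":
    result = triage(parse_avc(SAMPLE_AVC), WRITABLE_BY_SCRIPT, "/usr/share/bugzilla/graphs")
    print(result["kind"], "->", result["fix"])
```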
This was a straight installation from Fedora repository.
What package owns /usr/share/bugzilla/graphs?

rpm -qf /usr/share/bugzilla/graphs
It shows up as not owned by any package, but so do a lot of other files and directories. I think they are created when bugzilla is installed or when ./checksetup.pl is run. I checked two different bugzilla installations on Fedora 12 servers. Neither server had any customization done by hand. Here is a list of files not owned by any package that are in the /usr/share/bugzilla directory.

file /usr/share/bugzilla/graphs is not owned by any package
file /usr/share/bugzilla/contrib/.htaccess is not owned by any package
file /usr/share/bugzilla/.htaccess is not owned by any package
file /usr/share/bugzilla/template/.htaccess is not owned by any package
file /usr/share/bugzilla/lib is not owned by any package
file /usr/share/bugzilla/lib/.htaccess is not owned by any package
file /usr/share/bugzilla/docs is not owned by any package
file /usr/share/bugzilla/extensions is not owned by any package
file /usr/share/bugzilla/Bugzilla/.htaccess is not owned by any package
file /usr/share/bugzilla/t/.htaccess is not owned by any package
file /usr/share/bugzilla/skins/custom is not owned by any package
file /usr/share/bugzilla/skins/custom/panel.css is not owned by any package
file /usr/share/bugzilla/skins/custom/global.css is not owned by any package
file /usr/share/bugzilla/skins/custom/voting.css is not owned by any package
file /usr/share/bugzilla/skins/custom/params.css is not owned by any package
file /usr/share/bugzilla/skins/custom/admin.css is not owned by any package
file /usr/share/bugzilla/skins/custom/summarize-time.css is not owned by any package
file /usr/share/bugzilla/skins/custom/dependency-tree.css is not owned by any package
file /usr/share/bugzilla/skins/custom/yui is not owned by any package
file /usr/share/bugzilla/skins/custom/yui/calendar.css is not owned by any package
file /usr/share/bugzilla/skins/custom/create_attachment.css is not owned by any package
file /usr/share/bugzilla/skins/custom/duplicates.css is not owned by any package
file /usr/share/bugzilla/skins/custom/editusers.css is not owned by any package
file /usr/share/bugzilla/skins/custom/show_bug.css is not owned by any package
file /usr/share/bugzilla/skins/custom/release-notes.css is not owned by any package
file /usr/share/bugzilla/skins/custom/index.css is not owned by any package
file /usr/share/bugzilla/skins/custom/show_multiple.css is not owned by any package
file /usr/share/bugzilla/skins/custom/IE-fixes.css is not owned by any package
file /usr/share/bugzilla/skins/custom/buglist.css is not owned by any package
file /usr/share/bugzilla/skins/custom/help.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/panel.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/voting.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/params.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/admin.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/summarize-time.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/dependency-tree.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/yui is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/yui/calendar.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/create_attachment.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/duplicates.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/editusers.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/show_bug.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/release-notes.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/show_multiple.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/IE-fixes.css is not owned by any package
file /usr/share/bugzilla/skins/contrib/Dusk/help.css is not owned by any package
I guess the question then, is what is the cgi script trying to write in that directory. Does it create the .htaccess file?
The .htaccess file was created, but whether it was created by the cgi script, I do not know. The only thing I ever see being put into /usr/share/bugzilla/graphs are png files when "Old Charts" is selected and run from the Bugzilla reports page. I did a chcon -t httpd_bugzilla_content_rw_t /usr/share/bugzilla/graphs and no longer get the sealert, but that is obviously a workaround.
Taking this one. I've submitted a fix upstream. If this is accepted, I'll release a fix on Fedora.
http://koji.fedoraproject.org/koji/taskinfo?taskID=2221992 Coming soon to a rawhide mirror near you.