Description:
I installed mailgraph-1.14-6.el5 and mailgraph-selinux-1.14-6.el5 from EPEL 5 testing repository. Opening http://localhost/mailgraph/ with selinux in enforcing mode, I can't view the graph images as http://localhost/mailgraph/mailgraph.cgi?0-n .

-------------------------------
Steps to Reproduce:
1. # setenforce 1
2. # service httpd start
3. # service mailgraph start
4. # wget http://localhost/mailgraph/mailgraph.cgi?0-n
--2010-02-18 12:17:38-- http://localhost/mailgraph/mailgraph.cgi?0-n
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2010-02-18 12:17:38 ERROR 500: Internal Server Error.

--------------------------------
Actual results:
In /var/log/httpd/error_log:
[Thu Feb 18 12:21:17 2010] [error] [client 127.0.0.1] ERROR: opening '/var/lib/mailgraph/mailgraph.rrd': Permission denied
[Thu Feb 18 12:21:17 2010] [error] [client 127.0.0.1] Premature end of script headers: mailgraph.cgi

In /var/log/audit/audit.log:
type=AVC msg=audit(1266491858.707:87343): avc: denied { read } for pid=22843 comm="mailgraph.cgi" name="mailgraph.rrd" dev=dm-0 ino=491781 scontext=root:system_r:httpd_mailgraph_script_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file

--------------------------------
NOTE: this bug should be filed against mailgraph-selinux, but it is not included in the "Component" list above.

Actually you filed this against the correct package, mailgraph-selinux is a sub-package of mailgraph.

What's happened is that mailgraph.rrd hasn't picked up the context it's supposed to have. This is because fixfiles -R only acts upon the files that are owned by the rpm and the rrd file is being generated before the selinux module is installed. What I can't spot is what's generating the rrd files...

The quick hack fix to get you up and running is simply:

restorecon -RvF /var/lib/mailgraph

This is possibly also the best bet as a fix in the post script too.

Mark

mailgraph-1.14-8.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/mailgraph-1.14-8.el5
mailgraph-1.14-8.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/mailgraph-1.14-8.fc14
mailgraph-1.14-8.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/mailgraph-1.14-8.fc13
mailgraph-1.14-8.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update mailgraph'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/mailgraph-1.14-8.el5
mailgraph-1.14-8.el5 and mailgraph-selinux-1.14-8.el5 from epel-testing work for me. Thank you.
mailgraph-1.14-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
mailgraph-1.14-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
mailgraph-1.14-8.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
I just installed CentOS 6 x86_64 with mailgraph from EPEL:

$ rpm -qa | grep mailgraph
mailgraph-selinux-1.14-8.el6.noarch
mailgraph-1.14-8.el6.noarch
$ cat /etc/centos-release
CentOS Linux release 6.0 (Final)
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

And with SELinux enabled, browsing to http://host/mailgraph gives a 500 Internal Server Error, but when I set SELinux to permissive it works fine.

The error in /var/log/httpd/error_log:
[Thu Aug 18 01:57:41 2011] [error] [client 10.0.0.135] (13)Permission denied: exec of '/usr/share/mailgraph/mailgraph.cgi' failed
[Thu Aug 18 01:57:41 2011] [error] [client 10.0.0.135] Premature end of script headers: mailgraph.cgi

The error in /var/log/audit/audit.log:
type=AVC msg=audit(1313625461.090:635): avc: denied { execute } for pid=3696 comm="httpd" name="mailgraph.cgi" dev=sda2 ino=43519719 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1313625461.090:635): arch=c000003e syscall=59 success=no exit=-13 a0=7f994b14b130 a1=7f994b150ee8 a2=7f994b150f00 a3=7fffa58254a0 items=0 ppid=2970 pid=3696 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=11 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Also tried the restorecon trick mentioned above but it did not seem to do anything.

$ sudo restorecon -RvF /var/lib/mailgraph
$

After the restorecon trick I still get the same error.

I tried the changes from bz243302 and it still does not work. With these applied:

$ sudo chcon -t httpd_sys_script_exec_t /usr/share/mailgraph/mailgraph.cgi
$ sudo chcon -R -t httpd_sys_script_ra_t /var/cache/mailgraph
$ sudo chcon -R -t httpd_sys_script_ra_t /var/lib/mailgraph

And with SELinux in permissive mode:

$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

I see this error in /var/log/audit/audit.log:
type=AVC msg=audit(1313627079.285:995): avc: denied { setattr } for pid=4748 comm="mailgraph.cgi" name="fontconfig" dev=sda2 ino=96731533 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1313627079.285:995): arch=c000003e syscall=90 success=no exit=-1 a0=e11140 a1=1ed a2=d a3=7ffff491fbe0 items=0 ppid=2976 pid=4748 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=11 comm="mailgraph.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

At least the chcon changes seem to have solved the errors in comment #10. Please let me know if you need more information or would like me to test a new policy.

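Added example, not part of the bug report or of the mailgraph package: a small parser run over the three AVC records quoted in this thread, separating denials whose target still carries a generic label (the mislabeling case that restorecon or chcon addresses) from denials on a specifically labeled target. The `GENERIC_TYPES` list and the `triage` and `report` helpers are assumptions made for illustration.

```python
import re

# Assumed heuristic list for this example (not taken from any policy source):
# generic default types that suggest a file never got its package-specific label.
GENERIC_TYPES = {"var_lib_t", "usr_t", "var_t", "default_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The three AVC records quoted in this report (SYSCALL records omitted).
SAMPLE = """\
type=AVC msg=audit(1266491858.707:87343): avc: denied { read } for pid=22843 comm="mailgraph.cgi" name="mailgraph.rrd" dev=dm-0 ino=491781 scontext=root:system_r:httpd_mailgraph_script_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1313625461.090:635): avc: denied { execute } for pid=3696 comm="httpd" name="mailgraph.cgi" dev=sda2 ino=43519719 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1313627079.285:995): avc: denied { setattr } for pid=4748 comm="mailgraph.cgi" name="fontconfig" dev=sda2 ino=96731533 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
"""


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    # A context reads user:role:type:level, so the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
    }


def triage(denial):
    """'relabel' when the target has a generic label, otherwise 'policy'."""
    return "relabel" if denial["target_type"] in GENERIC_TYPES else "policy"


def report(text):
    """List (name, source type, target type, verdict) for each AVC denial."""
    denials = filter(None, (parse_avc(line) for line in text.splitlines()))
    return [(d["name"], d["source_type"], d["target_type"], triage(d)) for d in denials]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%-14s %-26s -> %-14s %s" % row)
```

The first two records come out as `relabel` (var_lib_t on the rrd file, usr_t on the CGI script); the fontconfig record targets fonts_cache_t, a specific label, so relabeling the mailgraph directories would not be expected to clear it.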