Bug 566513 - mailgraph-selinux does not work fine
Summary: mailgraph-selinux does not work fine
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: mailgraph
Version: el5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Bernard Johnson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-02-18 17:09 UTC by Stefano Biagiotti
Modified: 2011-08-18 00:30 UTC

Fixed In Version: mailgraph-1.14-8.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-17 04:51:30 UTC
Type: ---
Embargoed:

Description Stefano Biagiotti 2010-02-18 17:09:01 UTC
Description:

I installed mailgraph-1.14-6.el5 and mailgraph-selinux-1.14-6.el5 from EPEL 5 testing repository.

Opening http://localhost/mailgraph/ with SELinux in enforcing mode, I can't view the graph images such as http://localhost/mailgraph/mailgraph.cgi?0-n.

-------------------------------

Steps to Reproduce:

1. # setenforce 1
2. # service httpd start
3. # service mailgraph start
4. # wget http://localhost/mailgraph/mailgraph.cgi?0-n
   --2010-02-18 12:17:38--  http://localhost/mailgraph/mailgraph.cgi?0-n
   Resolving localhost... 127.0.0.1
   Connecting to localhost|127.0.0.1|:80... connected.
   HTTP request sent, awaiting response... 500 Internal Server Error
   2010-02-18 12:17:38 ERROR 500: Internal Server Error.

--------------------------------

Actual results:

In /var/log/httpd/error_log:
[Thu Feb 18 12:21:17 2010] [error] [client 127.0.0.1] ERROR: opening '/var/lib/mailgraph/mailgraph.rrd': Permission denied
[Thu Feb 18 12:21:17 2010] [error] [client 127.0.0.1] Premature end of script headers: mailgraph.cgi

In /var/log/audit/audit.log:
type=AVC msg=audit(1266491858.707:87343): avc:  denied  { read } for  pid=22843 comm="mailgraph.cgi" name="mailgraph.rrd" dev=dm-0 ino=491781 scontext=root:system_r:httpd_mailgraph_script_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file

--------------------------------

NOTE: this bug should be filed against mailgraph-selinux, but it is not included in the "Component" list above.

Comment 1 Mark Chappell 2010-09-28 20:58:50 UTC
Actually you filed this against the correct package, mailgraph-selinux is a sub-package of mailgraph.

What's happened is that mailgraph.rrd hasn't picked up the context it's supposed to have.  This is because fixfiles -R only acts upon the files that are owned by the rpm and the rrd file is being generated before the selinux module is installed.  What I can't spot is what's generating the rrd files...

The quick hack fix to get you up and running is simply:

restorecon -RvF /var/lib/mailgraph

This is possibly also the best bet as a fix in the post script.


Mark

Comment 2 Fedora Update System 2010-10-02 13:29:26 UTC
mailgraph-1.14-8.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/mailgraph-1.14-8.el5

Comment 3 Fedora Update System 2010-10-02 13:31:01 UTC
mailgraph-1.14-8.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mailgraph-1.14-8.fc14

Comment 4 Fedora Update System 2010-10-02 13:32:54 UTC
mailgraph-1.14-8.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mailgraph-1.14-8.fc13

Comment 5 Fedora Update System 2010-10-02 19:50:39 UTC
mailgraph-1.14-8.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update mailgraph'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/mailgraph-1.14-8.el5

Comment 6 Stefano Biagiotti 2010-10-12 15:51:36 UTC
mailgraph-1.14-8.el5 and mailgraph-selinux-1.14-8.el5 from epel-testing work for me.

Thank you.

Comment 7 Fedora Update System 2010-10-17 04:51:26 UTC
mailgraph-1.14-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-10-17 21:01:58 UTC
mailgraph-1.14-8.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2010-10-18 05:44:02 UTC
mailgraph-1.14-8.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Patrick 2011-08-18 00:01:19 UTC
I just installed CentOS 6 x86_64 with mailgraph from EPEL:

$ rpm -qa | grep mailgraph
mailgraph-selinux-1.14-8.el6.noarch
mailgraph-1.14-8.el6.noarch

$ cat /etc/centos-release 
CentOS Linux release 6.0 (Final)

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

And with SELinux enabled, browsing to http://host/mailgraph gives a 500 Internal Server Error, but when I set SELinux to permissive it works fine.

The error in /var/log/httpd/error_log:

[Thu Aug 18 01:57:41 2011] [error] [client 10.0.0.135] (13)Permission denied: exec of '/usr/share/mailgraph/mailgraph.cgi' failed
[Thu Aug 18 01:57:41 2011] [error] [client 10.0.0.135] Premature end of script headers: mailgraph.cgi

The error in /var/log/audit/audit.log:
type=AVC msg=audit(1313625461.090:635): avc:  denied  { execute } for  pid=3696 comm="httpd" name="mailgraph.cgi" dev=sda2 ino=43519719 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1313625461.090:635): arch=c000003e syscall=59 success=no exit=-13 a0=7f994b14b130 a1=7f994b150ee8 a2=7f994b150f00 a3=7fffa58254a0 items=0 ppid=2970 pid=3696 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=11 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Also tried the restorecon trick mentioned above, but it did not seem to do anything.
$ sudo restorecon -RvF /var/lib/mailgraph
$

After the restorecon trick I still get the same error.

Comment 11 Patrick 2011-08-18 00:30:25 UTC
I tried the changes from bz243302 and it still does not work.

With these applied:

$ sudo chcon -t httpd_sys_script_exec_t /usr/share/mailgraph/mailgraph.cgi
$ sudo chcon -R -t httpd_sys_script_ra_t /var/cache/mailgraph
$ sudo chcon -R -t httpd_sys_script_ra_t /var/lib/mailgraph

And with SELinux in permissive mode:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

I see this error in /var/log/audit/audit.log

type=AVC msg=audit(1313627079.285:995): avc:  denied  { setattr } for  pid=4748 comm="mailgraph.cgi" name="fontconfig" dev=sda2 ino=96731533 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1313627079.285:995): arch=c000003e syscall=90 success=no exit=-1 a0=e11140 a1=1ed a2=d a3=7ffff491fbe0 items=0 ppid=2976 pid=4748 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=11 comm="mailgraph.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

At least the chcon changes seem to have solved the errors in comment #10.

Please let me know if you need more information or would like me to test a new policy.
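As an added diagnostic example (not part of this bug report or of the mailgraph package), the Python below parses AVC records of the shape quoted in Comment 10 and Comment 11 and, following Mark's reasoning in Comment 1, flags denials where an httpd domain hit a file still carrying a generic default type such as var_lib_t or usr_t (a relabelling problem that restorecon can fix) as opposed to a target that already carries a specific type. The sample records are constructed from the ones on this page, and the GENERIC_TYPES set is an illustrative assumption, not an exhaustive list.

```python
"""Triage SELinux AVC denials: separate 'file never got its context'
cases (generic target type, fix by relabelling) from everything else."""
import re

# Constructed sample, modelled on the audit.log records quoted in this bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1266491858.707:87343): avc:  denied  { read } for  pid=22843 comm="mailgraph.cgi" name="mailgraph.rrd" dev=dm-0 ino=491781 scontext=root:system_r:httpd_mailgraph_script_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1313625461.090:635): arch=c000003e syscall=59 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1313625461.090:635): avc:  denied  { execute } for  pid=3696 comm="httpd" name="mailgraph.cgi" dev=sda2 ino=43519719 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1313627079.285:995): avc:  denied  { setattr } for  pid=4748 comm="mailgraph.cgi" name="fontconfig" dev=sda2 ino=96731533 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*?scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

# Default labels a file ends up with when no file-context rule matched at
# creation time (assumption: illustrative subset, not an exhaustive list).
GENERIC_TYPES = {"var_lib_t", "usr_t", "var_t", "default_t", "etc_t"}


def parse_avc(line):
    """Return a dict of the AVC fields, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()          # "{ read }" -> ["read"]
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:TYPE:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def is_label_mismatch(rec):
    """An httpd-domain subject denied on a generic default type: the target
    never picked up the context the policy module expects (Comment 1)."""
    return rec["stype"].startswith("httpd_") and rec["ttype"] in GENERIC_TYPES


def triage(log_text):
    """One summary line per AVC record; SYSCALL records are skipped."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # OTHER: target already has a specific type, so relabelling is
        # unlikely to change anything; the policy itself needs review.
        tag = "MISLABELLED" if is_label_mismatch(rec) else "OTHER"
        rows.append(f"{tag}: {rec['comm']} ({rec['stype']}) denied "
                    f"{','.join(rec['perms'])} on {rec['name'] or '?'} "
                    f"({rec['ttype']}, {rec['tclass']})")
    return rows
```

Run against a real audit.log, the MISLABELLED rows are the ones a `restorecon -RvF` of the named path should clear.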

