SELinux is preventing /usr/bin/perl from 'write' accesses on the directory /usr/share/bugzilla/graphs.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that perl should be allowed write access on the graphs directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep reports.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_bugzilla_script_t:s0
Target Context                system_u:object_r:httpd_bugzilla_content_t:s0
Target Objects                /usr/share/bugzilla/graphs [ dir ]
Source                        reports.cgi
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.12.3-143.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.13-91.fc14.i686 #1 SMP Tue May 3 13:36:36 UTC 2011 i686 i686
Alert Count                   3
First Seen                    Thu 02 Jun 2011 09:46:26 AM EDT
Last Seen                     Thu 02 Jun 2011 09:47:03 AM EDT
Local ID                      55954d8f-da11-4c9c-a742-7ea60535d1ec

Raw Audit Messages
type=AVC msg=audit(1307022423.187:116033): avc: denied { write } for pid=24918 comm="reports.cgi" name="graphs" dev=dm-0 ino=46274434 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:httpd_bugzilla_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1307022423.187:116033): arch=i386 syscall=open success=no exit=EACCES a0=a2430b0 a1=8241 a2=1b6 a3=0 items=0 ppid=4996 pid=24918 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=reports.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null)

Hash: reports.cgi,httpd_bugzilla_script_t,httpd_bugzilla_content_t,dir,write

audit2allow

#============= httpd_bugzilla_script_t ==============
#!!!! The source type 'httpd_bugzilla_script_t' can write to a 'dir' of the following types:
# httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, tmp_t

allow httpd_bugzilla_script_t httpd_bugzilla_content_t:dir write;

audit2allow -R

#============= httpd_bugzilla_script_t ==============
#!!!! The source type 'httpd_bugzilla_script_t' can write to a 'dir' of the following types:
# httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, tmp_t

allow httpd_bugzilla_script_t httpd_bugzilla_content_t:dir write;
Can you tell bugzilla to write these graphs to /var/lib/bugzilla? That location should be installed: rpm -ql bugzilla
John did you customize this or did bugzilla want to be able to write to /usr/share/bugzilla/graphs by default?
I looked in the Bugzilla administration pages and in localconfig and checked the on line documentation for Bugzilla and found no reference to a location for graphs. By using find and grep I did find that 'graphsdir' => "$libpath/graphs" is set in /usr/share/bugzilla/Bugzilla/Constants.pm. I have made no changes to that file. Apparently, the /usr/share/bugzilla/graphs directory is the default as set up by the bugzilla package. I would think the package should be modified to use the /var/lib/bugzilla/graphs directory if that is the preferable location or selinux policy should allow writing to the default location. Either solution would be good, but manual intervention should not be needed to change the access to a default location in my opinion. In the meantime, I have created a local policy to allow perl write access to /usr/share/bugzilla/graphs.
rpm -ql bugzilla does not show a /usr/share/bugzilla/graphs. So how did it get there? $libpath should obviously not be /usr/share
I think I may have added the graphs directory, but my recollection of that is a bit fuzzy. There were some errors when running /usr/share/bugzilla/checksetup.pl as I remember it and I am pretty sure it was complaining about a missing directory. I was in a hurry, since I was updating a production system to FC14 and did not report that error on the bugzilla package.
There is not a /var/lib/bugzilla/graphs in the bugzilla package.
John, a better solution would be: semanage fcontext -a -t httpd_bugzilla_content_rw_t "/usr/share/bugzilla/graphs(/.*)?" restorecon -R -v /usr/share/bugzilla/graphs And to remove that custom loadable module that you have loaded into the system to allow this.
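As an added example (not part of this bug report, sealert, or the Bugzilla or selinux-policy packages): a small Python parser that takes the raw AVC line from the sealert report in the description, builds the same allow rule audit2allow printed, and then applies the point made in the comment above, preferring a relabel (semanage fcontext plus restorecon) over a new allow rule whenever sealert's "#!!!!" hint shows the source type can already write to a rw content type. The sample AVC line and the writable-type table are copied from the report; the rw type name is picked from that table by its `_rw_content_t` suffix (the spelling sealert printed); the `recommend` heuristic and the function names are this example's own assumptions.

```python
import re

# Constructed sample input: the raw AVC line from the sealert report above (values as on the page).
SAMPLE_AVC = (
    'type=AVC msg=audit(1307022423.187:116033): avc: denied { write } for pid=24918 '
    'comm="reports.cgi" name="graphs" dev=dm-0 ino=46274434 '
    'scontext=system_u:system_r:httpd_bugzilla_script_t:s0 '
    'tcontext=system_u:object_r:httpd_bugzilla_content_t:s0 tclass=dir'
)

# Types sealert's "#!!!!" hint lists as already writable (dir class) by the source type.
# Taken from the report; a real tool would query the loaded policy (sesearch) instead.
WRITABLE_DIR_TYPES = {
    "httpd_bugzilla_script_t": {
        "httpd_bugzilla_ra_content_t", "httpd_bugzilla_rw_content_t",
        "httpd_bugzilla_tmp_t", "tmp_t",
    },
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Extract permissions, source/target types and object class from one AVC denial line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}

    def type_of(ctx):  # user:role:type:level -> type
        return ctx.split(":")[2]

    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def allow_rule(d):
    """Render the rule audit2allow would emit: braces only when more than one permission."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {d['stype']} {d['ttype']}:{d['tclass']} {perms};"


def recommend(d, path):
    """Prefer relabeling the object to a type the domain may already write, instead of
    widening policy with a new allow rule. Falls back to the allow rule when no such
    rw type is known for the source domain. (Heuristic assumed by this example.)"""
    writable = WRITABLE_DIR_TYPES.get(d["stype"], set())
    if "write" in d["perms"] and d["tclass"] == "dir" and d["ttype"] not in writable:
        rw_types = sorted(t for t in writable if t.endswith("_rw_content_t"))
        if rw_types:
            return [
                f'semanage fcontext -a -t {rw_types[0]} "{path}(/.*)?"',
                f"restorecon -R -v {path}",
            ]
    return [allow_rule(d)]


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print("audit2allow would emit:", allow_rule(denial))
    print("preferred fix:")
    for cmd in recommend(denial, "/usr/share/bugzilla/graphs"):
        print("  #", cmd)
```

Run against the sample line it prints the `allow httpd_bugzilla_script_t httpd_bugzilla_content_t:dir write;` rule and then the semanage/restorecon pair, which is the fix the comment above recommends; for a domain with no known rw content type it falls back to the allow rule, so it only replaces the audit2allow suggestion where a less privileged alternative exists.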
(In reply to comment #6)
> There is not a /var/lib/bugzilla/graphs in the bugzilla package.

I know, but at least bugzilla would have been able to create it there.
That may be true, but that is not where checksetup.pl was looking for it.
Yes and so this seems to be a bug in bugzilla and it is now re-assigned to the bugzilla component.
I have no problem using semanage to do that, but I just did what sealert said to do. I also have no problem with editing Constants.pm to make the graphs directory in /var/lib/bugzilla. Changing $libpath from being /usr/share would be problematic for all of bugzilla I think.

grep '$libpath' /usr/share/bugzilla/Bugzilla/Constants.pm
my $libpath = dirname(dirname($INC{'Bugzilla/Constants.pm'}));
# We have to detaint $libpath, but we can't use Bugzilla::Util here.
$libpath =~ /(.*)/; $libpath = $1;
    'libpath'     => $libpath,
    'ext_libpath' => "$libpath/lib",
    'cgi_path'    => $libpath,
    'templatedir' => "$libpath/template",
    'skinsdir'    => "$libpath/skins",
    'graphsdir'   => "$libpath/graphs",
    'extensionsdir' => "$libpath/extensions",
Yes, I understand. Unfortunately the report did not suggest the proper fix. Basically a bug in setroubleshoot-plugins.
Ughh, this is bug 564450 all over again. When we upstreamed the patch in question, we reverted the value $graphdirs back to its upstream default. I'll release a new version with $graphsdir = "/var/lib/bugzilla".
bugzilla-3.6.6-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/bugzilla-3.6.6-1.fc14
bugzilla-3.6.6-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/bugzilla-3.6.6-1.fc15
bugzilla-4.0.2-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/bugzilla-4.0.2-1.fc16
Package bugzilla-4.0.2-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing bugzilla-4.0.2-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/bugzilla-4.0.2-1.fc16
then log in and leave karma (feedback).
bugzilla-3.6.6-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
bugzilla-3.6.6-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
bugzilla-4.0.2-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.