Description of problem:
All fcgi output goes to httpd error_log. There is some error in fcgi script causing failure.

Version-Release number of selected component (if applicable):
smokeping-2.6.8-1.fc17.noarch

How reproducible:
On every access to: http://localhost/smokeping/sm.cgi

Steps to Reproduce:
1. yum install smokeping
2. service httpd start
3. service smokeping start
4. fix few selinux problems
3. service smokeping restart
5. $favourite_browser http://localhost/smokeping/sm.cgi

Actual results:
"Internal Server Error" in browser, and broken webpage in apache error_log

Expected results:
smokeping page to open in browser

Additional info:
It works using the plain /usr/share/smokeping/cgi/smokeping_cgi script in apache smokeping.conf file alias:
-----------------------------------
ScriptAlias /smokeping/smo.cgi /usr/share/smokeping/cgi/smokeping_cgi
-----------------------------------

This is the error_log content while accessing the page:
-----------------------------------
[Mon Oct 22 14:29:50 2012] [warn] [client 127.0.0.1] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Mon Oct 22 14:29:50 2012] [error] [client 127.0.0.1] Premature end of script headers: smokeping.fcgi
[Mon Oct 22 14:29:50 2012] smokeping.fcgi: ### assuming you are using an fping copy reporting in milliseconds
Expires: Mon, 22 Oct 2012 11:34:50 GMT
Date: Mon, 22 Oct 2012 11:29:50 GMT
Content-length: 3190
Content-Type: text/html; charset=iso-8859-15

<?xml version="1.0" encoding="iso-8859-15"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HTML>
<HEAD>
<META HTTP-EQUIV="Cache-Control" content="no-cache">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Refresh" CONTENT="300">
<TITLE>SmokePing Latency Page for Network Latency Grapher</TITLE>
<STYLE type="text/css">
<!--
.menubar, .menubar a { color: white; text-decoration: none; }
.menubar { background: #4c4c4c; }
.menu, .menuitem, .menuopen, .menuactive { font-size: 10px; font-family: sans-serif; }
.menuactive { background: white; }
a.menulink { color: white; }
a.menulinkactive { color: #1280d7; }
a.menulinkactive:hover { color: #000000; }
a.menulink:hover { color: #e0e0ff; }
-->
</STYLE>
<script src="/smokeping/cropper/lib/prototype.js" type="text/javascript"></script>
<script src="/smokeping/cropper/lib/scriptaculous.js?load=builder,effects,dragdrop" type="text/javascript"></script>
<script src="/smokeping/cropper/cropper.js" type="text/javascript"></script>
<script src="/smokeping/cropper/smokeping-zoom.js" type="text/javascript"></script>
</HEAD>
<BODY bgcolor="white">
<TABLE border="0" cellpadding="10" cellspacing="0">
<TR>
<TD class="menubar" align="left" width="130" valign="top">
<P></P>
<P><B>SmokePing Targets:</B> </P>
<P><form method="get" action="" enctype="multipart/form-data" name="hswitch">
<div id='filter_title'><small>Filter:</small></div><div id='filter_text'><input type="text" name="filter" size="15" onchange="hswitch.submit()" /></div></form><br/><br/><table width="100%" class="menu" border="0" cellpadding="0" cellspacing="0">
<tr><td class="menuitem" colspan="2"> - <a class="menulink" HREF="?target=_charts">Charts</a> </td></tr>
<tr><td class="menuitem" colspan="2"> - <a class="menulink" HREF="?target=Ping">Ikke</a> </td></tr>
</table>
</P>
<br/>
</td>
<TD rowspan="2"></TD>
<TD rowspan="2" valign="top">
<H1>Network Latency Grapher</H1>
<P>Welcome to the SmokePing website of <b>Insert Company Name Here</b>. Here you will learn all about the latency of our network.</P>
<P></P>
<P></P>
</TD>
</TR>
<tr>
<td class="menubar" valign="bottom" width="130">
<p><small>Maintained by <br/><A href="mailto:root@localhost">Super User</A></small></p>
<p><small>Running on <A HREF="http://oss.oetiker.ch/smokeping/counter.cgi/2.006008">SmokePing-2.6.8</A> by <A HREF="http://tobi.oetiker.ch/">Tobi Oetiker</A> and Niko Tyni</small></p>
<P><A HREF="http://oss.oetiker.ch/smokeping/counter.cgi/2.006008"><img border="0" src="/smokeping/images/smokeping.png"></a></P>
<P></P>
<P><A HREF="http://oss.oetiker.ch/rrdtool/"><img border="0" src="/smokeping/images/rrdtool.png"></a></P>
</TD>
</tr>
</TABLE>
</BODY>
</HTML>
[Mon Oct 22 14:29:51 2012] [error] [client 127.0.0.1] File does not exist: /var/www/html/favicon.ico
-----------------------------------
Thanks for your report. I am not able to reproduce this error, however I don't use selinux. Can you retry without selinux enabled just to check?
I have reported all selinux errors here: https://bugzilla.redhat.com/show_bug.cgi?id=868866 It is weird though. I don't get any selinux alerts anymore, but the fcgi page won't work unless I set selinux to permissive. Setting it to permissive makes it work with no problem, but enforcing stops it. Neither one creates logs to audit.log anymore though. SELinux weirdness.
Is this still an issue or have selinux updates fixed this?
still an issue. works if setenforce 0 is given.
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Verified on RHEL 6.5 fully updated and using latest smokeping 2.6.9 from a recompiled FC21/Rawhide source package (slightly modified for systemd/tmpfiles incompatibilities).

The reason why you do not see the further AVC denials is that you need to unmask them with:

semodule --disable_dontaudit --build

If you do so, you find the following is needed (created by audit2allow starting from your suggested rules in https://bugzilla.redhat.com/show_bug.cgi?id=868866 ):
--------------------------------------------------------
module mysmokeping 10.0;

require {
	type bin_t;
	type security_t;
	type httpd_smokeping_cgi_script_t;
	type smokeping_t;
	type httpd_t;
	type ping_t;
	class process { siginh noatsecure rlimitinh };
	class capability { setuid net_raw };
	class unix_stream_socket { shutdown ioctl getattr accept read write };
	class file { read write execute open execute_no_trans };
	class rawip_socket { write create };
}

#============= httpd_smokeping_cgi_script_t ==============
allow httpd_smokeping_cgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr shutdown read write };
allow httpd_smokeping_cgi_script_t self:capability { net_raw setuid };
allow httpd_smokeping_cgi_script_t self:rawip_socket { create write };

#============= httpd_t ==============
allow httpd_t httpd_smokeping_cgi_script_t:process { siginh rlimitinh noatsecure };
allow httpd_t security_t:file { open read };

#============= smokeping_t ==============
allow smokeping_t bin_t:file { read open execute execute_no_trans };
allow smokeping_t ping_t:process { siginh rlimitinh noatsecure };
--------------------------------------------------------
Maybe something similar is needed on Fedora (I did not test there).

Note: to revert AVC masking you can simply issue a:

semodule --build
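Added example, not part of the original comment and not the audit2allow tool itself: a simplified Python sketch of how AVC denials, once unmasked in audit.log, are grouped into `allow` rules like those in the module above. The log lines are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample denials in audit.log AVC format (not taken from this bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1350905390.101:201): avc:  denied  { create } for  pid=2101 comm="smokeping.fcgi" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=rawip_socket
type=AVC msg=audit(1350905390.102:202): avc:  denied  { net_raw } for  pid=2101 comm="smokeping.fcgi" capability=13  scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=capability
type=AVC msg=audit(1350905390.103:203): avc:  denied  { read write } for  pid=2101 comm="smokeping.fcgi" path="socket:[18231]" dev=sockfs ino=18231 scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1350905390.104:204): avc:  denied  { write } for  pid=2101 comm="smokeping.fcgi" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1350905390.104:204): arch=c000003e syscall=44 success=no exit=-13
"""

# Denied permissions, source context, target context and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records carry no denial
        src, tgt = selinux_type(m["s"]), selinux_type(m["t"])
        if tgt == src:
            tgt = "self"  # a domain acting on its own objects is written as "self"
        grouped[(src, tgt, m["cls"])].update(m["perms"].split())
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_AUDIT_LOG)))
```

Reading the rules this way makes each grant traceable to a specific denial, which is useful when reviewing a generated module before loading it.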
Thanks Giuseppe!
What is the state of this bug?
smokeping seems to work on my fedora 20, thanks.