Bug 950300 - bugzilla-4.2.5-1.fc18.noarch throws AVC when trying to load
Summary: bugzilla-4.2.5-1.fc18.noarch throws AVC when trying to load
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 18
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-04-10 03:19 UTC by Kyle Brantley
Modified: 2013-04-18 02:53 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-18 02:53:15 UTC


Attachments (Terms of Use)

Description Kyle Brantley 2013-04-10 03:19:17 UTC
Description of problem:
The default install of the bugzilla RPM tries to access /etc/pki/tls/openssl.cnf once the page it loaded. This is denied under current policy.


Version-Release number of selected component (if applicable):
# rpm -qa | egrep 'bugzilla|selinux-policy|kernel-' | sort
bugzilla-4.2.5-1.fc18.noarch
kernel-3.8.3-203.fc18.x86_64
kernel-3.8.4-202.fc18.x86_64
kernel-3.8.5-201.fc18.x86_64
kernel-headers-3.8.5-201.fc18.x86_64
selinux-policy-3.11.1-86.fc18.noarch
selinux-policy-devel-3.11.1-86.fc18.noarch
selinux-policy-doc-3.11.1-86.fc18.noarch
selinux-policy-targeted-3.11.1-86.fc18.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install bugzilla, and configure it via checksetup.pl.
2. Attempt to load bugzilla instance
  
Actual results:
HTTP 500 Internal Server Error

Expected results:
Functional bugzilla


Additional info:
# tail /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1365563353.993:3120): avc:  denied  { open } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563353.993:3121): avc:  denied  { getattr } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563839.416:3123): avc:  denied  { search } for  pid=7698 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365563841.489:3124): avc:  denied  { search } for  pid=7700 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir

# tail /var/log/audit/audit.log | audit2allow


#============= httpd_bugzilla_script_t ==============
allow httpd_bugzilla_script_t cert_t:dir search;
allow httpd_bugzilla_script_t cert_t:file { getattr open };

Comment 1 Kyle Brantley 2013-04-10 03:26:43 UTC
Sorry, I missed a few AVCs:

# tail -n600 /var/log/audit/audit.log | grep AVC
type=USER_AVC msg=audit(1365563244.141:3111): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1365563244.141:3112): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1365563308.620:3117): avc:  denied  { search } for  pid=7566 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365563314.490:3118): avc:  denied  { search } for  pid=7573 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365563353.993:3120): avc:  denied  { read } for  pid=7587 comm="index.cgi" name="openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563353.993:3120): avc:  denied  { open } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563353.993:3121): avc:  denied  { getattr } for  pid=7587 comm="index.cgi" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365563839.416:3123): avc:  denied  { search } for  pid=7698 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365563841.489:3124): avc:  denied  { search } for  pid=7700 comm="index.cgi" name="pki" dev="dm-0" ino=1305633 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1365564174.257:3143): avc:  denied  { read } for  pid=7875 comm="index.cgi" name="openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1365564227.730:3145): avc:  denied  { read } for  pid=7896 comm="index.cgi" name="openssl.cnf" dev="dm-0" ino=1306061 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file


*** Resulting .te:

module bugzilla-certs 1.0;

require {
        type httpd_bugzilla_script_t;
        type cert_t;
        class dir search;
        class file { read getattr open };
}

#============= httpd_bugzilla_script_t ==============
allow httpd_bugzilla_script_t cert_t:dir search;
allow httpd_bugzilla_script_t cert_t:file read;
allow httpd_bugzilla_script_t cert_t:file { getattr open };

Comment 2 Miroslav Grepl 2013-04-10 14:38:23 UTC
Fixed in selinux-policy-3.11.1-89.fc18.noarch

Comment 3 Fedora Update System 2013-04-15 11:12:51 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

Comment 4 Kyle Brantley 2013-04-15 12:19:19 UTC
Tested, working great now. I've provided feedback on the build. Thanks!

Comment 5 Fedora Update System 2013-04-16 00:08:23 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2013-04-18 02:53:17 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.