Bug 566513 - mailgraph-selinux does not work fine
Summary: mailgraph-selinux does not work fine
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: mailgraph
Version: el5
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Bernard Johnson
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-02-18 17:09 UTC by Stefano Biagiotti
Modified: 2011-08-18 00:30 UTC

Fixed In Version: mailgraph-1.14-8.fc14
Doc Type: Bug Fix
Last Closed: 2010-10-17 04:51:30 UTC

Description Stefano Biagiotti 2010-02-18 17:09:01 UTC
Description:

I installed mailgraph-1.14-6.el5 and mailgraph-selinux-1.14-6.el5 from EPEL 5 testing repository.

Opening http://localhost/mailgraph/ with selinux in enforcing mode, I can't view the graph images as http://localhost/mailgraph/mailgraph.cgi?0-n .

-------------------------------

Steps to Reproduce:

1. # setenforce 1
2. # service httpd start
3. # service mailgraph start
4. # wget http://localhost/mailgraph/mailgraph.cgi?0-n
   --2010-02-18 12:17:38--  http://localhost/mailgraph/mailgraph.cgi?0-n
   Resolving localhost... 127.0.0.1
   Connecting to localhost|127.0.0.1|:80... connected.
   HTTP request sent, awaiting response... 500 Internal Server Error
   2010-02-18 12:17:38 ERROR 500: Internal Server Error.

--------------------------------

Actual results:

In /var/log/httpd/error_log:
[Thu Feb 18 12:21:17 2010] [error] [client 127.0.0.1] ERROR: opening '/var/lib/mailgraph/mailgraph.rrd': Permission denied
[Thu Feb 18 12:21:17 2010] [error] [client 127.0.0.1] Premature end of script headers: mailgraph.cgi

In /var/log/audit/audit.log:
type=AVC msg=audit(1266491858.707:87343): avc:  denied  { read } for  pid=22843 comm="mailgraph.cgi" name="mailgraph.rrd" dev=dm-0 ino=491781 scontext=root:system_r:httpd_mailgraph_script_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file

--------------------------------

NOTE: this bug should be filed against mailgraph-selinux, but it is not included in the "Component" list above.

Comment 1 Mark Chappell 2010-09-28 20:58:50 UTC
Actually you filed this against the correct package, mailgraph-selinux is a sub-package of mailgraph.

What's happened is that mailgraph.rrd hasn't picked up the context it's supposed to have.  This is because fixfiles -R only acts upon the files that are owned by the rpm and the rrd file is being generated before the selinux module is installed.  What I can't spot is what's generating the rrd files...

The quick hack fix to get you up and running is simply:

restorecon -RvF /var/lib/mailgraph

This is possibly also the best bet as a fix in the post script too.


Mark

Comment 2 Fedora Update System 2010-10-02 13:29:26 UTC
mailgraph-1.14-8.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/mailgraph-1.14-8.el5

Comment 3 Fedora Update System 2010-10-02 13:31:01 UTC
mailgraph-1.14-8.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mailgraph-1.14-8.fc14

Comment 4 Fedora Update System 2010-10-02 13:32:54 UTC
mailgraph-1.14-8.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mailgraph-1.14-8.fc13

Comment 5 Fedora Update System 2010-10-02 19:50:39 UTC
mailgraph-1.14-8.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update mailgraph'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/mailgraph-1.14-8.el5

Comment 6 Stefano Biagiotti 2010-10-12 15:51:36 UTC
mailgraph-1.14-8.el5 and mailgraph-selinux-1.14-8.el5 from epel-testing work for me.

Thank you.

Comment 7 Fedora Update System 2010-10-17 04:51:26 UTC
mailgraph-1.14-8.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-10-17 21:01:58 UTC
mailgraph-1.14-8.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2010-10-18 05:44:02 UTC
mailgraph-1.14-8.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Patrick 2011-08-18 00:01:19 UTC
I just installed CentOS 6 x86_64 with mailgraph from EPEL:

$ rpm -qa | grep mailgraph
mailgraph-selinux-1.14-8.el6.noarch
mailgraph-1.14-8.el6.noarch

$ cat /etc/centos-release 
CentOS Linux release 6.0 (Final)

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

And with SELinux enabled, browsing to http://host/mailgraph gives a 500 Internal Server Error, but when I set SELinux to permissive it works fine.

The error in /var/log/httpd/error_log:

[Thu Aug 18 01:57:41 2011] [error] [client 10.0.0.135] (13)Permission denied: exec of '/usr/share/mailgraph/mailgraph.cgi' failed
[Thu Aug 18 01:57:41 2011] [error] [client 10.0.0.135] Premature end of script headers: mailgraph.cgi

The error in /var/log/audit/audit.log:
type=AVC msg=audit(1313625461.090:635): avc:  denied  { execute } for  pid=3696 comm="httpd" name="mailgraph.cgi" dev=sda2 ino=43519719 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1313625461.090:635): arch=c000003e syscall=59 success=no exit=-13 a0=7f994b14b130 a1=7f994b150ee8 a2=7f994b150f00 a3=7fffa58254a0 items=0 ppid=2970 pid=3696 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=11 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Also tried the restorecon trick mentioned above but it did not seem to do anything.
$ sudo restorecon -RvF /var/lib/mailgraph
$

After the restorecon trick I still get the same error.

Comment 11 Patrick 2011-08-18 00:30:25 UTC
I tried the changes from bz243302 and it still does not work.

With these applied:

$ sudo chcon -t httpd_sys_script_exec_t /usr/share/mailgraph/mailgraph.cgi
$ sudo chcon -R -t httpd_sys_script_ra_t /var/cache/mailgraph
$ sudo chcon -R -t httpd_sys_script_ra_t /var/lib/mailgraph

And with SELinux in permissive mode:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

I see this error in /var/log/audit/audit.log

type=AVC msg=audit(1313627079.285:995): avc:  denied  { setattr } for  pid=4748 comm="mailgraph.cgi" name="fontconfig" dev=sda2 ino=96731533 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1313627079.285:995): arch=c000003e syscall=90 success=no exit=-1 a0=e11140 a1=1ed a2=d a3=7ffff491fbe0 items=0 ppid=2976 pid=4748 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=11 comm="mailgraph.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

At least the chcon changes seem to have solved the errors in comment #10.

Please let me know if you need more information or would like me to test a new policy.
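
Added example (not part of the original thread, and not code from mailgraph or its SELinux policy): a parser for the three AVC denials quoted in this report that separates targets still carrying a directory-default type from targets that are labelled but not permitted. The `GENERIC_TYPES` set and the `relabel`/`policy` triage labels are assumptions made for illustration.

```python
import re

# The three AVC records quoted in this report (description, comment 10, comment 11).
AUDIT_LINES = [
    'type=AVC msg=audit(1266491858.707:87343): avc:  denied  { read } for  pid=22843 comm="mailgraph.cgi" name="mailgraph.rrd" dev=dm-0 ino=491781 scontext=root:system_r:httpd_mailgraph_script_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1313625461.090:635): avc:  denied  { execute } for  pid=3696 comm="httpd" name="mailgraph.cgi" dev=sda2 ino=43519719 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1313627079.285:995): avc:  denied  { setattr } for  pid=4748 comm="mailgraph.cgi" name="fontconfig" dev=sda2 ino=96731533 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir',
]

# Assumption: types a file inherits from its parent directory when no
# package-specific file context was applied (the situation comment 1 describes).
GENERIC_TYPES = {"var_lib_t", "usr_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type:level, so the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }

def triage(record):
    """'relabel': target has a default label, check file contexts and restorecon.
    'policy': target is labelled, the source domain lacks the permission."""
    return "relabel" if record["target_type"] in GENERIC_TYPES else "policy"

def summarize(lines):
    records = [r for r in map(parse_avc, lines) if r]
    return [(r["name"], r["source_type"], r["target_type"], triage(r)) for r in records]

if __name__ == "__main__":
    for row in summarize(AUDIT_LINES):
        print(row)
```
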

