Issue 1113861
Created on 2005-02-01 10:36 by chrismacgregor, last changed 2005-02-01 21:16 by richard.
msg3362 |
Author: [hidden] (chrismacgregor) |
Date: 2005-02-01 10:36 |
|
On Fedora Core 3, with patches current as of 31 Jan
2005, I'm trying Roundup 0.7.11. I have selinux
enabled in targeted mode.
When I tried to access the web interface on my first
freshly set-up tracker, I got a Python traceback.
Knowing it might be selinux, I checked and found these
in /var/log/messages:
Feb 1 01:58:18 secure1 kernel: audit(1107251898.241:0): avc: denied { getattr } for pid=5772 exe=/usr/bin/python path=/var dev=hda3 ino=8191585 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Feb 1 01:58:44 secure1 kernel: audit(1107251924.762:0): avc: denied { getattr } for pid=5773 exe=/usr/bin/python path=/var dev=hda3 ino=8191585 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Feb 1 01:58:45 secure1 kernel: audit(1107251925.180:0): avc: denied { write } for pid=5773 exe=/usr/bin/python name=lock dev=hda3 ino=11116127 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:usr_t tclass=file
Now, obviously this is not really a bug in Roundup, but
it'd be super helpful if you guys could include a patch
or clue or something about how to tweak the policy file
to get things to work. If I figure it out I'll post an
update, but don't hold your breath - I have too much
going on to spend much time on this.
|
msg3363 |
Author: [hidden] (chrismacgregor) |
Date: 2005-02-01 11:25 |
|
Logged In: YES
user_id=980390
The following is a start. Now I'm stuck on a different
problem (can't seem to register a user), and getting no
selinux gripes.
Note, however, that
1. the following may well not be complete, since I've only
gotten to an empty issues list so far, and
2. the following is certainly using a shotgun to swat a fly
- someone who groks selinux can surely do a much better job.
I appended these lines to
/etc/selinux/targeted/src/policy/domains/program/apache.te,
and in /etc/selinux/targeted/src/policy ran "make load".
Note that I have
selinux-policy-targeted-sources-1.17.30-2.62.noarch.rpm
installed.
allow httpd_sys_script_t usr_t:file { read create write lock rename };
allow httpd_sys_script_t usr_t:dir { search write add_name remove_name };
allow httpd_sys_script_t src_t:dir { search };
allow httpd_sys_script_t var_t:dir getattr;
|
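An added example, not part of the original posts or of Roundup: an audit2allow-style Python script that derives the narrowest allow rules from the three denials in msg3362 and lists which permissions in the msg3363 rules have no logged denial behind them. The function names are hypothetical; the log lines and rules are copied from the two messages above.

```python
import re
from collections import defaultdict

# The three denials quoted in msg3362, rejoined to one entry per line.
SAMPLE_LOG = """\
Feb 1 01:58:18 secure1 kernel: audit(1107251898.241:0): avc: denied { getattr } for pid=5772 exe=/usr/bin/python path=/var dev=hda3 ino=8191585 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Feb 1 01:58:44 secure1 kernel: audit(1107251924.762:0): avc: denied { getattr } for pid=5773 exe=/usr/bin/python path=/var dev=hda3 ino=8191585 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Feb 1 01:58:45 secure1 kernel: audit(1107251925.180:0): avc: denied { write } for pid=5773 exe=/usr/bin/python name=lock dev=hda3 ino=11116127 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:usr_t tclass=file
"""

# The rules appended to apache.te in msg3363.
POSTED_RULES = """\
allow httpd_sys_script_t usr_t:file { read create write lock rename };
allow httpd_sys_script_t usr_t:dir { search write add_name remove_name };
allow httpd_sys_script_t src_t:dir { search };
allow httpd_sys_script_t var_t:dir getattr;
"""

# A context is user:role:type; an allow rule needs only the type field.
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=[^:\s]+:[^:\s]+:(\w+)"
                    r".*?tcontext=[^:\s]+:[^:\s]+:(\w+).*?tclass=(\w+)")
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{?([^};]*)\}?\s*;")

def denied(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    seen = defaultdict(set)
    for perms, s, t, c in AVC_RE.findall(log_text):  # repeats collapse into the set
        seen[(s, t, c)].update(perms.split())
    return seen

def minimal_rules(log_text):
    """One allow rule per denied (source, target, class) triple."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denied(log_text).items())]

def unlogged(rules_text, log_text):
    """Permissions granted by rules_text that no logged denial accounts for."""
    seen = denied(log_text)
    extra = {}
    for s, t, c, perms in ALLOW_RE.findall(rules_text):
        surplus = set(perms.split()) - seen.get((s, t, c), set())
        if surplus:
            extra[(s, t, c)] = sorted(surplus)
    return extra

if __name__ == "__main__":
    print("\n".join(minimal_rules(SAMPLE_LOG)))
    for key, perms in unlogged(POSTED_RULES, SAMPLE_LOG).items():
        print("no denial logged for:", key, perms)
```

A denial is logged only for the access that actually failed, so later accesses show up only after the earlier ones are allowed; rerun the comparison after each policy load.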
msg3364 |
Author: [hidden] (richard) |
Date: 2005-02-01 21:16 |
|
Logged In: YES
user_id=6405
This really isn't a bug, so I'm re-filing it as a feature request.
I'll be happy to work with you in figuring out any problems, but I
have absolutely no experience with selinux. I'm not even sure
what it is. Of course I'll also be happy to include documentation
in Roundup to help other people who wish to use it.
Do you get any sort of Roundup error when you try to register a
user? What exactly are the steps you take and the behaviour
you witness?
|
msg3365 |
Author: [hidden] (chrismacgregor) |
Date: 2005-02-01 22:08 |
|
Logged In: YES
user_id=980390
feature request: fair enough.
selinux: This is a big hairy security thing. See this URL
for info:
http://fedora.redhat.com/docs/selinux-faq/
I know little about it myself.
User registration issue: It just takes me back to the
trackers index. I get the email, and when I click the link
that also takes me to the trackers index. When I try to log
in, that, too, takes me to the trackers index (but I'm not
logged in). If I try the "Lost your login?" link and enter
the info, it has no idea who I am.
Feel free to try it yourself at:
http://secure1.DOMAINNAME.com/cgi-bin/roundup.cgi/bugs/
(substituting tigerwave for DOMAINNAME - trying to fool
the URL harvesting robots here).
|
msg3366 |
Author: [hidden] (anonymous) |
Date: 2005-02-01 22:23 |
|
Logged In: NO
[richard here]
Check to make sure TRACKER_WEB is set correctly in the config.
|
msg3367 |
Author: [hidden] (chrismacgregor) |
Date: 2005-02-02 01:31 |
|
Logged In: YES
user_id=980390
It is set thusly:
TRACKER_WEB = 'http://secure1.DOMAINNAME.com/cgi-bin/roundup.cgi/bugs/'
(again, substitute tigerwave where I wrote DOMAINNAME)
I also tried it without the "bugs/" at the end since I get
the same index screen if I go to that URL, but that didn't
seem to change anything at all.
|
Date | User | Action | Args
2005-02-01 10:36:25 | chrismacgregor | create |