Roundup Tracker - Issues

Issue 1113861

classification
selinux errors on python operations
Type: rfe Severity: normal
Components: None Versions:
process
Status: open
: richard : chrismacgregor, richard
Priority: normal :

Created on 2005-02-01 10:36 by chrismacgregor, last changed 2005-02-01 21:16 by richard.

Messages
msg3362 Author: [hidden] (chrismacgregor) Date: 2005-02-01 10:36
On Fedora Core 3, with patches current as of 31 Jan
2005, I'm trying Roundup 0.7.11.  I have selinux
enabled in targeted mode.

When I tried to access the web interface on my first
freshly set-up tracker, I got a Python traceback. 
Knowing it might be selinux, I checked and found these
in /var/log/messages:

Feb  1 01:58:18 secure1 kernel: audit(1107251898.241:0): avc:  denied  { getattr } for  pid=5772 exe=/usr/bin/python path=/var dev=hda3 ino=8191585 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Feb  1 01:58:44 secure1 kernel: audit(1107251924.762:0): avc:  denied  { getattr } for  pid=5773 exe=/usr/bin/python path=/var dev=hda3 ino=8191585 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Feb  1 01:58:45 secure1 kernel: audit(1107251925.180:0): avc:  denied  { write } for  pid=5773 exe=/usr/bin/python name=lock dev=hda3 ino=11116127 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:usr_t tclass=file

Now, obviously this is not really a bug in Roundup, but
it'd be super helpful if you guys could include a patch
or clue or something about how to tweak the policy file
to get things to work.  If I figure it out I'll post an
update, but don't hold your breath - I have too much
going on to spend much time on this.
msg3363 Author: [hidden] (chrismacgregor) Date: 2005-02-01 11:25
Logged In: YES 
user_id=980390

The following is a start.  Now I'm stuck on a different
problem (can't seem to register a user), and getting no
selinux gripes.

Note, however, that
1. the following may well not be complete, since I've only
gotten to an empty issues list so far, and
2. the following is certainly using a shotgun to swat a fly
- someone who groks selinux can surely do a much better job.

I appended these lines to
/etc/selinux/targeted/src/policy/domains/program/apache.te,
and in /etc/selinux/targeted/src/policy ran "make load". 
Note that I have
selinux-policy-targeted-sources-1.17.30-2.62.noarch.rpm
installed.

allow httpd_sys_script_t usr_t:file { read create write lock rename };
allow httpd_sys_script_t usr_t:dir { search write add_name remove_name };
allow httpd_sys_script_t src_t:dir { search };
allow httpd_sys_script_t var_t:dir getattr;
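
The denials quoted in the first message and the rules posted above, compared in an added example (not part of the original posts, and not Roundup or SELinux project code). It derives the allow rules the three logged denials call for, the kind of rule generation a tool such as audit2allow performs, and lists what the posted rules grant beyond that. The function names are hypothetical; the log and rule text are copied from the thread with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# The three AVC denials from msg3362, one log entry per line.
DENIALS = """\
Feb  1 01:58:18 secure1 kernel: audit(1107251898.241:0): avc:  denied  { getattr } for  pid=5772 exe=/usr/bin/python path=/var dev=hda3 ino=8191585 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Feb  1 01:58:44 secure1 kernel: audit(1107251924.762:0): avc:  denied  { getattr } for  pid=5773 exe=/usr/bin/python path=/var dev=hda3 ino=8191585 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Feb  1 01:58:45 secure1 kernel: audit(1107251925.180:0): avc:  denied  { write } for  pid=5773 exe=/usr/bin/python name=lock dev=hda3 ino=11116127 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:usr_t tclass=file
"""

# The rules appended to apache.te in msg3363.
POSTED = """\
allow httpd_sys_script_t usr_t:file { read create write lock rename };
allow httpd_sys_script_t usr_t:dir { search write add_name remove_name };
allow httpd_sys_script_t src_t:dir { search };
allow httpd_sys_script_t var_t:dir getattr;
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def rules_from_denials(log):
    """Map (source type, target type, class) -> permissions that were denied."""
    need = defaultdict(set)
    for m in AVC.finditer(log):
        perms, scon, tcon, tclass = m.groups()
        # A context is user:role:type; the type field is what allow rules name.
        need[(scon.split(":")[2], tcon.split(":")[2], tclass)].update(perms.split())
    return dict(need)

def parse_rules(text):
    """Map (source type, target type, class) -> permissions an allow rule grants."""
    granted = defaultdict(set)
    for m in RULE.finditer(text):
        src, tgt, tclass, braced, single = m.groups()
        granted[(src, tgt, tclass)].update((braced or single).split())
    return dict(granted)

def unlogged_grants(granted, need):
    """Granted permissions that none of the quoted denials asked for."""
    extra = {k: p - need.get(k, set()) for k, p in granted.items()}
    return {k: sorted(v) for k, v in extra.items() if v}

def render(rules):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    need = rules_from_denials(DENIALS)
    print("\n".join(render(need)))
    print(unlogged_grants(parse_rules(POSTED), need))
```

A permission reported as unlogged is not necessarily unneeded: further denials may have appeared after the ones quoted in the thread. It marks the grants to review before keeping the rule.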
msg3364 Author: [hidden] (richard) Date: 2005-02-01 21:16
Logged In: YES 
user_id=6405

This really isn't a bug, so I'm re-filing it as a feature request. 
 
I'll be happy to work with you in figuring out any problems, but I 
have absolutely no experience with selinux. I'm not even sure 
what it is. Of course I'll also be happy to include documentation 
in Roundup to help other people who wish to use it. 
 
Do you get any sort of Roundup error when you try to register a 
user? What exactly are the steps you take and the behaviour 
you witness? 
 
msg3365 Author: [hidden] (chrismacgregor) Date: 2005-02-01 22:08
Logged In: YES 
user_id=980390

feature request: fair enough.

selinux: This is a big hairy security thing.  See this URL
for info:
    http://fedora.redhat.com/docs/selinux-faq/
I know little about it myself.

User registration issue: It just takes me back to the
trackers index.  I get the email, and when I click the link
that also takes me to the trackers index.  When I try to log
in, that, too, takes me to the trackers index (but I'm not
logged in).  If I try the "Lost your login?" link and enter
the info, it has no idea who I am.

Feel free to try it yourself at:
    http://secure1.DOMAINNAME.com/cgi-bin/roundup.cgi/bugs/
    (substituting tigerwave for DOMAINNAME - trying to fool
the URL harvesting robots here).
msg3366 Author: [hidden] (anonymous) Date: 2005-02-01 22:23
Logged In: NO 

[richard here] 
 
Check to make sure TRACKER_WEB is set correctly in the config. 
msg3367 Author: [hidden] (chrismacgregor) Date: 2005-02-02 01:31
Logged In: YES 
user_id=980390

It is set thusly:

TRACKER_WEB =
'http://secure1.DOMAINNAME.com/cgi-bin/roundup.cgi/bugs/'

(again, substitute tigerwave where I wrote DOMAINNAME)

I also tried it without the "bugs/" at the end since I get
the same index screen if I go to that URL, but that didn't
seem to change anything at all.
History
Date                 User            Action  Args
2005-02-01 10:36:25  chrismacgregor  create