R P Herrold wrote:
On Mon, 28 Jan 2008, Tony Molloy wrote:
bug number, and which bugzilla Version, please; I am pretty familiar with the code and packaging it, as I have done so separately from the EPEL effort for some time.
looks like some of the perl CGI scripts are not yet labelled properly to co-exist with enforcing in this packaging -- at least index.cgi and userprefs.cgi
The candidates to label are found with:
    rpm -ql bugzilla | grep cgi
and we can see they are in:
    /usr/share/bugzilla/
All should be labelled correctly:
# semanage fcontext -l | grep bugzilla
/var/lib/bugzilla(/.*)?      all files      system_u:object_r:httpd_bugzilla_script_rw_t:s0
/usr/share/bugzilla(/.*)?    directory      system_u:object_r:httpd_bugzilla_content_t:s0
/usr/share/bugzilla(/.*)?    regular file   system_u:object_r:httpd_bugzilla_script_exec_t:s0
The obvious short term workaround pending the update is to drop to permissive, which may or may not work in your environment.
Or add local policy to allow httpd_bugzilla_script_t to handle POSTed data (which ends up as being httpd_tmp_t) properly, as mentioned on fedora-selinux-list.
http://www.redhat.com/archives/fedora-selinux-list/2008-January/msg00146.htm...
Paul.
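
An added example, not part of the original message or of the Bugzilla packaging: a Python check that resolves the expected label for a path from the three fcontext rules quoted above and flags files whose on-disk SELinux type differs. The on-disk labels and the buglist.cgi and data/params paths are constructed sample data, and letting the last matching rule win is a simplifying assumption about libselinux's precedence.

```python
import re

# Rules copied from the `semanage fcontext -l | grep bugzilla` output quoted above.
FCONTEXT = """\
/var/lib/bugzilla(/.*)?      all files      system_u:object_r:httpd_bugzilla_script_rw_t:s0
/usr/share/bugzilla(/.*)?    directory      system_u:object_r:httpd_bugzilla_content_t:s0
/usr/share/bugzilla(/.*)?    regular file   system_u:object_r:httpd_bugzilla_script_exec_t:s0
"""

# Constructed sample (path, file class, label on disk); not output from a real host.
ON_DISK = [
    ("/usr/share/bugzilla", "directory", "system_u:object_r:httpd_bugzilla_content_t:s0"),
    ("/usr/share/bugzilla/index.cgi", "regular file", "system_u:object_r:httpd_bugzilla_content_t:s0"),
    ("/usr/share/bugzilla/userprefs.cgi", "regular file", "system_u:object_r:usr_t:s0"),
    ("/usr/share/bugzilla/buglist.cgi", "regular file", "system_u:object_r:httpd_bugzilla_script_exec_t:s0"),
    ("/var/lib/bugzilla/data/params", "regular file", "system_u:object_r:httpd_bugzilla_script_rw_t:s0"),
]

def parse_rules(text):
    """Split each rule line into (compiled path regex, file class, context)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(all files|directory|regular file)\s+(\S+)$", line.strip())
        if m:
            rules.append((re.compile(m.group(1)), m.group(2), m.group(3)))
    return rules

def expected_context(rules, path, file_class):
    """Return the context of the last rule matching path and class, else None.
    Assumption: last match wins; libselinux applies its own precedence on overlap."""
    hit = None
    for regex, rule_class, context in rules:
        # fcontext regexes are anchored at both ends, hence fullmatch.
        if rule_class in ("all files", file_class) and regex.fullmatch(path):
            hit = context
    return hit

def mislabeled(rules, entries):
    """List (path, actual type, expected type) where the SELinux type differs."""
    out = []
    for path, file_class, actual in entries:
        want = expected_context(rules, path, file_class)
        if want and want.split(":")[2] != actual.split(":")[2]:
            out.append((path, actual.split(":")[2], want.split(":")[2]))
    return out

if __name__ == "__main__":
    for path, have, want in mislabeled(parse_rules(FCONTEXT), ON_DISK):
        print(f"{path}: on disk {have}, policy expects {want}")
```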