https://bugzilla.redhat.com/show_bug.cgi?id=1553479
Bug ID: 1553479
Summary: SElinux denials on stock install
Product: Fedora EPEL
Version: el6
Component: bugzilla
Assignee: itamar@ispbrasil.com.br
Reporter: herrold@owlriver.com
QA Contact: extras-qa@fedoraproject.org
CC: bazanluis20@gmail.com, emmanuel@seyman.fr, itamar@ispbrasil.com.br, perl-devel@lists.fedoraproject.org
Description of problem:
SElinux denials on stock install
Version-Release number of selected component (if applicable):
bugzilla-3.4.14-2.el6.noarch
How reproducible:
install utterly stock with no local edits beyond setting up /etc/my.cnf and letting the bugzilla set up tool handle the database matters
when then going in as admin, and using the web interface to adjust parameters, I get:
type=AVC msg=audit(1520549558.851:1134): avc: denied { search } for pid=1957 comm="editparams.cgi" name="pki" dev=vda1 ino=131147 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1520549565.365:1141): avc: denied { search } for pid=1962 comm="admin.cgi" name="pki" dev=vda1 ino=131147 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
From past experience, I know this will be an iterative process (I will need to 'click around' to provoke more AVC's)
I will supplement this bug as I proceed but it is the end of a local business day, and I wanted to capture this detail
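As an added example (not part of the bug report or of the bugzilla package): a small Python parser that collapses AVC records like the two above into unique source type / target type / class entries, so that denials provoked repeatedly while clicking through the interface are recorded once. The function names are hypothetical, the sample input is the pair of records from the report, and the rendered rule is only a candidate for a policy reviewer to judge.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the report above.
SAMPLE = '''\
type=AVC msg=audit(1520549558.851:1134): avc: denied { search } for pid=1957 comm="editparams.cgi" name="pki" dev=vda1 ino=131147 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1520549565.365:1141): avc: denied { search } for pid=1962 comm="admin.cgi" name="pki" dev=vda1 ino=131147 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def _type(context):
    # An SELinux context is user:role:type:level; keep only the type.
    return context.split(":")[2]

def summarize(text):
    """Collapse records into unique (source type, target type, class) keys."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (_type(rec["scontext"]), _type(rec["tcontext"]), rec["tclass"])
        entry = summary[key]
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec.get("comm", "?"))
        entry["count"] += 1
    return dict(summary)

def candidate_rule(key, perms):
    """Render the type-enforcement rule a policy reviewer would have to judge."""
    src, tgt, cls = key
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))

if __name__ == "__main__":
    for key, e in summarize(SAMPLE).items():
        print(e["count"], sorted(e["comms"]), candidate_rule(key, e["perms"]))
```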
--- Comment #1 from R P Herrold herrold@owlriver.com ---
another symptom of the problem is the inability to save a cookie, and so having to repeatedly log in over and over again
--- Comment #2 from R P Herrold herrold@owlriver.com ---
more seen
[Fri Mar 09 03:13:18 2018] [error] [client 180.76.15.155] PHP Notice: Use of undefined constant path - assumed 'path' in /var/www/html/template/header.php on line 323
[Fri Mar 09 03:13:18 2018] [error] [client 180.76.15.155] PHP Notice: Undefined offset: 6 in /var/www/html/template/presentationblock.php on line 27
--- Comment #3 from R P Herrold herrold@owlriver.com ---
Release of Bugzilla 5.1.2, 5.0.4, and 4.4.13 [ 2018 Feb 16 ]
Release of Bugzilla 5.1.1, 5.0.3, and 4.4.12 [ 2016 May 16 ]
Release of Bugzilla 5.0.2, 4.4.11 and 4.2.16 [ 2015 Dec 22 ]
--- Comment #4 from R P Herrold herrold@owlriver.com ---
This is woefully stale
--- Comment #5 from R P Herrold herrold@owlriver.com ---
@itamar@ispbrasil.com.br
I have gotten pretty deep, on EPEL 6 and EPEL 7 in uplifting the Bugzilla dependency chain, on the way to being able to get close to bugzilla CURRENT
Would you consider adding me (fedoraproject userid: herrold ) as a co-maintainer on the two EPEL branches?
-- Russ herrold
--- Comment #6 from R P Herrold herrold@owlriver.com ---
To      : itamar@ispbrasil.com.br
Cc      :
Attchmnt:
Subject : bugzilla in EPEL , ticket: 1553479
----- Message Text -----
Hi
I filed https://bugzilla.redhat.com/show_bug.cgi?id=1553479
because the bugzilla version in EPEL 6 is throwing SELinux errors. Looking further, it is also very old, and has known CSS and related avenues for exploits
I am willing to co-maintain, but need for you to add me as such, for EPEL 6 and 7
Alternatively if you are no longer active with Fedoraproject, it may make sense to simply orphan it to me
I send this, starting (continuing really) the process under:
https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintain$
I would prefer not to do this more 'publicly' on the fedora-devel mailing list, but that appears to be the next step
-- Russ herrold
Emmanuel Seyman emmanuel@seyman.fr changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |emmanuel@seyman.fr,
                   |                            |xavier@bachelot.org

--- Comment #7 from Emmanuel Seyman emmanuel@seyman.fr ---
Bugzilla on EPEL6 was maintained by xavierb (cc-ing), not itamar.
A while back, the RPMFusion guys asked me to build a package for current Bugzilla for EPEL7. I couldn't do it without upgrading packages in base so went for the copr route.
https://copr.fedorainfracloud.org/coprs/eseyman/bugzilla-5.0/
(yes, I'm aware 5.0.4 came out recently. I'll push out an update soon.)
--- Comment #8 from Itamar Reis Peixoto itamar@ispbrasil.com.br ---
(In reply to Emmanuel Seyman from comment #7)
> A while back, the RPMFusion guys asked me to build a package for current Bugzilla for EPEL7. I couldn't do it without upgrading packages in base so went for the copr route.
I think the correct thing to do is to retire bugzilla for el6 and el7; what do you think about that?
--- Comment #9 from Emmanuel Seyman emmanuel@seyman.fr ---
(In reply to Itamar Reis Peixoto from comment #8)
> I think the correct thing to do is to retire bugzilla for el6 and el7; what do you think about that?
Bugzilla was never in el7 but, yes, it should be retired in el6.
Itamar Reis Peixoto itamar@ispbrasil.com.br changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|---                         |WONTFIX
        Last Closed|                            |2018-03-30 12:43:22

--- Comment #10 from Itamar Reis Peixoto itamar@ispbrasil.com.br ---
bugzilla has been marked as dead.package for el6, closing this as won't fix, it's not possible to upgrade bugzilla to a newer version without upgrading el6 base packages.