R P Herrold wrote:
On Mon, 28 Jan 2008, Tony Molloy wrote:
>> bug number, and which bugzilla Version, please; I am pretty
>> familiar with the code and packaging it, as I have done so
>> separately from the EPEL effort for some time.
>
https://bugzilla.redhat.com/show_bug.cgi?id=429879
looks like some of the perl CGI scripts are not yet labelled properly to
co-exist with enforcing in this packaging -- at least index.cgi and
userprefs.cgi
The candidates to label are found with:
rpm -ql bugzilla | grep cgi
and we can see they are in:
/usr/share/bugzilla/
All should be labelled correctly:
# semanage fcontext -l | grep bugzilla
/var/lib/bugzilla(/.*)?    all files       system_u:object_r:httpd_bugzilla_script_rw_t:s0
/usr/share/bugzilla(/.*)?  directory       system_u:object_r:httpd_bugzilla_content_t:s0
/usr/share/bugzilla(/.*)?  regular file    system_u:object_r:httpd_bugzilla_script_exec_t:s0
The obvious short term workaround pending the update is to drop to
permissive, which may or may not work in your environment.
Or add local policy to allow httpd_bugzilla_script_t to handle POSTed
data (which ends up as being httpd_tmp_t) properly, as mentioned on
fedora-selinux-list.
http://www.redhat.com/archives/fedora-selinux-list/2008-January/msg00146....
Paul.
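
Added example (not part of the original thread or the Bugzilla package): a small check that reads `ls -Z` output and reports any .cgi file whose SELinux type differs from the httpd_bugzilla_script_exec_t type that the fcontext listing above assigns to regular files under /usr/share/bugzilla. The function names and the sample listing are constructed for illustration; the usr_t labels in the sample are an assumption, not values from the bug report.

```sh
#!/bin/sh
# Type that the `semanage fcontext -l` output quoted in the thread assigns
# to regular files under /usr/share/bugzilla.
EXPECTED_TYPE="httpd_bugzilla_script_exec_t"

# find_mislabelled_cgi (hypothetical helper): read `ls -Z` lines on stdin and
# print "path actual_type" for each .cgi file whose type is not $EXPECTED_TYPE.
# Handles the older layout (mode owner group context path) and the newer one
# (context path) by locating the user:role:type[:level] field by its shape.
find_mislabelled_cgi() {
    awk -v want="$EXPECTED_TYPE" '
        $NF ~ /\.cgi$/ {
            ctx = ""
            for (i = 1; i < NF; i++)
                if (split($i, p, ":") >= 3) { ctx = $i; break }
            # No context field at all (e.g. "?"): report it explicitly.
            if (ctx == "") { print $NF, "UNLABELLED"; next }
            split(ctx, p, ":")
            if (p[3] != want) print $NF, p[3]
        }'
}

# Constructed sample input: two scripts carry a generic type, two are
# labelled as the policy expects (one line in each `ls -Z` layout).
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x  root root system_u:object_r:usr_t:s0 /usr/share/bugzilla/index.cgi
-rwxr-xr-x  root root system_u:object_r:usr_t:s0 /usr/share/bugzilla/userprefs.cgi
-rwxr-xr-x  root root system_u:object_r:httpd_bugzilla_script_exec_t:s0 /usr/share/bugzilla/query.cgi
system_u:object_r:httpd_bugzilla_script_exec_t:s0 /usr/share/bugzilla/buglist.cgi
EOF
}

# On a live system the same check is fed from the package file list:
#   rpm -ql bugzilla | grep cgi | xargs ls -Z | find_mislabelled_cgi
# and `restorecon -v <path>` resets a reported file to the policy default.
sample_listing | find_mislabelled_cgi
```

An empty result means every listed CGI script already carries the expected type, so remaining denials would point at policy rather than file labels.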