AWStats Update-now link has permissions issues

Daniel J Walsh dwalsh at redhat.com
Wed Oct 24 18:05:15 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/24/2012 11:20 AM, Dan Thurman wrote:
> On 10/24/2012 07:49 AM, Dan Thurman wrote:
>> On 10/24/2012 06:30 AM, Daniel J Walsh wrote:
>>> Are you seeing any AVC messages?
>> Yes.  I thought I provided the AVC logs in the previous posting, unless
>> there is something else you require
> 
> Just in case you require the data from the audit logs directly. These AVC
> denials are generated only when the 'Update now" link is clicked.
> 
> # =============================================================== # The
> following is generated when awstats.pl tries to create a lock on 
> /tmp/awstat.<MyDomain>.lock # ONLY if the awstat config parameter
> EnableLockForUpdate=1 thus generates an AVC denial # and blocks Awstats
> update:
> 
> type=AVC msg=audit(1351027118.095:3168): avc:  denied  { write } for 
> pid=28438 comm="awstats.pl" name="tmp" dev=sda8 ino=1835010 
> scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> 
Thanks, Any reason this is creating the lock file in /tmp?  It seems to be
creating a guessable name, is this your local customization or the default?


> # =============================================================== # The
> following is generated when awstats.pl tries to access /var/log/access_log 
> # when EnableLockForUpdate=0 which means the lock code is bypassed but the 
> # next code step generates an AVC denial and blocks Awstats updates:
> 
> type=AVC msg=audit(1351022397.831:2991): avc:  denied  { read } for 
> pid=20931 comm="awstats.pl" name="access_log" dev=sda8 ino=6211707 
> scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 
> tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
> 
> # ===============================================================
> 
Is awstats supposed to read the access_log?


> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCILdsACgkQrlYvE4MpobPGTQCePXdjKfDGoojGfgU9cM6aXm+F
C7IAoNpLkyRoWe7dH0I3H7KD+JzotL5S
=wNDD
-----END PGP SIGNATURE-----

More information about the selinux mailing list