AWStats Update-now link has permissions issues
Daniel J Walsh
dwalsh at redhat.com
Wed Oct 24 18:05:15 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/24/2012 11:20 AM, Dan Thurman wrote:
> On 10/24/2012 07:49 AM, Dan Thurman wrote:
>> On 10/24/2012 06:30 AM, Daniel J Walsh wrote:
>>> Are you seeing any AVC messages?
>> Yes. I thought I provided the AVC logs in the previous posting, unless
>> there is something else you require
>
> Just in case you require the data from the audit logs directly. These AVC
> denials are generated only when the 'Update now" link is clicked.
>
> # =============================================================== # The
> following is generated when awstats.pl tries to create a lock on
> /tmp/awstat.<MyDomain>.lock # ONLY if the awstat config parameter
> EnableLockForUpdate=1 thus generates an AVC denial # and blocks Awstats
> update:
>
> type=AVC msg=audit(1351027118.095:3168): avc: denied { write } for
> pid=28438 comm="awstats.pl" name="tmp" dev=sda8 ino=1835010
> scontext=unconfined_u:system_r:httpd_awstats_script_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
>
Thanks, Any reason this is creating the lock file in /tmp? It seems to be
creating a guessable name, is this your local customization or the default?
> # =============================================================== # The
> following is generated when awstats.pl tries to access /var/log/access_log
> # when EnableLockForUpdate=0 which means the lock code is bypassed but the
> # next code step generates an AVC denial and blocks Awstats updates:
>
> type=AVC msg=audit(1351022397.831:2991): avc: denied { read } for
> pid=20931 comm="awstats.pl" name="access_log" dev=sda8 ino=6211707
> scontext=unconfined_u:system_r:httpd_awstats_script_t:s0
> tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
>
> # ===============================================================
>
Is awstats supposed to read the access_log?
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlCILdsACgkQrlYvE4MpobPGTQCePXdjKfDGoojGfgU9cM6aXm+F
C7IAoNpLkyRoWe7dH0I3H7KD+JzotL5S
=wNDD
-----END PGP SIGNATURE-----
More information about the selinux
mailing list