<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
On 10/23/2012 01:31 PM, Dominick Grift wrote:
<blockquote cite="mid:1351024300.2774.4.camel@d30.localdomain"
type="cite">
<pre wrap="">does it work in permissive mode?
if so then do you see avc denials, can you enclose them?
</pre>
</blockquote>
<br>
Clicking 'Update now' I get:<br>
{setenforce 0 or 1 flags AVC denials &amp; setroubleshooter.}<br>
<br>
1) AWStats config file: EnableLockForUpdate=1<br>
<span style="color: rgb(136, 0, 0);"><br>
Error: Failed to create lock file
/tmp/awstats.&lt;mydomain&gt;.lock</span><br>
<br>
================================================================<br>
Summary:<br>
<br>
SELinux is preventing /usr/bin/perl "write" access on /tmp.<br>
<br>
Detailed Description:<br>
<br>
SELinux denied access requested by awstats.pl. It is not expected
that this<br>
access is required by awstats.pl and this access may signal an
intrusion<br>
attempt. It is also possible that the specific version or
configuration of the<br>
application is causing it to require additional access.<br>
<br>
Allowing Access:<br>
<br>
You can generate a local policy module to allow this access - see
FAQ<br>
(<a class="moz-txt-link-freetext" href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385</a>) Please
file a bug<br>
report.<br>
<br>
Additional Information:<br>
<br>
Source Context
unconfined_u:system_r:httpd_awstats_script_t:s0<br>
Target Context system_u:object_r:tmp_t:s0<br>
Target Objects /tmp [ dir ]<br>
Source awstats.pl<br>
Source Path /usr/bin/perl<br>
Port &lt;Unknown&gt;<br>
Host &lt;mydomain&gt;<br>
Source RPM Packages perl-5.10.1-123.fc13<br>
Target RPM Packages filesystem-2.4.31-1.fc13<br>
Policy RPM selinux-policy-3.7.19-101.fc13<br>
Selinux Enabled True<br>
Policy Type targeted<br>
Enforcing Mode Enforcing<br>
Plugin Name catchall<br>
Host Name &lt;mydomain&gt;<br>
Platform Linux &lt;mydomain&gt;
2.6.34.9-69.fc13.i686 #1 SMP<br>
Tue May 3 09:20:30 UTC 2011 i686 i686<br>
Alert Count 2<br>
First Seen Tue 23 Oct 2012 12:31:25 PM PDT<br>
Last Seen Tue 23 Oct 2012 02:18:38 PM PDT<br>
Local ID 26bf7878-8dca-48c3-991e-13d87a87256c<br>
Line Numbers <br>
<br>
Raw Audit Messages <br>
<br>
node=&lt;mydomain&gt; type=AVC msg=audit(1351027118.95:3168): avc:
denied { write } for pid=28438 comm="awstats.pl" name="tmp"
dev=sda8 ino=1835010
scontext=unconfined_u:system_r:httpd_awstats_script_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir<br>
<br>
node=&lt;mydomain&gt; type=SYSCALL msg=audit(1351027118.95:3168):
arch=40000003 syscall=5 success=no exit=-13 a0=9e6a808 a1=8241
a2=1b6 a3=0 items=0 ppid=20402 pid=28438 auid=500 uid=48 gid=488
euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none)
ses=2 comm="awstats.pl" exe="/usr/bin/perl"
subj=unconfined_u:system_r:httpd_awstats_script_t:s0 key=(null)<br>
================================================================<br>
<br>
<br>
<br>
2) AWStats config file: EnableLockForUpdate=0<br>
<br>
<span style="color: rgb(136, 0, 0);">Error: Couldn't open server
log file "/var/log/httpd/access_log" : Permission denied
</span><br>
<b>Setup ('/etc/awstats/awstats.mydomain.conf' file, web server or
permissions) may be wrong.</b><br>
Check config file, permissions and AWStats documentation (in 'docs'
directory).<br>
<br>
================================================================<br>
Summary:<br>
<br>
SELinux is preventing /usr/bin/perl from using potentially
mislabeled files<br>
/var/log/httpd/access_log.<br>
<br>
Detailed Description:<br>
<br>
SELinux has denied the awstats.pl access to potentially mislabeled
files<br>
/var/log/httpd/access_log. This means that SELinux will not allow
httpd to use<br>
these files. If httpd should be allowed this access to these files
you should<br>
change the file context to one of the following types,<br>
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, etc_t,
fonts_t,<br>
fonts_cache_t, ld_so_t, httpd_awstats_content_t, ld_so_cache_t,
shell_exec_t,<br>
configfile, httpd_awstats_script_t, abrt_var_run_t,
public_content_t,<br>
sysctl_crypto_t, abrt_t, lib_t, application_exec_type, exec_type,
afs_cache_t,<br>
awstats_var_lib_t, abrt_helper_exec_t, chroot_exec_t,<br>
httpd_awstats_script_exec_t, public_content_rw_t, ld_so_t, bin_t,
lib_t,<br>
textrel_shlib_t, rpm_script_tmp_t, locale_t, proc_t, etc_runtime_t,
lib_t,<br>
usr_t. Many third party apps install html files in directories that
SELinux<br>
policy cannot predict. These directories have to be labeled with a
file context<br>
which httpd can access.<br>
<br>
Allowing Access:<br>
<br>
If you want to change the file context of /var/log/httpd/access_log
so that the<br>
httpd daemon can access it, you need to execute it using semanage
fcontext -a -t<br>
FILE_TYPE '/var/log/httpd/access_log'.<br>
where FILE_TYPE is one of the following: httpd_awstats_ra_content_t,<br>
httpd_awstats_rw_content_t, etc_t, fonts_t, fonts_cache_t, ld_so_t,<br>
httpd_awstats_content_t, ld_so_cache_t, shell_exec_t, configfile,<br>
httpd_awstats_script_t, abrt_var_run_t, public_content_t,
sysctl_crypto_t,<br>
abrt_t, lib_t, application_exec_type, exec_type, afs_cache_t,
awstats_var_lib_t,<br>
abrt_helper_exec_t, chroot_exec_t, httpd_awstats_script_exec_t,<br>
public_content_rw_t, ld_so_t, bin_t, lib_t, textrel_shlib_t,
rpm_script_tmp_t,<br>
locale_t, proc_t, etc_runtime_t, lib_t, usr_t. You can look at the
httpd_selinux<br>
man page for additional information.<br>
<br>
Additional Information:<br>
<br>
Source Context
unconfined_u:system_r:httpd_awstats_script_t:s0<br>
Target Context system_u:object_r:httpd_log_t:s0<br>
Target Objects /var/log/httpd/access_log [ file ]<br>
Source awstats.pl<br>
Source Path /usr/bin/perl<br>
Port &lt;Unknown&gt;<br>
Host &lt;MyDomain&gt;<br>
Source RPM Packages perl-5.10.1-123.fc13<br>
Target RPM Packages <br>
Policy RPM selinux-policy-3.7.19-101.fc13<br>
Selinux Enabled True<br>
Policy Type targeted<br>
Enforcing Mode Enforcing<br>
Plugin Name httpd_bad_labels<br>
Host Name &lt;MyDomain&gt;<br>
Platform Linux &lt;MyDomain&gt;
2.6.34.9-69.fc13.i686 #1 SMP<br>
Tue May 3 09:20:30 UTC 2011 i686 i686<br>
Alert Count 1<br>
First Seen Tue 23 Oct 2012 12:59:57 PM PDT<br>
Last Seen Tue 23 Oct 2012 12:59:57 PM PDT<br>
Local ID fbfdf21d-9107-4c18-9045-1e99fc58d39c<br>
Line Numbers <br>
<br>
Raw Audit Messages <br>
<br>
node=&lt;MyDomain&gt; type=AVC msg=audit(1351022397.831:2991): avc:
denied { read } for pid=20931 comm="awstats.pl" name="access_log"
dev=sda8 ino=6211707
scontext=unconfined_u:system_r:httpd_awstats_script_t:s0
tcontext=system_u:object_r:httpd_log_t:s0 tclass=file<br>
<br>
node=&lt;MyDomain&gt; type=SYSCALL msg=audit(1351022397.831:2991):
arch=40000003 syscall=5 success=no exit=-13 a0=98ebf08 a1=8000 a2=0
a3=0 items=0 ppid=20396 pid=20931 auid=500 uid=48 gid=488 euid=48
suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=2
comm="awstats.pl" exe="/usr/bin/perl"
subj=unconfined_u:system_r:httpd_awstats_script_t:s0 key=(null)<br>
================================================================<br>
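<br>
Added example, not part of the original post: a small Python triage of the two denials reported above. It pairs each AVC record with its SYSCALL record by audit event id, decodes the open() flags, and prints the rule each denial implies so it can be reviewed before any policy is changed. Assumptions: the node name is replaced by the placeholder "host", the SYSCALL lines are shortened, and the flag table covers only i386 open (arch=40000003, syscall=5).<br>
<br>

```python
import re
from collections import defaultdict

# Records adapted from the post above; node name is a placeholder, SYSCALL lines shortened.
SAMPLE = """\
node=host type=AVC msg=audit(1351027118.95:3168): avc: denied { write } for pid=28438 comm="awstats.pl" name="tmp" dev=sda8 ino=1835010 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=host type=SYSCALL msg=audit(1351027118.95:3168): arch=40000003 syscall=5 success=no exit=-13 a0=9e6a808 a1=8241 a2=1b6 a3=0 items=0 comm="awstats.pl" exe="/usr/bin/perl"
node=host type=AVC msg=audit(1351022397.831:2991): avc: denied { read } for pid=20931 comm="awstats.pl" name="access_log" dev=sda8 ino=6211707 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
node=host type=SYSCALL msg=audit(1351022397.831:2991): arch=40000003 syscall=5 success=no exit=-13 a0=98ebf08 a1=8000 a2=0 a3=0 items=0 comm="awstats.pl" exe="/usr/bin/perl"
"""

# i386 open(2) flag bits (assumption: arch=40000003, syscall=5); audit logs a0..a3 in hex.
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x200: "O_TRUNC",
              0x400: "O_APPEND", 0x8000: "O_LARGEFILE"}
EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)")
PERMS = re.compile(r"denied\s+\{ ([^}]+) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Group records by audit event id and merge the AVC and SYSCALL fields."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rec = events[m.group(2)]
        rec.update((k, v.strip('"')) for k, v in FIELD.findall(line))
        p = PERMS.search(line)
        if p:
            rec["perms"] = p.group(1).split()
    return [e for e in events.values() if "perms" in e]

def open_flags(a1_hex):
    """Decode the second open() argument into flag names."""
    value = int(a1_hex, 16)
    names = [n for bit, n in OPEN_FLAGS.items() if value & bit]
    return names if value & 0x3 else ["O_RDONLY"] + names

def candidate_rule(ev):
    """audit2allow-style rule text for review; producing it changes no policy."""
    src = ev["scontext"].split(":")[2]
    tgt = ev["tcontext"].split(":")[2]
    return "allow %s %s:%s { %s };" % (src, tgt, ev["tclass"], " ".join(ev["perms"]))

if __name__ == "__main__":
    for ev in parse(SAMPLE):
        print(ev["comm"], "exit", ev["exit"], "open flags", open_flags(ev["a1"]))
        print("  ", candidate_rule(ev))
```
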
</body>
</html>