On 10/23/2012 01:31 PM, Dominick Grift wrote:
does it work in permissive mode?
if so then do you see avc denials, can you enclose them?
Clicking 'Update now' I get:
{setenforce 0 or 1 flags AVC denials & setroubleshooter.}
1) AWStats config file: EnableLockForUpdate=1
Error: Failed to create lock file /tmp/awstats.<mydomain>.lock
================================================================
Summary:
SELinux is preventing /usr/bin/perl "write" access on /tmp.
Detailed Description:
SELinux denied access requested by awstats.pl. It is not expected that this
access is required by awstats.pl and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(
http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context
unconfined_u:system_r:httpd_awstats_script_t:s0
Target Context system_u:object_r:tmp_t:s0
Target Objects /tmp [ dir ]
Source awstats.pl
Source Path /usr/bin/perl
Port <Unknown>
Host <mydomain>
Source RPM Packages perl-5.10.1-123.fc13
Target RPM Packages filesystem-2.4.31-1.fc13
Policy RPM selinux-policy-3.7.19-101.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name <mydomain>
Platform Linux <mydomain> 2.6.34.9-69.fc13.i686 #1 SMP
Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count 2
First Seen Tue 23 Oct 2012 12:31:25 PM PDT
Last Seen Tue 23 Oct 2012 02:18:38 PM PDT
Local ID 26bf7878-8dca-48c3-991e-13d87a87256c
Line Numbers
Raw Audit Messages
node=<mydomain> type=AVC msg=audit(1351027118.95:3168): avc: denied {
write } for pid=28438 comm="awstats.pl" name="tmp" dev=sda8
ino=1835010
scontext=unconfined_u:system_r:httpd_awstats_script_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=<mydomain> type=SYSCALL msg=audit(1351027118.95:3168):
arch=40000003 syscall=5 success=no exit=-13 a0=9e6a808 a1=8241 a2=1b6
a3=0 items=0 ppid=20402 pid=28438 auid=500 uid=48 gid=488 euid=48
suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=2
comm="awstats.pl" exe="/usr/bin/perl"
subj=unconfined_u:system_r:httpd_awstats_script_t:s0 key=(null)
================================================================
2) AWStats config file: EnableLockForUpdate=0
Error: Couldn't open server log file "/var/log/httpd/access_log" :
Permission denied
*Setup ('/etc/awstats/awstats.mydomain.conf' file, web server or
permissions) may be wrong.*
Check config file, permissions and AWStats documentation (in 'docs'
directory).
================================================================
Summary:
SELinux is preventing /usr/bin/perl from using potentially mislabeled files
/var/log/httpd/access_log.
Detailed Description:
SELinux has denied the awstats.pl access to potentially mislabeled files
/var/log/httpd/access_log. This means that SELinux will not allow httpd
to use
these files. If httpd should be allowed this access to these files you
should
change the file context to one of the following types,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, etc_t, fonts_t,
fonts_cache_t, ld_so_t, httpd_awstats_content_t, ld_so_cache_t,
shell_exec_t,
configfile, httpd_awstats_script_t, abrt_var_run_t, public_content_t,
sysctl_crypto_t, abrt_t, lib_t, application_exec_type, exec_type,
afs_cache_t,
awstats_var_lib_t, abrt_helper_exec_t, chroot_exec_t,
httpd_awstats_script_exec_t, public_content_rw_t, ld_so_t, bin_t, lib_t,
textrel_shlib_t, rpm_script_tmp_t, locale_t, proc_t, etc_runtime_t, lib_t,
usr_t. Many third party apps install html files in directories that SELinux
policy cannot predict. These directories have to be labeled with a file
context
which httpd can access.
Allowing Access:
If you want to change the file context of /var/log/httpd/access_log so
that the
httpd daemon can access it, you need to execute it using semanage
fcontext -a -t
FILE_TYPE '/var/log/httpd/access_log'.
where FILE_TYPE is one of the following: httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, etc_t, fonts_t, fonts_cache_t, ld_so_t,
httpd_awstats_content_t, ld_so_cache_t, shell_exec_t, configfile,
httpd_awstats_script_t, abrt_var_run_t, public_content_t, sysctl_crypto_t,
abrt_t, lib_t, application_exec_type, exec_type, afs_cache_t,
awstats_var_lib_t,
abrt_helper_exec_t, chroot_exec_t, httpd_awstats_script_exec_t,
public_content_rw_t, ld_so_t, bin_t, lib_t, textrel_shlib_t,
rpm_script_tmp_t,
locale_t, proc_t, etc_runtime_t, lib_t, usr_t. You can look at the
httpd_selinux
man page for additional information.
Additional Information:
Source Context
unconfined_u:system_r:httpd_awstats_script_t:s0
Target Context system_u:object_r:httpd_log_t:s0
Target Objects /var/log/httpd/access_log [ file ]
Source awstats.pl
Source Path /usr/bin/perl
Port <Unknown>
Host <MyDomain>
Source RPM Packages perl-5.10.1-123.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.19-101.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name httpd_bad_labels
Host Name <MyDomain>
Platform Linux <MyDomain> 2.6.34.9-69.fc13.i686 #1 SMP
Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count 1
First Seen Tue 23 Oct 2012 12:59:57 PM PDT
Last Seen Tue 23 Oct 2012 12:59:57 PM PDT
Local ID fbfdf21d-9107-4c18-9045-1e99fc58d39c
Line Numbers
Raw Audit Messages
node=<MyDomain> type=AVC msg=audit(1351022397.831:2991): avc: denied {
read } for pid=20931 comm="awstats.pl" name="access_log" dev=sda8
ino=6211707 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0
tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
node=<MyDomain> type=SYSCALL msg=audit(1351022397.831:2991):
arch=40000003 syscall=5 success=no exit=-13 a0=98ebf08 a1=8000 a2=0 a3=0
items=0 ppid=20396 pid=20931 auid=500 uid=48 gid=488 euid=48 suid=48
fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=2 comm="awstats.pl"
exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_awstats_script_t:s0
key=(null)
================================================================