Steven Stromer wrote:
Daniel J Walsh wrote:
> Steven Stromer wrote:
>
>> Hi,
>>
>> A few weeks ago, I brought up a problem I was having with SELinux
>> and AWStats. I am hoping that someone may be able to help. From my
>> original post:
>>
>>> There exists an option in the web reporting pages called 'Update
>>> Now'. It allows you to update reports from the web server's logs
>>> without performing the log parsing from the command line. You must
>>> change the directive 'AllowToUpdateStatsFromBrowser' from 0 to 1 in
>>> your awstats .conf file to activate this practical feature.
>>> However, I understand that the web-based update process needs
>>> access to the system's httpd access_log file (usually in
>>> /var/log/httpd). I have changed permissions on this file to
>>> httpd_sys_script_ra_t, but it was not sufficient to make the update
>>> feature work.
>>
>>
>> Also, the awstats.pl file has permissions:
>> -rwxr-xr-x root root system_u:object_r:htpd_sys_script_exec_t
>> awstats.pl
>>
>> I can generate reports from the command line with no problem, but
>> the web based tool returns an error saying that I do not have proper
>> permissions.
>>
>> I found one reference to another user having the same problem. The
>> posting is minimal, but implies that 'touch /.autorelabel &&
>> shutdown -r now' fixed the problem. I basically understand what this
>> command is intended to do, but I am concerned that executing it
>> might do more damage to files that I've chcon'ed in the past, than
>> it will fix.
>>
>> Any advice would be much appreciated. Please help!
>
> What avc messages are you seeing? You should not need to relabel.
> But one file may be mislabeled or the policy may not allow it. Look
> in /var/log/messages or /var/log/audit/audit.log for avc messages.
I've looked in both logs. Attempting to use the update feature in
AWStats does not write any error messages to either of these log
files. There are a few avc messages contained in each of the files,
but none pertain to this problem. Is there anywhere else I can look,
or does this indicate that the problem is not stemming from an
SELinux permission problem? Thanks again for the help!
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Usually you can see if it is an selinux problem, by temporarily
turning off selinux protection.
    setenforce 0
Try your http script.
    setenforce 1
If it still breaks, it probably is not SELinux's fault; if it works, it is
probably selinux and you can turn up the auditing by installing policy
sources
    cd /etc/selinux/targeted/src/policy
    make enableaudit; make load
Try it out, look for avc messages.
    make clean; make load
To reset to less auditing.
--
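
Added example, not part of the thread: a shell helper for the "look for avc messages" step above, summarising denials for one source domain such as httpd_sys_script_t. The function names and the sample log lines are constructed for illustration; the lines follow the audit.log AVC format.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC denials for one source
# domain, for reading the log after "make enableaudit; make load".
# Usage: avc_summary LOGFILE DOMAIN
#   e.g. avc_summary /var/log/audit/audit.log httpd_sys_script_t
avc_summary() {
    awk -v dom="$2" '
    /avc:/ && /denied/ {
        perms = ""; name = "-"; sctx = ""; tctx = ""; cls = ""
        # Permissions are listed between "{" and "}".
        a = index($0, "{"); b = index($0, "}")
        if (a && b > a) {
            perms = substr($0, a + 1, b - a - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      sctx = substr($i, 10)
            else if ($i ~ /^tcontext=/) tctx = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls  = substr($i, 8)
            else if ($i ~ /^name=/)   { name = substr($i, 6); gsub(/"/, "", name) }
        }
        # A context is user:role:type; the type is the third field.
        split(sctx, s, ":"); split(tctx, t, ":")
        if (s[3] != dom) next
        count[perms " " cls " " t[3] " " name]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort
}

# Constructed sample lines in the audit.log AVC format (not taken from the thread).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1120000000.101:201): avc:  denied  { read } for  pid=2301 comm="awstats.pl" name="access_log" dev=dm-0 ino=4101 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file
type=AVC msg=audit(1120000004.455:202): avc:  denied  { read } for  pid=2307 comm="awstats.pl" name="access_log" dev=dm-0 ino=4101 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file
type=AVC msg=audit(1120000004.460:203): avc:  denied  { write } for  pid=2307 comm="awstats.pl" name="awstats" dev=dm-0 ino=4200 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_lib_t tclass=dir
type=AVC msg=audit(1120000009.002:204): avc:  denied  { getattr } for  pid=1999 comm="ntpd" name="drift" dev=dm-0 ino=5120 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file
EOF
}

# Demo run on the constructed sample: count, permissions, class, target type, name.
tmp=$(mktemp) && sample_log > "$tmp"
avc_summary "$tmp" httpd_sys_script_t
rm -f "$tmp"
```

Each output line names the denied permission and the target type, which shows whether one file is mislabeled or the policy does not allow the access.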