Hi.
I found that webalizer does not work from cron on FedoraCore2.
It seems that there is no policy for webalizer. I wrote a policy for webalizer. I tested it from the command line and from cron. Please use it.
(1) Copy the webalizer policies to the policy source dir:
# cp webalizer.te /etc/security/selinux/src/policy/domains/program
# cp webalizer.fc /etc/security/selinux/src/policy/file_contexts/program
(2) Append the following to /etc/security/selinux/src/policy/domains/program/apache.te:
r_dir_file(httpd_t,webalizer_usage_t)
(3) Reload the policy and relabel:
# cd /etc/security/selinux/src/policy/
# make reload
# setfiles file_contexts/file_contexts /usr/bin /var /etc
Thank you.
--
Yuichi Nakamura
Japan SELinux Users Group (JPSEG)
http://www.selinux.gr.jp/
On Sun, 27 Jun 2004 21:33, Yuichi Nakamura himainu-ynakam@miomio.jp wrote:
> I found that webalizer does not work from cron on FedoraCore2.
> It seems that there is no policy for webalizer. I wrote a policy for webalizer. I tested it from the command line and from cron. Please use it.
I think you should use etc_domain(webalizer) instead of defining webalizer_conf_t and var_lib_domain(webalizer) instead of webalizer_write_t.
We could have /var/www/usage labelled as httpd_sys_content_t. That gives fewer types (less pain) for no significant decrease in security. I should probably make a similar change to calamaris_t.
For access to locale_t you want read_locale(webalizer_t).
As a general rule we don't want to allow any daemons access to the administrator console if we can avoid it. I'm not sure what the best thing to do for webalizer is in this regard.
I've made some minor changes, please check the attached files and tell me what you think.
PS I've been running webalizer in logrotate_t domain for a couple of years. This isn't ideal though as I needed to put some entries in custom.te for it - not something I could distribute. Having a webalizer_t is a good improvement.
I checked your changes and webalizer worked, thank you.
Russell Coker russell@coker.com.au wrote:
> As a general rule we don't want to allow any daemons access to the administrator console if we can avoid it. I'm not sure what the best thing to do for webalizer is in this regard.
I am not sure. What can an attacker do when he obtains write access to the console file?
> We could have /var/www/usage labelled as httpd_sys_content_t. That gives fewer types (less pain) for no significant decrease in security. I should probably make a similar change to calamaris_t.
I think we should pay attention when we give write access to the homepage, because many users think the homepage is important. In this configuration, if an attacker obtains the webalizer_t domain in some way, he can compromise the whole homepage. And if the administrator misconfigures /etc/webalizer.conf, the homepage may be broken. I think we should give a new type to /var/www/usage.
--
Yuichi Nakamura
Japan SELinux Users Group (JPSEG)
http://www.selinux.gr.jp/
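To make the discussion concrete, here is a constructed webalizer.te in the FC2-era macro style that combines the install steps above with Russell's suggestions (etc_domain, var_lib_domain, read_locale) and Yuichi's separate webalizer_usage_t for /var/www/usage. It is an added illustration, not the files attached to these mails, and the macros not quoted in the thread (daemon_base_domain, create_dir_file, domain_auto_trans) and the log types are assumed from the policy of that period.

```m4
#DESC Webalizer - web server log analysis
#
# Constructed example policy for this thread; not the attached files.
# Assumes the FC2 strict-policy macros of the time.
#
# webalizer_t is the process domain, webalizer_exec_t the executable type.
daemon_base_domain(webalizer)

# /etc/webalizer.conf -> webalizer_etc_t, read-only for webalizer_t
# (instead of a hand-defined webalizer_conf_t).
etc_domain(webalizer)

# /var/lib/webalizer -> webalizer_var_lib_t, read/write for webalizer_t
# (incremental history and DNS cache; instead of webalizer_write_t).
var_lib_domain(webalizer)

# Separate type for the report directory /var/www/usage, so a compromised
# or misconfigured webalizer_t can only overwrite its own reports and not
# the rest of the site labelled httpd_sys_content_t.
type webalizer_usage_t, file_type, sysadmfile;
create_dir_file(webalizer_t, webalizer_usage_t)

# Read the Apache logs it analyses (assumed types).
r_dir_file(webalizer_t, var_log_t)
r_dir_file(webalizer_t, httpd_log_t)

# Locale data, as suggested in the thread.
read_locale(webalizer_t)

# Apache serves the generated reports; this is the line the original
# mail appends to apache.te, shown here for completeness.
r_dir_file(httpd_t, webalizer_usage_t)

# Enter webalizer_t both from cron and from the administrator's shell.
domain_auto_trans(system_crond_t, webalizer_exec_t, webalizer_t)
domain_auto_trans(sysadm_t, webalizer_exec_t, webalizer_t)
role sysadm_r types webalizer_t;

# Matching webalizer.fc entries (separate file), shown as comments:
# /usr/bin/webalizer      --  system_u:object_r:webalizer_exec_t
# /etc/webalizer.conf     --  system_u:object_r:webalizer_etc_t
# /var/lib/webalizer(/.*)?    system_u:object_r:webalizer_var_lib_t
# /var/www/usage(/.*)?        system_u:object_r:webalizer_usage_t
```

Note that the last block deliberately omits any rule allowing webalizer_t to write to admin_tty_type, the console access Russell wanted to avoid; a run from the administrator's shell then logs a denial rather than being granted the tty.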