I checked your changes and webalizer worked, thank you.
Russell Coker <russell(a)coker.com.au> wrote:
As a general rule we don't want to allow any daemons access to
the
administrator console if we can avoid it. I'm not sure what the best thing
to do for webalizer is in this regard.
I am not sure.
What can attacker do , when he obtains write access right to console file?
We could have /var/www/usage labelled as httpd_sys_content_t. That
gives less
types (less pain) for no significant decrease in security. I should probably
make a similar change to calamaris_t.
I think we should pay attention when we give
write access to homepage,
because many users think homepage is important.
In this configuration, if attacker has webalizer_t domain by some way,
he can compromise whole homepages.
And if administrator misconfigured /etc/webalizer.conf, homepages may be broken.
I think we should give new type to /var/www/usage .
---
Yuichi Nakamura
Japan SELinux Users Group(JPSEG)
http://www.selinux.gr.jp/