AWStats Update-now link has permissions issues

Dan Thurman dant at cdkkt.com
Tue Oct 23 21:34:30 UTC 2012 

On 10/23/2012 01:31 PM, Dominick Grift wrote:
> does it work in permissive mode?
>
> if so then do you see avc denials, can you enclose them?

Clicking 'Update now' I get:
{setenforce 0 or 1 flags AVC denials & setroubleshooter.}

1) AWStats config file: EnableLockForUpdate=1

Error: Failed to create lock file /tmp/awstats.<mydomain>.lock

================================================================
Summary:

SELinux is preventing /usr/bin/perl "write" access on /tmp.

Detailed Description:

SELinux denied access requested by awstats.pl. It is not expected that this
access is required by awstats.pl and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context               
unconfined_u:system_r:httpd_awstats_script_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp [ dir ]
Source                        awstats.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <mydomain>
Source RPM Packages           perl-5.10.1-123.fc13
Target RPM Packages           filesystem-2.4.31-1.fc13
Policy RPM                    selinux-policy-3.7.19-101.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     <mydomain>
Platform                      Linux <mydomain> 2.6.34.9-69.fc13.i686 #1 SMP
                              Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Tue 23 Oct 2012 12:31:25 PM PDT
Last Seen                     Tue 23 Oct 2012 02:18:38 PM PDT
Local ID                      26bf7878-8dca-48c3-991e-13d87a87256c
Line Numbers                 

Raw Audit Messages           

node=<mydomain> type=AVC msg=audit(1351027118.95:3168): avc:  denied  {
write } for  pid=28438 comm="awstats.pl" name="tmp" dev=sda8 ino=1835010
scontext=unconfined_u:system_r:httpd_awstats_script_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=<mydomain> type=SYSCALL msg=audit(1351027118.95:3168):
arch=40000003 syscall=5 success=no exit=-13 a0=9e6a808 a1=8241 a2=1b6
a3=0 items=0 ppid=20402 pid=28438 auid=500 uid=48 gid=488 euid=48
suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=2
comm="awstats.pl" exe="/usr/bin/perl"
subj=unconfined_u:system_r:httpd_awstats_script_t:s0 key=(null)
================================================================



2) AWStats config file: EnableLockForUpdate=0

 Error: Couldn't open server log file "/var/log/httpd/access_log" :
Permission denied
*Setup ('/etc/awstats/awstats.mydomain.conf' file, web server or
permissions) may be wrong.*
Check config file, permissions and AWStats documentation (in 'docs'
directory).

================================================================
Summary:

SELinux is preventing /usr/bin/perl from using potentially mislabeled files
/var/log/httpd/access_log.

Detailed Description:

SELinux has denied the awstats.pl access to potentially mislabeled files
/var/log/httpd/access_log. This means that SELinux will not allow httpd
to use
these files. If httpd should be allowed this access to these files you
should
change the file context to one of the following types,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, etc_t, fonts_t,
fonts_cache_t, ld_so_t, httpd_awstats_content_t, ld_so_cache_t,
shell_exec_t,
configfile, httpd_awstats_script_t, abrt_var_run_t, public_content_t,
sysctl_crypto_t, abrt_t, lib_t, application_exec_type, exec_type,
afs_cache_t,
awstats_var_lib_t, abrt_helper_exec_t, chroot_exec_t,
httpd_awstats_script_exec_t, public_content_rw_t, ld_so_t, bin_t, lib_t,
textrel_shlib_t, rpm_script_tmp_t, locale_t, proc_t, etc_runtime_t, lib_t,
usr_t. Many third party apps install html files in directories that SELinux
policy cannot predict. These directories have to be labeled with a file
context
which httpd can access.

Allowing Access:

If you want to change the file context of /var/log/httpd/access_log so
that the
httpd daemon can access it, you need to execute it using semanage
fcontext -a -t
FILE_TYPE '/var/log/httpd/access_log'.
where FILE_TYPE is one of the following: httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, etc_t, fonts_t, fonts_cache_t, ld_so_t,
httpd_awstats_content_t, ld_so_cache_t, shell_exec_t, configfile,
httpd_awstats_script_t, abrt_var_run_t, public_content_t, sysctl_crypto_t,
abrt_t, lib_t, application_exec_type, exec_type, afs_cache_t,
awstats_var_lib_t,
abrt_helper_exec_t, chroot_exec_t, httpd_awstats_script_exec_t,
public_content_rw_t, ld_so_t, bin_t, lib_t, textrel_shlib_t,
rpm_script_tmp_t,
locale_t, proc_t, etc_runtime_t, lib_t, usr_t. You can look at the
httpd_selinux
man page for additional information.

Additional Information:

Source Context               
unconfined_u:system_r:httpd_awstats_script_t:s0
Target Context                system_u:object_r:httpd_log_t:s0
Target Objects                /var/log/httpd/access_log [ file ]
Source                        awstats.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <MyDomain>
Source RPM Packages           perl-5.10.1-123.fc13
Target RPM Packages          
Policy RPM                    selinux-policy-3.7.19-101.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     <MyDomain>
Platform                      Linux <MyDomain> 2.6.34.9-69.fc13.i686 #1 SMP
                              Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Tue 23 Oct 2012 12:59:57 PM PDT
Last Seen                     Tue 23 Oct 2012 12:59:57 PM PDT
Local ID                      fbfdf21d-9107-4c18-9045-1e99fc58d39c
Line Numbers                 

Raw Audit Messages           

node=<MyDomain> type=AVC msg=audit(1351022397.831:2991): avc:  denied  {
read } for  pid=20931 comm="awstats.pl" name="access_log" dev=sda8
ino=6211707 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0
tcontext=system_u:object_r:httpd_log_t:s0 tclass=file

node=<MyDomain> type=SYSCALL msg=audit(1351022397.831:2991):
arch=40000003 syscall=5 success=no exit=-13 a0=98ebf08 a1=8000 a2=0 a3=0
items=0 ppid=20396 pid=20931 auid=500 uid=48 gid=488 euid=48 suid=48
fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=2 comm="awstats.pl"
exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_awstats_script_t:s0
key=(null)
================================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/selinux/attachments/20121023/620d11e3/attachment.html>

More information about the selinux mailing list