Awstats search access denied

Geert Janssens geert at kobaltwit.be
Tue May 28 09:59:35 UTC 2013


On Tuesday 28 May 2013 11:28:06 Dominick Grift wrote:
> On Tue, 2013-05-28 at 10:26 +0200, Geert Janssens wrote:
> > type=AVC msg=audit(1369468867.049:94733): avc:  denied  { search } for 
> > pid=7230 comm="awstats.pl" name="www" dev=xvda ino=5832775
> > scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
> > 
> > Next I'm confused with the labels. The file is labeled
> > system_u:object_r:httpd_log_t:s0, but the avc seems to complain about
> > system_u:object_r:httpd_sys_content_t:s0
> The awstats.pl command was trying to "traverse" the "(/var/)www"
> directory, which is labeled rightfully httpd_sys_content_t.
> 
> I can get all that information (and more) by analyzing the "type=AVC"
> line above.
> 
> Either you have "misconfigured" awstats (what business does awstats.pl
> have with webserver content?) or you need to adjust the policy to
> reflect your particular configuration

Thanks for spelling out the AVC for me. But what exactly does "traverse" mean in this context? Does it simply mean that awstats is trying to access a file somewhere in the tree below /var/www? Or is it trying to read the contents of /var/www directly for some reason?

This particular server is hosting websites for multiple clients. Each client has access (via ftps) 
to a subdirectory somewhere in /var/www. They can use this access to manage their websites.
In addition, to give each client access to the weblogs for his/her own website, we had decided 
to write logs per website to a log directory inside the client's hosting space. This directory is 
only accessible via ftps, not via http.

And that's why awstats needs access to /var/www. With the latest security updates something 
must have changed, because this configuration worked before I applied them.

But regardless of what worked before, what would you suggest as a solution for my situation ?

Geert
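Added example (not part of the thread, and not code from the SELinux or awstats projects): a small Python parser that takes the quoted AVC record, pulls out the subject and object types, the permission and the object class, and prints the kind of explanation given above. In SELinux a "search" check on class "dir" is the check made when a path lookup passes through that directory, so a denial of search on "www" means the process was traversing /var/www on its way to something below it, not reading the directory listing (that would be "read"). The module text the script emits has the same shape as the output of audit2allow -M; the module name "awstats_local" and the sample line (re-joined onto one line from the mail) are assumptions of this example.

```python
import re

# Constructed sample: the AVC record quoted in the mail, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1369468867.049:94733): avc:  denied  { search } for '
    'pid=7230 comm="awstats.pl" name="www" dev=xvda ino=5832775 '
    'scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'
)

# "avc:  denied  { search }" -> result and the permission set in braces.
_PERMS_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}')
# key=value pairs; values may be quoted (comm="awstats.pl") or bare.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field (third component) of a user:role:type:level context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit AVC record into the fields a policy writer cares about."""
    m = _PERMS_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record: %r' % line)
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError('AVC record lacks %s' % required)
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'path': fields.get('path'),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def explain(avc):
    """Render the record in plain words, spelling out what dir:search means."""
    obj = avc['path'] or avc['name'] or '<unknown>'
    text = '%s (pid %s, running as %s) was %s %s on %s "%s" labeled %s.' % (
        avc['comm'], avc['pid'], avc['source_type'], avc['result'],
        ' '.join(avc['perms']), avc['tclass'], obj, avc['target_type'])
    if avc['tclass'] == 'dir' and 'search' in avc['perms']:
        text += (' "search" on a directory is the permission checked when a path'
                 ' lookup passes through it: the process was trying to traverse'
                 ' the directory to reach something below it, not to list it.')
    return text


def allow_rule(avc):
    """The single TE allow rule that would permit exactly this access."""
    return 'allow %s %s:%s { %s };' % (
        avc['source_type'], avc['target_type'], avc['tclass'], ' '.join(avc['perms']))


def te_module(name, avcs):
    """Assemble a loadable-module source (.te) covering a list of parsed records."""
    types = sorted({a['source_type'] for a in avcs} | {a['target_type'] for a in avcs})
    classes = {}
    for a in avcs:
        classes.setdefault(a['tclass'], set()).update(a['perms'])
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['    type %s;' % t for t in types]
    lines += ['    class %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ['}', '']
    lines += [allow_rule(a) for a in avcs]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(explain(rec))
    print()
    print(te_module('awstats_local', [rec]))
```

The generated rule only covers the one denial in this record; once search on /var/www is allowed, awstats will usually trip further denials (search on the client subdirectories, then write or append on the log files themselves), each of which would need to be fed through the same parser, and every added allow widens what awstats_t may touch under the web content tree. The other way out, consistent with the "misconfigured" reading above, is to put the per-client log directories under a path that already carries httpd_log_t so that no new policy is required.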