Dear Mickey,
I noticed your post right before going to lunch. I was planning on
responding when I got back, but you beat me to the punch! Thanks for
your response. I believe that you are 90% of the way to your destination...
# ls -Z /usr/share/awstats/wwwroot/cgi-bin/
-rwxr-xr-x root root system_u:object_r:usr_t awredir.pl
-rwxr-xr-x root root system_u:object_r:usr_t awstats.pl
Changing the type gets the script running:
# chcon -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin/*
# ls -Z /usr/share/awstats/wwwroot/cgi-bin/
-rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t awredir.pl
-rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t awstats.pl
This is correct, so far.
However, the script reports an error.
Error: AWStats database directory defined in config file by 'DirData'
parameter (/var/lib/awstats) does not exist or is not writable.
# ls -Z /var/lib
...
drwxr-xr-x root root system_u:object_r:var_lib_t awstats
...
Changing the type allows the script to run:
# chcon -t httpd_sys_script_rw_t /var/lib/awstats
# ls -Z /var/lib
...
drwxr-xr-x root root system_u:object_r:httpd_sys_script_rw_t awstats
...
You have changed the policy on the /var/lib/awstats folder, but not on
its contents, as you successfully did on the files in the cgi-bin,
above. In the case of the cgi-bin, it seems you achieved this with a
wildcard (*). Just chcon the contents (the actual AWStats databases) in
/var/lib/awstats, and you'll be good to go. You can do this one file at
a time, or by using a wildcard (*) as you did above, or, best of all,
recursively through the directory for all time, with:
chcon -R -h -t httpd_sys_script_ra_t /var/lib/awstats
This will make the existing contents of the directory, and any new
databases added to the directory in the future (db's for new virtual
hosts, for instance) properly permissioned, so long as future files
added to the directory are created properly.
(You might note that I recommended chcon'ing your awstats database
folder _ra_t, and not _rw_t, as you had done originally. This just
removes the right of awstats.pl to ever erase one of the databases.)
This should get your web reporting working. However, it does not resolve
the final issue, which I am still working out. There exists an option in
the web reporting pages called 'Update Now'. It allows you to update
reports from the web server's logs without performing the log parsing
from the command line. You must change the directive
'AllowToUpdateStatsFromBrowser' from 0 to 1 in your awstats .conf file
to activate this practical feature. However, I have found that the
web-based update process needs access to the system's httpd access_log
file (usually in /var/log/httpd). I have changed permissions on this
file to httpd_sys_script_ra_t, but it was not sufficient to make the
update feature work. Hopefully, someone will be able to help here. I'll
post if I get the answer.
Finally, I noticed that the changes to policy would not take until I
closed the browser window in which I was trying to access AWStats, and
reloaded it in a new window.
Hope this helps,
Steven Stromer
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
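
The failure mode discussed in the message above (a directory relabeled with chcon while its existing contents keep the old type) can be checked mechanically. The following is an added example, not part of the original post or of AWStats: a hypothetical `mislabeled` shell function that reads `ls -Z` output and lists entries whose SELinux type is not the expected one. The listing and file names are constructed, and names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the original post): audit `ls -Z` output for
# entries whose SELinux type differs from the expected one.

# mislabeled EXPECTED_TYPE  (hypothetical helper name)
# Reads `ls -Z` lines on stdin, prints "name actual_type" for every entry
# whose type is not EXPECTED_TYPE. Exit status: 0 = all match, 1 = mismatch.
# Assumes file names contain no whitespace.
mislabeled() {
    awk -v want="$1" '
        {
            ctx = ""
            # The context is the first field shaped user:role:type[:level],
            # which works with or without the mode/owner columns.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+(:.*)?$/) { ctx = $i; break }
            if (ctx == "") next            # skip "..." or "total N" lines
            split(ctx, part, ":")
            if (part[3] != want) { print $NF, part[3]; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed listing of /var/lib/awstats after only the directory itself
# was relabeled: the two older databases keep var_lib_t, while a file
# created afterwards inherited the directory's new type.
sample_listing() {
    cat <<'EOF'
-rw-r--r-- apache apache system_u:object_r:var_lib_t awstats052005.example.txt
-rw-r--r-- apache apache system_u:object_r:var_lib_t awstats062005.example.txt
-rw-r--r-- apache apache system_u:object_r:httpd_sys_script_rw_t awstats072005.example.txt
EOF
}

if ! sample_listing | mislabeled httpd_sys_script_rw_t; then
    echo "contents above still need the type applied to the directory" >&2
fi
```

On a live system, pipe the real listing in, for example `ls -Z /var/lib/awstats | mislabeled httpd_sys_script_ra_t` after the recursive chcon recommended in the message.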