Steven Stromer wrote:
Daniel J Walsh wrote:
Steven Stromer wrote:
Hi,
A few weeks ago, I brought up a problem I was having with SELinux
and AWStats. I am hoping that someone may be able to help. From my
original post:
There exists an option in the web reporting pages called 'Update
Now'. It allows you to update reports from the web server's logs
without performing the log parsing from the command line. You must
change the directive 'AllowToUpdateStatsFromBrowser' from 0 to 1 in
your awstats .conf file to activate this practical feature.
However, I understand that the web-based update process needs
access to the system's httpd access_log file (usually in
/var/log/httpd). I have changed permissions on this file to
httpd_sys_script_ra_t, but it was not sufficient to make the update
feature work.
Also, the awstats.pl file has permissions:
-rwxr-xr-x root root system_u:object_r:htpd_sys_script_exec_t awstats.pl
I can generate reports from the command line with no problem, but
the web based tool returns an error saying that I do not have proper
permissions.
I found one reference to another user having the same problem. The
posting is minimal, but implies that 'touch /.autorelabel &&
shutdown -r now' fixed the problem. I basically understand what this
command is intended to do, but I am concerned that executing it
might do more damage to files that I've chcon'ed in the past, than
it will fix.
Any advice would be much appreciated. Please help!
What avc messages are you seeing? You should not need to relabel.
But one file may be mislabeled or the policy may not allow it. Look
in /var/log/messages or /var/log/audit/audit.log for avc messages.
I've looked in both logs. Attempting to use the update feature in
AWStats does not write any error messages to either of these log
files. There are a few avc messages contained in each of the files,
but none pertain to this problem. Is there anywhere else I can look,
or does this indicate that the problem is not stemming from an
SELinux permission problem? Thanks again for the help!
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Usually you can see if it is an SELinux problem by temporarily
turning off SELinux protection.
setenforce 0
Try your http script.
setenforce 1
If it still breaks, it is probably not SELinux's fault. If it works, it is
probably SELinux, and you can turn up the auditing by installing policy
sources:
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
Try it out. Look for avc messages.
make clean; make load
To reset to less auditing.
--
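The "look for avc messages" step from the reply above, as an added example that is not part of the original thread: a shell function that summarises AVC denials for one source domain, so denials from the web script stand out from unrelated ones. The function names, the choice of httpd_sys_script_t as the script's domain, and the log lines are assumptions; the log lines are constructed sample data, not taken from the poster's system.

```shell
#!/bin/sh
# Added example. Constructed sample log lines; real input would be
# /var/log/audit/audit.log or /var/log/messages.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1100000001.100:11): avc:  denied  { read } for  pid=2301 comm="awstats.pl" name="access_log" dev=hda2 ino=4101 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file
type=AVC msg=audit(1100000002.200:12): avc:  denied  { read } for  pid=2302 comm="awstats.pl" name="access_log" dev=hda2 ino=4101 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file
type=AVC msg=audit(1100000003.300:13): avc:  denied  { write } for  pid=2302 comm="awstats.pl" name="awstats" dev=hda2 ino=5202 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_lib_t tclass=dir
type=AVC msg=audit(1100000004.400:14): avc:  denied  { search } for  pid=1500 comm="ntpd" name="root" dev=hda2 ino=77 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1100000004.400:14): arch=40000003 syscall=5 success=no exit=-13
EOF
}

# avc_summary LOGFILE SOURCE_TYPE
# Prints: COUNT COMM PERMS TCLASS TARGET_TYPE NAME, one line per distinct denial.
avc_summary() {
    log=$1 stype=$2
    grep 'avc: *denied' "$log" | awk -v stype="$stype" '
    {
        perms = ""; comm = "?"; name = "?"; src = ""; tgt = ""; cls = ""
        # Permissions are listed between the braces, e.g. { read append }
        b = index($0, "{"); e = index($0, "}")
        if (b && e > b) {
            perms = substr($0, b + 1, e - b - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            # Contexts are user:role:type, the type is the third part
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == stype) count[comm " " perms " " cls " " tgt " " name]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# Demo run on the constructed sample
tmp=$(mktemp); sample_log > "$tmp"
avc_summary "$tmp" httpd_sys_script_t
rm -f "$tmp"
```

An empty result while the script still fails with enforcing on is the case the reply addresses with `make enableaudit`: the denial may simply not be audited.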