On 10/23/2012 01:31 PM, Dominick Grift wrote:
> does it work in permissive mode? if so then do you see avc denials, can you enclose them?

Clicking 'Update now' I get: {setenforce 0 or 1 flags AVC denials & setroubleshooter.}

1) AWStats config file: EnableLockForUpdate=1

Error: Failed to create lock file /tmp/awstats.<mydomain>.lock

================================================================
Summary:

SELinux is preventing /usr/bin/perl "write" access on /tmp.

Detailed Description:

SELinux denied access requested by awstats.pl. It is not expected that this access is required by awstats.pl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:httpd_awstats_script_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp [ dir ]
Source                        awstats.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <mydomain>
Source RPM Packages           perl-5.10.1-123.fc13
Target RPM Packages           filesystem-2.4.31-1.fc13
Policy RPM                    selinux-policy-3.7.19-101.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     <mydomain>
Platform                      Linux <mydomain> 2.6.34.9-69.fc13.i686 #1 SMP Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Tue 23 Oct 2012 12:31:25 PM PDT
Last Seen                     Tue 23 Oct 2012 02:18:38 PM PDT
Local ID                      26bf7878-8dca-48c3-991e-13d87a87256c
Line Numbers

Raw Audit Messages

node=<mydomain> type=AVC msg=audit(1351027118.95:3168): avc: denied { write } for pid=28438 comm="awstats.pl" name="tmp" dev=sda8 ino=1835010 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=<mydomain> type=SYSCALL msg=audit(1351027118.95:3168): arch=40000003 syscall=5 success=no exit=-13 a0=9e6a808 a1=8241 a2=1b6 a3=0 items=0 ppid=20402 pid=28438 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=2 comm="awstats.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_awstats_script_t:s0 key=(null)
================================================================

2) AWStats config file: EnableLockForUpdate=0

Error: Couldn't open server log file "/var/log/httpd/access_log" : Permission denied
Setup ('/etc/awstats/awstats.mydomain.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).

================================================================
Summary:

SELinux is preventing /usr/bin/perl from using potentially mislabeled files /var/log/httpd/access_log.

Detailed Description:

SELinux has denied the awstats.pl access to potentially mislabeled files /var/log/httpd/access_log. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, etc_t, fonts_t, fonts_cache_t, ld_so_t, httpd_awstats_content_t, ld_so_cache_t, shell_exec_t, configfile, httpd_awstats_script_t, abrt_var_run_t, public_content_t, sysctl_crypto_t, abrt_t, lib_t, application_exec_type, exec_type, afs_cache_t, awstats_var_lib_t, abrt_helper_exec_t, chroot_exec_t, httpd_awstats_script_exec_t, public_content_rw_t, ld_so_t, bin_t, lib_t, textrel_shlib_t, rpm_script_tmp_t, locale_t, proc_t, etc_runtime_t, lib_t, usr_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /var/log/httpd/access_log so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/var/log/httpd/access_log'.
where FILE_TYPE is one of the following: httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, etc_t, fonts_t, fonts_cache_t, ld_so_t, httpd_awstats_content_t, ld_so_cache_t, shell_exec_t, configfile, httpd_awstats_script_t, abrt_var_run_t, public_content_t, sysctl_crypto_t, abrt_t, lib_t, application_exec_type, exec_type, afs_cache_t, awstats_var_lib_t, abrt_helper_exec_t, chroot_exec_t, httpd_awstats_script_exec_t, public_content_rw_t, ld_so_t, bin_t, lib_t, textrel_shlib_t, rpm_script_tmp_t, locale_t, proc_t, etc_runtime_t, lib_t, usr_t. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_awstats_script_t:s0
Target Context                system_u:object_r:httpd_log_t:s0
Target Objects                /var/log/httpd/access_log [ file ]
Source                        awstats.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <MyDomain>
Source RPM Packages           perl-5.10.1-123.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-101.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     <MyDomain>
Platform                      Linux <MyDomain> 2.6.34.9-69.fc13.i686 #1 SMP Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Tue 23 Oct 2012 12:59:57 PM PDT
Last Seen                     Tue 23 Oct 2012 12:59:57 PM PDT
Local ID                      fbfdf21d-9107-4c18-9045-1e99fc58d39c
Line Numbers

Raw Audit Messages

node=<MyDomain> type=AVC msg=audit(1351022397.831:2991): avc: denied { read } for pid=20931 comm="awstats.pl" name="access_log" dev=sda8 ino=6211707 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file

node=<MyDomain> type=SYSCALL msg=audit(1351022397.831:2991): arch=40000003 syscall=5 success=no exit=-13 a0=98ebf08 a1=8000 a2=0 a3=0 items=0 ppid=20396 pid=20931 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=2 comm="awstats.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_awstats_script_t:s0 key=(null)
================================================================
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
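
Added example, not part of the original message or of any SELinux tool: a small Python parser that reduces the two raw AVC records quoted in the reports above to source type, target type, object class and permission, and renders each group in policy-language `allow` form so the denials can be reviewed side by side. The function names are hypothetical; the two input lines are copied from the message.

```python
import re
from collections import defaultdict

# The two type=AVC records from the setroubleshoot reports in the message.
AUDIT_LINES = [
    'node=<mydomain> type=AVC msg=audit(1351027118.95:3168): avc: denied '
    '{ write } for pid=28438 comm="awstats.pl" name="tmp" dev=sda8 '
    'ino=1835010 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'node=<MyDomain> type=AVC msg=audit(1351022397.831:2991): avc: denied '
    '{ read } for pid=20931 comm="awstats.pl" name="access_log" dev=sda8 '
    'ino=6211707 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 '
    'tcontext=system_u:object_r:httpd_log_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one audit line; return None for anything that is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': m.group('perms').split(),
        'source': selinux_type(m.group('scontext')),
        'target': selinux_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }

def summarize(lines):
    """Group denials by (source, target, class) and merge their permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec['source'], rec['target'], rec['tclass'])
            rules[key].update(rec['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == '__main__':
    print('\n'.join(summarize(AUDIT_LINES)))
```
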