rpms/awstats/devel awstats.README.SELinux, NONE, 1.1 awstats.spec, 1.11, 1.12
Aurelien Bompard (abompard)
fedora-extras-commits at redhat.com
Wed Apr 12 19:16:45 UTC 2006
Author: abompard
Update of /cvs/extras/rpms/awstats/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24814
Modified Files:
awstats.spec
Added Files:
awstats.README.SELinux
Log Message:
add selinux support
--- NEW FILE awstats.README.SELinux ---
==========================
SELinux support in AWStats
==========================
What is the problem ?
---------------------
AWStats is a CGI script, and needs to be labelled correctly to be called
from Apache.
The files in ``/usr/share/awstats/wwwroot/cgi-bin`` need to have the
``httpd_sys_script_exec_t`` type, and the databases files in
``/var/lib/awstats`` need to have the ``httpd_sys_script_rw_t`` type.
How do we solve it ?
--------------------
You can change the type with the ``chcon`` command::
chcon -R -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin
chcon -R -t httpd_sys_script_rw_t /var/lib/awstats
But these modifications will be lost if the system is relabeled (you can
request a relabel with the system-config-security tool).
To make these changes permanent, this package sets the contexts by running
the following commands::
semanage fcontext -a -t httpd_sys_script_exec_t \
'/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?'
Please send your bug reports (if any ;) ) to https://bugzilla.redhat.com
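Review bot: the "How do we solve it ?" section presents `semanage fcontext -a` as what makes the labels permanent, but never says how the recorded rules get applied to files that already exist, so the only labelling command a reader sees is the non-persistent `chcon`. Add a line telling the admin to run `restorecon -R` on `/usr/share/awstats/wwwroot/cgi-bin` and `/var/lib/awstats`, which applies the stored contexts and is also the way to repair labels that have drifted.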
Index: awstats.spec
===================================================================
RCS file: /cvs/extras/rpms/awstats/devel/awstats.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- awstats.spec 9 Apr 2006 15:30:31 -0000 1.11
+++ awstats.spec 12 Apr 2006 19:16:45 -0000 1.12
@@ -7,13 +7,13 @@
URL: http://awstats.sourceforge.net
Source0: http://dl.sf.net/awstats/awstats-6.5.tar.gz
#Source0: http://awstats.sourceforge.net/files/awstats-6.5.tar.gz
+Source1: awstats.README.SELinux
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: httpd
Requires: perl
-Requires(post): perl
-Requires(postun): /sbin/service
-Requires(pre): policycoreutils
+Requires(post): perl, policycoreutils
+Requires(postun): /sbin/service, policycoreutils
%description
Advanced Web Statistics is a powerful and featureful tool that generates
@@ -31,18 +31,19 @@
With the default configuration, the statistics are available:
http://localhost/awstats/awstats.pl
+
%prep
%setup -q
-
# Fix style sheets.
perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
-
# Fix some bad file permissions here for convenience.
chmod -x tools/httpd_conf
find tools/xslt -type f | xargs chmod -x
-
# Remove \r in conf file (file written on MS Windows)
perl -pi -e 's/\r//g' tools/httpd_conf
+# SELinux README
+cp -a %{SOURCE1} README.SELinux
+
%install
rm -rf $RPM_BUILD_ROOT
@@ -80,7 +81,7 @@
### Commit permanent changes to default configuration
install -p -m 644 wwwroot/cgi-bin/awstats.model.conf \
$RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.model.conf
-%{__perl} -pi -e '
+perl -pi -e '
s|^LogFile=.*$|LogFile="%{_localstatedir}/log/httpd/access_log"|;
s|^DirData=.*$|DirData="%{_localstatedir}/lib/awstats"|;
s|^DirCgi=.*$|DirCgi="/awstats"|;
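Review bot: the switch from `%{__perl}` to bare `perl` on the model.conf substitution (repeated in the next hunk) is unrelated to SELinux support and is not explained in the log message; it makes the build use whichever perl is first in PATH instead of the interpreter rpm's macro resolves to. Keep the macro, or move this to a separate commit with a reason.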
@@ -91,16 +92,17 @@
s|^SaveDatabaseFilesWithPermissionsForEveryone=.*$|SaveDatabaseFilesWithPermissionsForEveryone=0|;
s|^SkipHosts=.*$|SkipHosts="127.0.0.1"|;
s|^Expires=.*$|Expires=3600|;
- ' $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.model.conf
+ ' $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.model.conf
install -p -m 644 $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.{model,localhost.localdomain}.conf
# Fix scripts
-%{__perl} -pi -e 's|/usr/local/awstats|%{_datadir}/awstats|g' \
+perl -pi -e 's|/usr/local/awstats|%{_datadir}/awstats|g' \
$RPM_BUILD_ROOT%{_datadir}/%{name}/tools/{*.pl,httpd_conf}
# Apache configuration
install -p -m 644 tools/httpd_conf $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf
-%{__perl} -pi -e 's|/usr/local|%{_datadir}|g' $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf
+perl -pi -e 's|/usr/local|%{_datadir}|g;s|Allow from all|Allow from 127.0.0.1|g' \
+ $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf
echo "# Additional Perl modules
<IfModule mod_env.c>
SetEnv PERL5LIB %{_datadir}/awstats/lib:%{_datadir}/awstats/plugins
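Review bot: the `s|Allow from all|Allow from 127.0.0.1|g` added to the httpd conf.d substitution is an exact-string match and nothing checks that it matched, so if the shipped `tools/httpd_conf` spells the directive differently the package installs with the original access rule and no build error. Follow the perl call with a grep for `Allow from 127.0.0.1` in the installed `%{name}.conf` that fails %install when the line is absent. The access restriction is also not covered by the log message "add selinux support", so it should be mentioned there or committed separately.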
@@ -114,13 +116,6 @@
rm -rf $RPM_BUILD_ROOT
-%pre
-# Set SELinux types
-semanage fcontext -a -t httpd_sys_script_exec_t \
- '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || :
-semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?' 2>/dev/null || :
-
-
%post
if [ $1 -eq 1 ]; then
if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then
@@ -130,18 +125,28 @@
' > %{_sysconfdir}/%{name}/%{name}.`hostname`.conf || :
fi
fi
+### SELinux support ###
+# Set SELinux file_context
+semanage fcontext -a -t httpd_sys_script_exec_t \
+ '%{_datadir}/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || :
+semanage fcontext -a -t httpd_sys_script_rw_t '%{_localstatedir}/lib/awstats(/.*)?' 2>/dev/null || :
+# Actually change the context
+chcon -R -t httpd_sys_script_exec_t %{_datadir}/awstats/wwwroot/cgi-bin
+chcon -R -t httpd_sys_script_rw_t %{_localstatedir}/lib/awstats
%postun
if [ $1 -ne 0 ]; then
/sbin/service httpd condrestart >/dev/null 2>&1
fi
+# SELinux support
if [ $1 -eq 0 ]; then
semanage fcontext -d -t httpd_sys_script_exec_t \
'/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || :
fi
+
%files
%defattr(-,root,root,755)
# Apache configuration file
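Review bot: the two `chcon -R` lines at the end of the new %post block have no `2>/dev/null || :` guard, unlike the `semanage` calls above them, and the second one is the last command in the scriptlet, so a chcon failure (which can happen on a host where SELinux is disabled) becomes the exit status of %post; guard both the same way. In %postun, the delete removes only the `httpd_sys_script_exec_t` rule and still hard-codes `/usr/share/awstats/...`, while %post now registers `%{_datadir}` and `%{_localstatedir}` patterns; add the matching `semanage fcontext -d` for the `httpd_sys_script_rw_t` rule and use the same macros so that add and delete stay paired.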
@@ -155,7 +160,7 @@
%{_datadir}/%{name}/wwwroot/cgi-bin
# Different defattr to fix lots of files which should not be +x.
%defattr(644,root,root,755)
-%doc README.TXT docs/*
+%doc README.TXT docs/* README.SELinux
%{_datadir}/%{name}/lang
%{_datadir}/%{name}/lib
%{_datadir}/%{name}/plugins
@@ -164,9 +169,12 @@
%{_datadir}/%{name}/wwwroot/icon
%{_datadir}/%{name}/wwwroot/js
+
+
%changelog
* Sun Apr 09 2006 Aurelien Bompard <gauret[AT]free.fr> 6.5-3
- SELinux support: use semanage to label the cgi and the database files
+- Only allow access from localhost by default (this app has a security history)
* Thu Feb 23 2006 Aurelien Bompard <gauret[AT]free.fr> 6.5-2
- rebuild for FC5
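Review bot: the localhost-only bullet is appended to the existing 6.5-3 entry dated Apr 09 instead of a new entry, and the changelog still says nothing about the added README.SELinux or the move of the `semanage` calls from %pre to %post. If 6.5-3 has already been built this needs a new release entry, and in either case the scriptlet move should be listed.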