AWStats
Daniel J Walsh
dwalsh at redhat.com
Thu Oct 27 20:05:19 UTC 2005
Steven Stromer wrote:
> Daniel J Walsh wrote:
>> Steven Stromer wrote:
>>
>>> Hi,
>>>
>>> A few weeks ago, I brought up a problem I was having with SELinux
>>> and AWStats. I am hoping that someone may be able to help. From my
>>> original post:
>>>
>>>> There exists an option in the web reporting pages called 'Update
>>>> Now'. It allows you to update reports from the web server's logs
>>>> without performing the log parsing from the command line. You must
>>>> change the directive 'AllowToUpdateStatsFromBrowser' from 0 to 1 in
>>>> your awstats .conf file to activate this practical feature.
>>>> However, I have understood that the web-based update process needs
>>>> access to the system's httpd access_log file (usually in
>>>> /var/log/httpd). I have changed permissions on this file to
>>>> httpd_sys_script_ra_t, but it was not sufficient to make the update
>>>> feature work.
>>>
>>>
>>> Also, the awstats.pl file has permissions:
>>> -rwxr-xr-x root root system_u:object_r:htpd_sys_script_exec_t
>>> awstats.pl
>>>
>>> I can generate reports from the command line with no problem, but
>>> the web based tool returns an error saying that I do not have proper
>>> permissions.
>>>
>>> I found one reference to another user having the same problem. The
>>> posting is minimal, but implies that 'touch /.autorelabel &&
>>> shutdown -r now' fixed the problem. I basically understand what this
>>> command is intended to do, but I am concerned that executing it
>>> might do more damage to files that I've chcon'ed in the past, than
>>> it will fix.
>>>
>>> Any advice would be much appreciated. Please help!
>>
>> What avc messages are you seeing? You should not need to relabel.
>> But one file may be mislabeled or the policy may not allow it. Look
>> in /var/log/messages or /var/log/audit/audit.log for avc messages.
>
> I've looked in both logs. Attempting to use the update feature in
> AWStats does not write any error messages to either of these log
> files. There are a few avc messages contained in each of the files,
> but none pertain to this problem. Is there anywhere else I can look,
> or does this indicate that the problem is not stemming from an
> SELinux permission problem? Thanks again for the help!
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Usually you can see if it is an SELinux problem by temporarily
turning off SELinux protection.
setenforce 0
Try your http script.
setenforce 1
If it still breaks, it is probably not SELinux's fault; if it works, it is
probably SELinux and you can turn up the auditing by installing policy
sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
Try it out, look for avc messages.
make clean; make load
To reset to less auditing.
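
An added example, not part of the original message: once auditing is turned up as described above, a filter like this narrows the avc messages to the denials raised by the CGI script's domain. It assumes the script runs as httpd_sys_script_t; the function names avc_summary and sample_log and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list AVC denials whose source domain matches $1.
# Reads audit.log or /var/log/messages text on stdin and prints
# "<count> <perms> <tclass> <target_type> <comm>" per distinct denial.
avc_summary() {
    awk -v dom="$1" '
    /avc:[ ]+denied/ {
        perms = ""; comm = "-"; st = ""; tt = ""; cls = ""
        # Permissions are the words between "{" and "}".
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
            # Contexts are user:role:type[:level]; the type is field 3.
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
        }
        if (st == dom) seen[perms " " cls " " tt " " comm]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Constructed sample lines (assumed format, not taken from this thread).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1130443501.101:11): avc:  denied  { read } for  pid=2345 comm="awstats.pl" name="access_log" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file
type=SYSCALL msg=audit(1130443501.101:11): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1130443502.202:12): avc:  denied  { read } for  pid=2346 comm="awstats.pl" name="access_log" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file
type=AVC msg=audit(1130443503.303:13): avc:  denied  { write add_name } for  pid=2346 comm="awstats.pl" name="awstats" dev=dm-0 ino=2002 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_lib_t tclass=dir
type=AVC msg=audit(1130443504.404:14): avc:  denied  { read } for  pid=1801 comm="dhclient" name="resolv.conf" dev=dm-0 ino=3003 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
EOF
}

sample_log | avc_summary httpd_sys_script_t
```

On a real system the input would be /var/log/audit/audit.log or /var/log/messages instead of sample_log; an empty result for the script's domain after the browser update fails points away from SELinux.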