AWStats

[Daniel J Walsh]

Steven Stromer wrote:
> Daniel J Walsh wrote:
>> Steven Stromer wrote:
>>
>>> Hi,
>>>
>>> A few weeks ago, I brought up a problem I was having with SELinux 
>>> and AWStats. I am hoping that someone may be able to help. From my 
>>> original post:
>>>
>>>> There exists an option in the web reporting pages called 'Update 
>>>> Now'. It allows you to update reports from the web server's logs 
>>>> without performing the log parsing from the command line. You must 
>>>> change the directive 'AllowToUpdateStatsFromBrowser' from 0 to 1 in 
>>>> your awstats .conf file to activate this practical feature. 
>>>> However, I have understand that the web-based update process needs 
>>>> access to the system's httpd access_log file (usually in 
>>>> /var/log/httpd). I have changed permissions on this file to 
>>>> httpd_sys_script_ra_t, but it was not sufficient to make the update 
>>>> feature work. 
>>>
>>>
>>> Also, the awstats.pl file has permissions:
>>> -rwxr-xr-x root root system_u:object_r:htpd_sys_script_exec_t 
>>> awstats.pl
>>>
>>> I can generate reports from the command line with no problem, but 
>>> the web based tool returns an error saying that I do not have proper 
>>> permissions.
>>>
>>> I found one reference to another user having the same problem. The 
>>> posting is minimal, but implies that 'touch /.autorelabel && 
>>> shutdown -r now' fixed the problem. I basically understand what this 
>>> command is intended to do, but I am concerned that executing it 
>>> might do more damage to files that I've chcon'ed in the past, than 
>>> it will fix.
>>>
>>> Any advise would be much appreciated. Please help!
>>
>> What avc messages are you seeing?  You should not need to relabel.  
>> But one file may be mislabeled or the policy may not allow it.  Look 
>> in /var/log/messages or /var/log/audit/audit.log for avc message.
>
> I've looked in both logs. Attempting to use the update feature in 
> AWStats does not write any error messages to either of these log 
> files. There are a few avc messages contained in each of the files, 
> but none pertain to this problem. Is there anywhere else I can look, 
> or does this indicated that the problem is not stemming from an 
> SELinux permission problem? Thanks again for the help!
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Usually you can see if it is an selinux problable, by temporarily 
turning off selinux protection.

setenforce 0
Try you http script.

setenforce 1

If it still breaks, it probably is not SELinux fault, if it works, it is 
probably selinux and you can turn up the auditing by installing policy 
sources

cd /etc/selinux/targeted/src/policy
make enableaudit; make load

Try it out, Look for avc messages.

make clean; make load

To reset to less auditing.

--