Bug 452173 - awstats incompatible with selinux targeted policy on RHEL5.2
Summary: awstats incompatible with selinux targeted policy on RHEL5.2
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: awstats
Version: el5
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Tim Jackson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-19 20:00 UTC by Ray Van Dolson
Modified: 2008-07-30 19:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-30 16:25:55 UTC



Description Ray Van Dolson 2008-06-19 20:00:07 UTC
Description of problem:
I'm not sure if this is an awstats issue per se or something that needs to be
addressed upstream in the targeted policy.  Figured this would be a good place
to start.

awstats doesn't work "out of the box" with RHEL5.

Version-Release number of selected component (if applicable):
awstats-6.7-2.el5
selinux-policy-targeted-2.4.6-137.el5
selinux-policy-2.4.6-137.el5


How reproducible:
At least once. :-)

Steps to Reproduce:
1. Install RHEL5.1 with SELinux enforcing.
2. Update to RHEL5.2 selinux policies
3. Install awstats
4. Generate reports
5. Attempt to view reports.
  
Actual results:
SELinux stops access.

Expected results:
Successful access.

Additional info:
There were two issues, (1) Apache wouldn't execute awstats.pl and (2) Apache
wasn't allowed to access data in /var/lib/awstats.

To resolve this I did the following:

# semanage fcontext -a -t httpd_sys_script_exec_t \
   '/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
# chcon -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin/aw*
# chcon -R -t httpd_sys_script_ro_t /var/lib/awstats

The suggestions made by audit2allow were too liberal IMO.

Should any of this be in the default policy?  Maybe a document describing the
necessary changes would be warranted?  Perhaps this issue doesn't exist in
Fedora, I haven't tried.

I can provide audit logs too (I think).  Let me know.
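
Added example, not part of the original report and not the reporter's audit logs: a shell/awk filter that groups AVC denials by source type, permission and target type, so that denials like the two described above can be read as labelling problems instead of being fed straight to audit2allow. The audit records are constructed, and the usr_t and var_lib_t target types are assumptions about how the awstats paths were labelled.

```shell
#!/bin/sh
# Added example: summarise AVC denials by source type, permission and target type.

# Constructed audit records, not taken from the bug report. The usr_t and
# var_lib_t target types are assumed labels for the awstats paths.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1213905607.101:412): avc:  denied  { execute } for  pid=2817 comm="httpd" name="awstats.pl" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1213905607.101:412): arch=40000003 syscall=11 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1213905609.554:415): avc:  denied  { read } for  pid=2901 comm="awstats.pl" name="awstats062008.txt" dev=dm-0 ino=163902 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1213905611.020:419): avc:  denied  { read } for  pid=2907 comm="awstats.pl" name="awstats062008.txt" dev=dm-0 ino=163902 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print one line per distinct denial:
#   count source_type perms tclass target_type name hint
avc_summary() {
    awk '
    function val(key,   i, v) {          # value of key=... in this record
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2); gsub(/"/, "", v); return v
            }
        return "?"
    }
    # SELinux contexts are user:role:type:level; return the type.
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }
    /^type=AVC / && / denied / {
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 2, b - a - 3); gsub(/ /, ",", perms)
        ttype = setype(val("tcontext"))
        # Heuristic (an assumption of this example): a target type outside
        # httpd_* suggests relabelling the file, not adding an allow rule.
        hint = (ttype ~ /^httpd_/) ? "policy" : "relabel"
        key = setype(val("scontext")) " " perms " " val("tclass")
        n[key " " ttype " " val("name") " " hint]++
    }
    END { for (k in n) print n[k], k }' | sort
}

sample_avc | avc_summary
```

On a real system the input would come from the audit log instead of sample_avc; file names containing spaces are not handled by this field-based parser.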

Comment 1 Tim Jackson 2008-07-13 11:56:31 UTC
Do you have awstats-selinux installed?

Comment 2 Ray Van Dolson 2008-07-13 15:07:08 UTC
Nope!  D'oh.  I had no idea that existed.

Maybe a mention of this package in a README.Fedora in the awstats package would
be nice?  I know I did a grep -i selinux /usr/share/doc/awstats-version/*, but
really I have no excuse for not doing a yum search awstats where I woulda found
it right away. :-(

PS: Do we really need to use httpd_sys_script_rw_t on /var/lib/awstats instead
of just httpd_sys_script_ro_t?  I've been using the ro version up until now
without issue.

Thanks and feel free to close this CLUELESSUSER :-)

Comment 3 Tim Jackson 2008-07-30 19:44:22 UTC
Not your fault, it's not that obvious. I will look at adding a doc.

