On October 25, 2012 09:28:21 Daniel J Walsh wrote:
# semodule -l|grep awstat
awstats 1.2.0
It works quite well for me, I had to add one rule:
domtrans_pattern(logrotate_t, awstats_exec_t, awstats_t)
because I want logrotate to call awstat before it rotates apache log files.
Regards, Vadym
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Current policy in F17/F18/RHEL7 Beta has
awstats_domtrans(logrotate_t)
We will back port to RHEL6.
Since we're on the subject of awstats...
AWstats has an option of "purging" log files which breaks (and probably rightly so) with default setup. I had to pop
module awstats-httpd-logs 1.1;

require {
    type httpd_log_t;
    type awstats_t;
    class file write;
}

#============= awstats_t ==============
allow awstats_t httpd_log_t:file write;
module into the setup. However, given that we're dealing with a "Standard function" of AWStats, it would be nice to wrap it in a conditional and throw it in base policy.
Which really raises a question: should base policies (and modules) cover all aspects of "normal"/"legitimate" functionality of applications "out-of-the-box" or shall we expect it to cover only a subset? Is it SELinux's group role to suggest "insecure" practices that will not be covered by policies and probably should be discouraged irregardless of SELinux state (on or off)?
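
The conditional wrapping suggested in the last message could look like the module below. It is an added example, not code from the thread or from the Fedora/RHEL policy; the module name awstats_purge and the boolean awstats_purge_logs are hypothetical, and the rule is the one posted above, unchanged.

```selinux
# awstats_purge.te: hypothetical module name (added example)
module awstats_purge 1.0;

require {
    type awstats_t;
    type httpd_log_t;
    class file write;
}

# Hypothetical boolean. It defaults to off, so installing the module
# grants nothing until an administrator opts in.
bool awstats_purge_logs false;

# Same allow rule as the module posted in the thread, now gated on the boolean.
if (awstats_purge_logs) {
    allow awstats_t httpd_log_t:file write;
}

# Build, install and enable:
#   checkmodule -M -m -o awstats_purge.mod awstats_purge.te
#   semodule_package -o awstats_purge.pp -m awstats_purge.mod
#   semodule -i awstats_purge.pp
#   setsebool -P awstats_purge_logs on
```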