Did anyone get awstats "Update now" button to work?
For me, awstats does not have permissions to access /tmp for locking (if enabled) and/or to open /var/log/httpd/access_log file in attempts to update the awstats data.
I am running selinux, but not certain it is an selinux issue...
does it work in permissive mode?
if so then do you see avc denials, can you enclose them?
On Tue, 2012-10-23 at 13:19 -0700, Dan Thurman wrote:
Did anyone get awstats "Update now" button to work?
For me, awstats does not have permissions to access /tmp for locking (if enabled) and/or to open /var/log/httpd/access_log file in attempts to update the awstats data.
I am running selinux, but not certain it is an selinux issue...
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 10/23/2012 01:31 PM, Dominick Grift wrote:
does it work in permissive mode?
if so then do you see avc denials, can you enclose them?
Clicking 'Update now' I get: {setenforce 0 or 1 flags AVC denials & setroubleshooter.}
1) AWStats config file: EnableLockForUpdate=1
Error: Failed to create lock file /tmp/awstats.<mydomain>.lock
================================================================
Summary:
SELinux is preventing /usr/bin/perl "write" access on /tmp.
Detailed Description:
SELinux denied access requested by awstats.pl. It is not expected that this access is required by awstats.pl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context                unconfined_u:system_r:httpd_awstats_script_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp [ dir ]
Source                        awstats.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <mydomain>
Source RPM Packages           perl-5.10.1-123.fc13
Target RPM Packages           filesystem-2.4.31-1.fc13
Policy RPM                    selinux-policy-3.7.19-101.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     <mydomain>
Platform                      Linux <mydomain> 2.6.34.9-69.fc13.i686 #1 SMP Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Tue 23 Oct 2012 12:31:25 PM PDT
Last Seen                     Tue 23 Oct 2012 02:18:38 PM PDT
Local ID                      26bf7878-8dca-48c3-991e-13d87a87256c
Line Numbers
Raw Audit Messages
node=<mydomain> type=AVC msg=audit(1351027118.95:3168): avc: denied { write } for pid=28438 comm="awstats.pl" name="tmp" dev=sda8 ino=1835010 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=<mydomain> type=SYSCALL msg=audit(1351027118.95:3168): arch=40000003 syscall=5 success=no exit=-13 a0=9e6a808 a1=8241 a2=1b6 a3=0 items=0 ppid=20402 pid=28438 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=2 comm="awstats.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_awstats_script_t:s0 key=(null)
================================================================
2) AWStats config file: EnableLockForUpdate=0
Error: Couldn't open server log file "/var/log/httpd/access_log" : Permission denied *Setup ('/etc/awstats/awstats.mydomain.conf' file, web server or permissions) may be wrong.* Check config file, permissions and AWStats documentation (in 'docs' directory).
================================================================
Summary:
SELinux is preventing /usr/bin/perl from using potentially mislabeled files /var/log/httpd/access_log.
Detailed Description:
SELinux has denied the awstats.pl access to potentially mislabeled files /var/log/httpd/access_log. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, etc_t, fonts_t, fonts_cache_t, ld_so_t, httpd_awstats_content_t, ld_so_cache_t, shell_exec_t, configfile, httpd_awstats_script_t, abrt_var_run_t, public_content_t, sysctl_crypto_t, abrt_t, lib_t, application_exec_type, exec_type, afs_cache_t, awstats_var_lib_t, abrt_helper_exec_t, chroot_exec_t, httpd_awstats_script_exec_t, public_content_rw_t, ld_so_t, bin_t, lib_t, textrel_shlib_t, rpm_script_tmp_t, locale_t, proc_t, etc_runtime_t, lib_t, usr_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /var/log/httpd/access_log so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/var/log/httpd/access_log'. where FILE_TYPE is one of the following: httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, etc_t, fonts_t, fonts_cache_t, ld_so_t, httpd_awstats_content_t, ld_so_cache_t, shell_exec_t, configfile, httpd_awstats_script_t, abrt_var_run_t, public_content_t, sysctl_crypto_t, abrt_t, lib_t, application_exec_type, exec_type, afs_cache_t, awstats_var_lib_t, abrt_helper_exec_t, chroot_exec_t, httpd_awstats_script_exec_t, public_content_rw_t, ld_so_t, bin_t, lib_t, textrel_shlib_t, rpm_script_tmp_t, locale_t, proc_t, etc_runtime_t, lib_t, usr_t. You can look at the httpd_selinux man page for additional information.
Additional Information:
Source Context                unconfined_u:system_r:httpd_awstats_script_t:s0
Target Context                system_u:object_r:httpd_log_t:s0
Target Objects                /var/log/httpd/access_log [ file ]
Source                        awstats.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <MyDomain>
Source RPM Packages           perl-5.10.1-123.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-101.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     <MyDomain>
Platform                      Linux <MyDomain> 2.6.34.9-69.fc13.i686 #1 SMP Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Tue 23 Oct 2012 12:59:57 PM PDT
Last Seen                     Tue 23 Oct 2012 12:59:57 PM PDT
Local ID                      fbfdf21d-9107-4c18-9045-1e99fc58d39c
Line Numbers
Raw Audit Messages
node=<MyDomain> type=AVC msg=audit(1351022397.831:2991): avc: denied { read } for pid=20931 comm="awstats.pl" name="access_log" dev=sda8 ino=6211707 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
node=<MyDomain> type=SYSCALL msg=audit(1351022397.831:2991): arch=40000003 syscall=5 success=no exit=-13 a0=98ebf08 a1=8000 a2=0 a3=0 items=0 ppid=20396 pid=20931 auid=500 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=2 comm="awstats.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_awstats_script_t:s0 key=(null)
================================================================
On 10/23/2012 04:19 PM, Dan Thurman wrote:
Did anyone get awstats "Update now" button to work?
For me, awstats does not have permissions to access /tmp for locking (if enabled) and/or to open /var/log/httpd/access_log file in attempts to update the awstats data.
I am running selinux, but not certain it is an selinux issue...
Are you seeing any AVC messages?
On 10/24/2012 07:49 AM, Dan Thurman wrote:
On 10/24/2012 06:30 AM, Daniel J Walsh wrote:
Are you seeing any AVC messages?
Yes. I thought I provided the AVC logs in the previous posting, unless there is something else you require
Just in case you require the data from the audit logs directly. These AVC denials are generated only when the 'Update now' link is clicked.
# ===============================================================
# The following is generated when awstats.pl tries to create a lock on /tmp/awstat.<MyDomain>.lock
# ONLY if the awstat config parameter EnableLockForUpdate=1 thus generates an AVC denial
# and blocks Awstats update:
type=AVC msg=audit(1351027118.095:3168): avc: denied { write } for pid=28438 comm="awstats.pl" name="tmp" dev=sda8 ino=1835010 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
# ===============================================================
# The following is generated when awstats.pl tries to access /var/log/access_log
# when EnableLockForUpdate=0 which means the lock code is bypassed but the
# next code step generates an AVC denial and blocks Awstats updates:
type=AVC msg=audit(1351022397.831:2991): avc: denied { read } for pid=20931 comm="awstats.pl" name="access_log" dev=sda8 ino=6211707 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
# ===============================================================
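The two raw AVC records above, translated into the allow rules they imply. This is an added example, not a tool from the thread: a minimal audit2allow-style filter in POSIX shell, plus a second check that flags rules whose target is a shared generic type such as tmp_t (the /tmp lock-file case Dan describes), since an allow rule on tmp_t:dir reaches every object of that type, not just one lock file. The sample records are the two denials posted above; the function names are my own.

```shell
#!/bin/sh
# Added example: translate AVC denial records into candidate allow rules so
# they can be read and judged before anyone loads a local policy module.
# SAMPLE_AVC holds the two records Dan Thurman posted for awstats.pl.

SAMPLE_AVC='type=AVC msg=audit(1351027118.095:3168): avc: denied { write } for pid=28438 comm="awstats.pl" name="tmp" dev=sda8 ino=1835010 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1351022397.831:2991): avc: denied { read } for pid=20931 comm="awstats.pl" name="access_log" dev=sda8 ino=6211707 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin, print one allow rule per distinct
# (source type, target type, class, permission set). Only the type field of
# each context is kept: user, role and MLS level do not appear in an allow rule.
avc_to_allow() {
    grep 'avc: *denied' | sed -n \
        's/.*denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 { \1};/p' \
        | sort -u
}

# shared_target_rules: of the rules above, list those aimed at a generic type
# shared by many unrelated objects (/tmp itself is tmp_t). Granting a web
# script write on tmp_t:dir is far wider than one lock file; a private tmp
# type or a dedicated lock directory is the narrower fix.
shared_target_rules() {
    avc_to_allow | grep -E '^allow [a-z_]+ (tmp_t|var_t|usr_t|etc_t):'
}

main() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
    echo '--- rules that touch shared generic types:'
    printf '%s\n' "$SAMPLE_AVC" | shared_target_rules || echo '(none)'
}

main "$@"
```

On a live host the same filter takes `ausearch -m AVC -ts recent` on stdin instead of the constructed sample.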
On 10/24/2012 11:20 AM, Dan Thurman wrote:
On 10/24/2012 07:49 AM, Dan Thurman wrote:
On 10/24/2012 06:30 AM, Daniel J Walsh wrote:
Are you seeing any AVC messages?
Yes. I thought I provided the AVC logs in the previous posting, unless there is something else you require
Just in case you require the data from the audit logs directly. These AVC denials are generated only when the 'Update now' link is clicked.
# ===============================================================
# The following is generated when awstats.pl tries to create a lock on /tmp/awstat.<MyDomain>.lock
# ONLY if the awstat config parameter EnableLockForUpdate=1 thus generates an AVC denial
# and blocks Awstats update:
type=AVC msg=audit(1351027118.095:3168): avc: denied { write } for pid=28438 comm="awstats.pl" name="tmp" dev=sda8 ino=1835010 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Thanks, Any reason this is creating the lock file in /tmp? It seems to be creating a guessable name, is this your local customization or the default?
# ===============================================================
# The following is generated when awstats.pl tries to access /var/log/access_log
# when EnableLockForUpdate=0 which means the lock code is bypassed but the
# next code step generates an AVC denial and blocks Awstats updates:
type=AVC msg=audit(1351022397.831:2991): avc: denied { read } for pid=20931 comm="awstats.pl" name="access_log" dev=sda8 ino=6211707 scontext=unconfined_u:system_r:httpd_awstats_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
# ===============================================================
Is awstats supposed to read the access_log?
On Oct 24, 2012, at 4:10 PM, Dan Thurman wrote:
On 10/24/2012 11:05 AM, Daniel J Walsh wrote:
Is awstats supposed to read the access_log?
Yes. Awstats needs to read the access_log file so as to obtain new records in order to update its own database.
Do you have the standard awstats RPM or have you installed it manually? selinux-policy-targeted has an awstats module:
# semodule -l|grep awstat
awstats 1.2.0
It works quite well for me, I had to add one rule:
domtrans_pattern(logrotate_t, awstats_exec_t, awstats_t)
because I want logrotate to call awstat before it rotates apache log files.
Regards, Vadym
On 10/24/2012 04:20 PM, Vadym Chepkov wrote:
On Oct 24, 2012, at 4:10 PM, Dan Thurman wrote:
On 10/24/2012 11:05 AM, Daniel J Walsh wrote:
Is awstats supposed to read the access_log?
Yes. Awstats needs to read the access_log file so as to obtain new records in order to update its own database.
Do you have the standard awstats RPM or have you installed it manually? selinux-policy-targeted has an awstats module:
# semodule -l|grep awstat
awstats 1.2.0
It works quite well for me, I had to add one rule:
domtrans_pattern(logrotate_t, awstats_exec_t, awstats_t)
because I want logrotate to call awstat before it rotates apache log files.
Regards, Vadym
Current policy in F17/F18/RHEL7 Beta has
awstats_domtrans(logrotate_t)
We will back port to RHEL6.
On Oct 25, 2012, at 9:28 AM, Daniel J Walsh wrote:
On 10/24/2012 04:20 PM, Vadym Chepkov wrote:
On Oct 24, 2012, at 4:10 PM, Dan Thurman wrote:
On 10/24/2012 11:05 AM, Daniel J Walsh wrote:
Is awstats supposed to read the access_log?
Yes. Awstats needs to read the access_log file so as to obtain new records in order to update its own database.
Do you have the standard awstats RPM or have you installed it manually? selinux-policy-targeted has an awstats module:
# semodule -l|grep awstat
awstats 1.2.0
It works quite well for me, I had to add one rule:
domtrans_pattern(logrotate_t, awstats_exec_t, awstats_t)
because I want logrotate to call awstat before it rotates apache log files.
Regards, Vadym
Current policy in F17/F18/RHEL7 Beta has
awstats_domtrans(logrotate_t)
We will back port to RHEL6.
Just curious, is there a way to find "duplicates" or "redundancy" in my local modules? For instance, when this patch finds its way into RHEL6, I will have this domain transition definition twice - in the system module and in mine. How would I find those duplicates to clean them up?
On a related note, does selinux policy have public read-only repository access? It would be a very valuable learning tool.
Thanks, Vadym
On Thu, 2012-10-25 at 10:29 -0400, Vadym Chepkov wrote:
On Oct 25, 2012, at 9:28 AM, Daniel J Walsh wrote:
On 10/24/2012 04:20 PM, Vadym Chepkov wrote:
On Oct 24, 2012, at 4:10 PM, Dan Thurman wrote:
On 10/24/2012 11:05 AM, Daniel J Walsh wrote:
Is awstats supposed to read the access_log?
Yes. Awstats needs to read the access_log file so as to obtain new records in order to update its own database.
Do you have the standard awstats RPM or have you installed it manually? selinux-policy-targeted has an awstats module:
# semodule -l|grep awstat
awstats 1.2.0
It works quite well for me, I had to add one rule:
domtrans_pattern(logrotate_t, awstats_exec_t, awstats_t)
because I want logrotate to call awstat before it rotates apache log files.
Regards, Vadym
Current policy in F17/F18/RHEL7 Beta has
awstats_domtrans(logrotate_t)
We will back port to RHEL6.
Just curious, is there a way to find "duplicates" or "redundancy" in my local modules? For instance, when this patch finds its way into RHEL6, I will have this domain transition definition twice - in the system module and in mine. How would I find those duplicates to clean them up?
by comparing your local source policy module to the deployed policy source
On a related note, does selinux policy have public read-only repository access? It would be a very valuable learning tool.
http://git.fedorahosted.org/cgit/selinux-policy.git/
Thanks, Vadym
On October 25, 2012 09:28:21 Daniel J Walsh wrote:
# semodule -l|grep awstat
awstats 1.2.0
It works quite well for me, I had to add one rule:
domtrans_pattern(logrotate_t, awstats_exec_t, awstats_t)
because I want logrotate to call awstat before it rotates apache log files.
Regards, Vadym
Current policy in F17/F18/RHEL7 Beta has
awstats_domtrans(logrotate_t)
We will back port to RHEL6.
since we're on the subject of awstats...
AWStats has an option of "purging" log files which breaks (and probably rightly so) with the default setup. I had to pop
module awstats-httpd-logs 1.1;

require {
        type httpd_log_t;
        type awstats_t;
        class file write;
}

#============= awstats_t ==============
allow awstats_t httpd_log_t:file write;
module into the setup. However given that we're dealing with "Standard function" of AWStats it would be nice to wrap it in conditional and throw in base policy.
Which really raises a question: should base policies (and modules) cover all aspects of "normal"/"legitimate" functionality of applications "out-of-the-box" or shall we expect them to cover only a subset? Is it the SELinux group's role to suggest "insecure" practices that will not be covered by policies and probably should be discouraged regardless of SELinux state (on or off)?
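Dmitry's one-rule module above, rewritten so the write access sits behind a boolean and stays off until an administrator turns it on. This is an added example, not Dmitry's module and not anything shipped in selinux-policy; the module name, the boolean name and the small lint function are my own choices, and only the build step at the end touches the SELinux tools.

```shell
#!/bin/sh
# Added example: wrap the awstats_t -> httpd_log_t write rule in a boolean.
# MODULE_NAME and BOOL_NAME are assumed names, not stock Fedora identifiers.
MODULE_NAME=awstats_httpd_logs
BOOL_NAME=awstats_purge_httpd_logs

# Dmitry's original module as posted, kept here as a constructed sample so the
# lint below can show the difference between the two versions.
DMITRY_MODULE='module awstats-httpd-logs 1.1;

require {
    type httpd_log_t;
    type awstats_t;
    class file write;
}

#============= awstats_t ==============
allow awstats_t httpd_log_t:file write;'

# gen_bool_module: emit a .te where the declarations stay unconditional and
# the allow rule lives inside an if-block keyed on a boolean that defaults off.
gen_bool_module() {
    cat <<EOF
module $MODULE_NAME 1.2;

require {
    type awstats_t;
    type httpd_log_t;
    class file write;
}

# Off by default: reading httpd logs is already in the stock awstats policy;
# truncating ("purging") them needs write, which only this boolean grants.
bool $BOOL_NAME false;

if ($BOOL_NAME) {
    allow awstats_t httpd_log_t:file write;
}
EOF
}

# unconditional_allows: read a .te on stdin and count allow rules that are
# not inside an if-block, a quick check before loading any local module.
unconditional_allows() {
    awk '
        /^if \(/                     { depth++ }
        /^}/ && depth > 0            { depth--; next }
        /^[[:space:]]*allow /        { if (depth == 0) n++ }
        END                          { print n + 0 }'
}

# install_bool_module: build and load the module; only works where the
# SELinux toolchain is installed. Enabling the boolean is a separate,
# per-host decision: setsebool -P $BOOL_NAME on
install_bool_module() {
    command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not found" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    gen_bool_module > "$tmp/$MODULE_NAME.te"
    checkmodule -M -m -o "$tmp/$MODULE_NAME.mod" "$tmp/$MODULE_NAME.te" &&
    semodule_package -o "$tmp/$MODULE_NAME.pp" -m "$tmp/$MODULE_NAME.mod" &&
    semodule -i "$tmp/$MODULE_NAME.pp"
}
```

Running `gen_bool_module | unconditional_allows` prints 0, while the original module as posted prints 1: the rule is still there, but it no longer applies until the boolean is set.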
On Tue, 2012-10-30 at 13:30 -0600, Dmitry Makovey wrote:
allow awstats_t httpd_log_t:file write;
module into the setup. However given that we're dealing with "Standard function" of AWStats it would be nice to wrap it in conditional and throw in base policy.
Which really raises a question: should base policies (and modules) cover all aspects of "normal"/"legitimate" functionality of applications "out-of-the-box" or shall we expect them to cover only a subset? Is it the SELinux group's role to suggest "insecure" practices that will not be covered by policies and probably should be discouraged regardless of SELinux state (on or off)?
In my view ideally it should be transparent but in practice SELinux is also used to block "functionality" sometimes
A boolean for the above should be fine in my view
-- Dmitry Makovey Web Systems Administrator Athabasca University (780) 675-6245
Confidence is what you have before you understand the problem Woody Allen
When in trouble when in doubt run in circles scream and shout http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
On October 30, 2012 20:45:37 Dominick Grift wrote:
On Tue, 2012-10-30 at 13:30 -0600, Dmitry Makovey wrote:
allow awstats_t httpd_log_t:file write;
module into the setup. However given that we're dealing with "Standard function" of AWStats it would be nice to wrap it in conditional and throw in base policy.
Which really raises a question: should base policies (and modules) cover all aspects of "normal"/"legitimate" functionality of applications "out-of-the-box" or shall we expect them to cover only a subset? Is it the SELinux group's role to suggest "insecure" practices that will not be covered by policies and probably should be discouraged regardless of SELinux state (on or off)?
In my view ideally it should be transparent but in practice SELinux is also used to block "functionality" sometimes
A boolean for the above should be fine in my view
should I drop a request in RH bugzilla?
On Tue, 2012-10-30 at 16:14 -0600, Dmitry Makovey wrote:
On October 30, 2012 20:45:37 Dominick Grift wrote:
On Tue, 2012-10-30 at 13:30 -0600, Dmitry Makovey wrote:
allow awstats_t httpd_log_t:file write;
module into the setup. However given that we're dealing with "Standard function" of AWStats it would be nice to wrap it in conditional and throw in base policy.
Which really raises a question: should base policies (and modules) cover all aspects of "normal"/"legitimate" functionality of applications "out-of-the-box" or shall we expect them to cover only a subset? Is it the SELinux group's role to suggest "insecure" practices that will not be covered by policies and probably should be discouraged regardless of SELinux state (on or off)?
In my view ideally it should be transparent but in practice SELinux is also used to block "functionality" sometimes
A boolean for the above should be fine in my view
should I drop a request in RH bugzilla?
If you want that feature to be available to the public then sure. It can't hurt to ask for a feature
On October 30, 2012 16:14:10 Dmitry Makovey wrote:
Which really raises a question: should base policies (and modules) cover all aspects of "normal"/"legitimate" functionality of applications "out-of-the-box" or shall we expect them to cover only a subset? Is it the SELinux group's role to suggest "insecure" practices that will not be covered by policies and probably should be discouraged regardless of SELinux state (on or off)?
In my view ideally it should be transparent but in practice SELinux is also used to block "functionality" sometimes
A boolean for the above should be fine in my view
should I drop a request in RH bugzilla?
For continuity, and FYI:
https://bugzilla.redhat.com/show_bug.cgi?id=872345
On 10/24/2012 04:10 PM, Dan Thurman wrote:
On 10/24/2012 11:05 AM, Daniel J Walsh wrote:
Is awstats supposed to read the access_log?
Yes. Awstats needs to read the access_log file so as to obtain new records in order to update its own database.
Added Fixes for selinux-policy-3.11.1-44.fc18
Will get them back ported to F17 and RHEL6.
On 10/25/2012 05:40 AM, Daniel J Walsh wrote:
On 10/24/2012 04:10 PM, Dan Thurman wrote:
On 10/24/2012 11:05 AM, Daniel J Walsh wrote:
Is awstats supposed to read the access_log?
Yes. Awstats needs to read the access_log file so as to obtain new records in order to update its own database.
Added Fixes for selinux-policy-3.11.1-44.fc18
Will get them back ported to F17 and RHEL6.
Please ensure that awstats also needs permission to write in /tmp for file locking and for security relating to DDoS attacks.
I am running F13, so can I have a fix (manual or otherwise) please?
Thanks!
On 10/25/2012 09:26 AM, Dan Thurman wrote:
On 10/25/2012 05:40 AM, Daniel J Walsh wrote:
On 10/24/2012 04:10 PM, Dan Thurman wrote:
On 10/24/2012 11:05 AM, Daniel J Walsh wrote:
Is awstats supposed to read the access_log?
Yes. Awstats needs to read the access_log file so as to obtain new records in order to update its own database.
Added Fixes for selinux-policy-3.11.1-44.fc18
Will get them back ported to F17 and RHEL6.
Please ensure that awstats also needs permission to write in /tmp for file locking and for security relating to DDoS attacks.
I am running F13, so can I have a fix (manual or otherwise) please?
Thanks!
That is one of the fixes. Although you should update to an OS about 4 levels newer ...