Bug 1009379

Summary: awstat's hourly job is NOT working when SELinux is enabled
Product: [Fedora] Fedora Reporter: Peter Hanecak <hany>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 19CC: casper, dominick.grift, dwalsh, hany, kvolny, liboska, lvrabec, mgrepl, mike, mikhail.kalenkov, plautrba, rpm
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-12 15:46:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
whole set of denial messagws from one unsucesfull awststs cron job with dontaudit disabled
none
Output from grep command none

Description Peter Hanecak 2013-09-18 10:17:22 UTC 
Description of problem:

I've installed AWStats to have some basic stats for the Apache webserver. CGI GUI is working but the statistics data is NOT updated nor any error is observed in logs.

/etc/cron.hourly/awstats is redirecting output to /dev/null .

When statistics updated is launched manually as root:

/usr/share/awstats/tools/awstats_updateall.pl now -configdir="/etc/awstats" -awstatsprog="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl"

statistic data is properly updated.

When I removed the /dev/null redirect, following was reported:

Running '"/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" -update -config=localhost.localdomain -configdir="/etc/awstats"' to update config localhost.localdomain
Error: AWStats database directory defined in config file by 'DirData' parameter (/var/lib/awstats) does not exist or is not writable.
Setup ('/etc/awstats/awstats.localhost.localdomain.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).


Version-Release number of selected component (if applicable):

awstats-7.1.1-2.fc19.noarch
selinux-policy-targeted-3.12.1-74.3.fc19.noarch


How reproducible:

Always.


Steps to Reproduce:
1. Install AWStats o the server.
2. Visit the website on the server at least once.
3. Wait for AWStats' hourly job to run.
4. Check AWStats' GUI and see if your visit from step 2 is reported.

Actual results:

Visit from step 2 (not any other) is NOT reported.


Expected results:

Visit from step 2 (and all others) IS reported.


Additional info:
Comment 1 Miroslav Grepl 2013-09-20 09:02:46 UTC 
Are you getting AVC msgs?

# ausearch -m avc
Comment 2 Peter Hanecak 2013-09-20 12:51:49 UTC 
No.

I do have some denials related to Munin, but no messages from awstats or cron.
Comment 3 Karel Volný 2013-09-24 15:32:46 UTC 
so ... what leads you into believing SELinux is the culprit here? does it work for you with selinux off?

btw, I've filed bug #1011599 for the logging issue
Comment 4 Peter Hanecak 2013-09-24 22:02:19 UTC 
(In reply to Karel Volný from comment #3)
> so ... what leads you into believing SELinux is the culprit here? does it
> work for you with selinux off?

Good question. It was a "theory" based on observing different results between "running manually" and "running as cronjob", remembering vaguely from the past that such behaviour was often caused by SElinux (different context for interactive session compared to cron deamon's context).

Plus message "Error: AWStats database directory defined in config file by 'DirData' parameter (/var/lib/awstats) does not exist or is not writable." also gave a clue as, when manually investigating:

a) directory clearly exists

b) is writable by root

c) hourly cron job is running (as far as I know) as root


To verify, I've disabled SElinux for one hour using `setenforce permissive`.

awstats is supposed to update stat data in /var/lib/awstats . Before, the data was not updated by cron job. With SElinux set to permissive mode, awstats update was successful and file in awstats got updated. With SElinux in full force again (`setenforce enforcing`), updates stopped working.

> btw, I've filed bug #1011599 for the logging issue

Thank you.
Comment 5 Karel Volný 2013-09-25 13:11:52 UTC 
thanks for testing

I did a different test and I have found that adding "touch /var/lib/awstats/test" into the cron script works - touch is able to create the file from the cronjob while awstats.pl is denied

btw, note that there are also some PAM issues with cronie, see bug #995590

if this is a selinux problem, it seems that some dontaudit rule hides it (have I already said that dontaudit is evil, evil, evil?)

according to http://danwalsh.livejournal.com/11673.html one possibility to disable dontaudit rules is to run

# semodule -DB

so ... after doing that, the denial should be visible in logs and so we can see what exactly goes wrong
Comment 6 Peter Hanecak 2013-09-25 14:13:58 UTC 
(In reply to Karel Volný from comment #5)
> thanks for testing
> 
> I did a different test and I have found that adding "touch
> /var/lib/awstats/test" into the cron script works - touch is able to create
> the file from the cronjob while awstats.pl is denied
> 
> btw, note that there are also some PAM issues with cronie, see bug #995590

I have cronie-1.4.10-5.fc19.x86_64 installed. I leave this at that for now ... see below.

> if this is a selinux problem, it seems that some dontaudit rule hides it
> (have I already said that dontaudit is evil, evil, evil?)

(+1) :)

> according to http://danwalsh.livejournal.com/11673.html one possibility to
> disable dontaudit rules is to run
> 
> # semodule -DB
> 
> so ... after doing that, the denial should be visible in logs and so we can
> see what exactly goes wrong

OK, I disabled dontaudit and here's what I got from one (still unsuccessful) run of awstats job:

type=SYSCALL msg=audit(1380117661.374:55768): arch=c000003e syscall=2 success=no exit=-13 a0=368e97c4af a1=80000 a2=1b6 a3=0 items=0 ppid=6846 pid=6848 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2327 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
...

(see attached file for the whole output)
Comment 7 Peter Hanecak 2013-09-25 14:14:56 UTC 
Created attachment 802876 [details]
whole set of denial messagws from one unsucesfull awststs cron job with dontaudit disabled
Comment 8 Karel Volný 2013-09-25 14:16:29 UTC 
ok, this is from my audit.log:

time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.242:188): arch=c000003e syscall=2 success=no exit=-13 a0=7f609f9754af a1=80000 a2=1b6 a3=7fffa31400a0 items=0 ppid=1266 pid=1267 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.242:188): avc:  denied  { read } for  pid=1267 comm="sh" name="meminfo" dev="proc" ino=4026532027 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.242:189): arch=c000003e syscall=4 success=no exit=-13 a0=261b040 a1=7fffa31400f0 a2=7fffa31400f0 a3=7fffa313fea0 items=0 ppid=1266 pid=1267 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.242:189): avc:  denied  { getattr } for  pid=1267 comm="sh" path="/root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.242:190): arch=c000003e syscall=4 success=no exit=-13 a0=4a7ef7 a1=7fffa3140190 a2=7fffa3140190 a3=7fffa313ff00 items=0 ppid=1266 pid=1267 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.242:190): avc:  denied  { search } for  pid=1267 comm="sh" name="root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.270:191): arch=c000003e syscall=4 success=no exit=-13 a0=151da20 a1=7fff059211a0 a2=7fff059211a0 a3=0 items=0 ppid=1267 pid=1268 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="awstats.pl" exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.270:191): avc:  denied  { search } for  pid=1268 comm="awstats.pl" name="root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.270:192): arch=c000003e syscall=4 success=no exit=-13 a0=1497a40 a1=7fff059210f0 a2=7fff059210f0 a3=0 items=0 ppid=1267 pid=1268 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="awstats.pl" exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.270:192): avc:  denied  { search } for  pid=1268 comm="awstats.pl" name="root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.390:193): arch=c000003e syscall=4 success=no exit=-13 a0=14492f0 a1=12c6138 a2=12c6138 a3=0 items=0 ppid=1267 pid=1268 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="awstats.pl" exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.390:193): avc:  denied  { search } for  pid=1268 comm="awstats.pl" name="lib" dev="sda3" ino=269 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.394:194): arch=c000003e syscall=2 success=no exit=-13 a0=7f69adc914af a1=80000 a2=1b6 a3=7fffad73a3f0 items=0 ppid=1266 pid=1269 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.394:194): avc:  denied  { read } for  pid=1269 comm="sh" name="meminfo" dev="proc" ino=4026532027 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.395:195): arch=c000003e syscall=4 success=no exit=-13 a0=7f2040 a1=7fffad73a440 a2=7fffad73a440 a3=7fffad73a1f0 items=0 ppid=1266 pid=1269 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.395:195): avc:  denied  { getattr } for  pid=1269 comm="sh" path="/root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.395:196): arch=c000003e syscall=4 success=no exit=-13 a0=4a7ef7 a1=7fffad73a4e0 a2=7fffad73a4e0 a3=7fffad73a250 items=0 ppid=1266 pid=1269 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.395:196): avc:  denied  { search } for  pid=1269 comm="sh" name="root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.422:197): arch=c000003e syscall=4 success=no exit=-13 a0=1d8baf0 a1=7fffd6e1c060 a2=7fffd6e1c060 a3=0 items=0 ppid=1269 pid=1270 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="awstats.pl" exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.422:197): avc:  denied  { search } for  pid=1270 comm="awstats.pl" name="root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.422:198): arch=c000003e syscall=4 success=no exit=-13 a0=1d05be0 a1=7fffd6e1bfb0 a2=7fffd6e1bfb0 a3=0 items=0 ppid=1269 pid=1270 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="awstats.pl" exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.422:198): avc:  denied  { search } for  pid=1270 comm="awstats.pl" name="root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.544:199): arch=c000003e syscall=4 success=no exit=-13 a0=1cd7ad0 a1=1b34138 a2=1b34138 a3=0 items=0 ppid=1269 pid=1270 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="awstats.pl" exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.544:199): avc:  denied  { search } for  pid=1270 comm="awstats.pl" name="lib" dev="sda3" ino=269 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.548:200): arch=c000003e syscall=2 success=no exit=-13 a0=7f0fca2ad4af a1=80000 a2=1b6 a3=7fff777aa0c0 items=0 ppid=1266 pid=1271 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.548:200): avc:  denied  { read } for  pid=1271 comm="sh" name="meminfo" dev="proc" ino=4026532027 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.548:201): arch=c000003e syscall=4 success=no exit=-13 a0=864040 a1=7fff777aa110 a2=7fff777aa110 a3=7fff777a9ec0 items=0 ppid=1266 pid=1271 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.548:201): avc:  denied  { getattr } for  pid=1271 comm="sh" path="/root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.548:202): arch=c000003e syscall=4 success=no exit=-13 a0=4a7ef7 a1=7fff777aa1b0 a2=7fff777aa1b0 a3=7fff777a9f20 items=0 ppid=1266 pid=1271 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.548:202): avc:  denied  { search } for  pid=1271 comm="sh" name="root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.576:203): arch=c000003e syscall=4 success=no exit=-13 a0=16c1af0 a1=7fff94f0d4a0 a2=7fff94f0d4a0 a3=0 items=0 ppid=1271 pid=1272 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="awstats.pl" exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.576:203): avc:  denied  { search } for  pid=1272 comm="awstats.pl" name="root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.576:204): arch=c000003e syscall=4 success=no exit=-13 a0=163bbe0 a1=7fff94f0d3f0 a2=7fff94f0d3f0 a3=0 items=0 ppid=1271 pid=1272 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="awstats.pl" exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.576:204): avc:  denied  { search } for  pid=1272 comm="awstats.pl" name="root" dev="sda3" ino=265 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Wed Sep 25 16:01:01 2013
type=SYSCALL msg=audit(1380117661.697:205): arch=c000003e syscall=4 success=no exit=-13 a0=160dad0 a1=146a138 a2=146a138 a3=0 items=0 ppid=1271 pid=1272 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=9 tty=(none) comm="awstats.pl" exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380117661.697:205): avc:  denied  { search } for  pid=1272 comm="awstats.pl" name="lib" dev="sda3" ino=269 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir



... WTH these are hidden rather than resolved? :-(
Comment 9 Miroslav Grepl 2013-09-30 15:10:04 UTC 
If you add a local policy from this AVC

type=AVC msg=audit(1380117661.697:205): avc:  denied  { search } for  pid=1272 comm="awstats.pl" name="lib" dev="sda3" ino=269 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

does it work?
Comment 10 Peter Hanecak 2013-10-02 13:01:38 UTC 
(In reply to Miroslav Grepl from comment #9)

> If you add a local policy from this AVC
> 
> type=AVC msg=audit(1380117661.697:205): avc:  denied  { search } for 
> pid=1272 comm="awstats.pl" name="lib" dev="sda3" ino=269
> scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> 
> does it work?

I've tried following:

cd /etc/selinux/targeted/modules/active/modules
grep awstat /var/log/audit/audit.log | grep "name..lib" | audit2allow -M awstatsfix
semodule -i awstatsfix.pp

and it failed with:

libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x646f6d0a (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/awstatsfix.te. (No such file or directory).
semodule:  Failed!



Additionaly I've tried also:

grep awstat /var/log/audit/audit.log | audit2allow -M awstatsfix
semodule -i awstatsfix.pp

and again failure:

libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x646f6d0a (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/awstatsfix.te. (No such file or directory).
semodule:  Failed!


Here my SElinux skills reached its peak so I'm not able to answer your question. :/
Comment 11 Mikhail Kalenkov 2014-01-06 10:28:13 UTC 
The same bug I observe on Fedora 20 fresh installation. 

I have www files in /srv/www directory. Some of them are owned by ordinary user.

Awstats worked fine in Fedora 18 and before. Starting with Fedora 19 awstats statistics is not updated from cron.
Comment 12 Matthieu Saulnier 2014-01-11 23:25:56 UTC 
Same problem on Fedora 19 server running:


kernel 3.12.6-200.fc19.x86_64
awstats-7.1.1-2.fc19.noarch
selinux-policy-targeted-3.12.1-74.16.fc19.noarch

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28


I've tried this and it works:


# semodule -DB
# ausearch -m avc -ts yesterday -te today
(when seeing output about awstats, rebuild the policy)
# semodule -B
# ausearch -m avc -ts yesterday -te today|grep awstats|grep AVC|grep -vE 'admin_home_t|proc_t' > avcawstats.txt
(see avcawstats.txt in attachment)
# cat avcawstats.txt | audit2allow -M awstats-cron-search-lib-fix
# semodule -i awstats-cron-search-lib-fix.pp


Then updates with cron works again
Thanks to you Peter, Miroslav and Karel for the temporary fix
Comment 13 Matthieu Saulnier 2014-01-11 23:29:31 UTC 
Created attachment 848773 [details]
Output from grep command
Comment 14 Peter Hanecak 2014-02-07 14:07:40 UTC 
Workaround:

a) login as root
b) crontab -e
c) put there following:

@hourly /usr/share/awstats/tools/awstats_updateall.pl now -configdir="/etc/awstats" -awstatsprog="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" >/dev/null

d) save
e) working as expected

(c) is essentially content of /etc/cron.hourly/awstats with "exec" stripped away.
Comment 15 Michael Cronenworth 2014-04-28 18:15:15 UTC 
Still occuring with selinux-policy-3.12.1-74.23.fc19.
Comment 16 Michael Cronenworth 2014-08-06 17:49:39 UTC 
Still occuring with selinux-policy-3.12.1-74.26.fc19.
Comment 17 Fedora End Of Life 2015-01-09 22:18:22 UTC 
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 18 Karel Volný 2015-01-12 13:13:30 UTC 
pls, can anyone retest and update the version eventually?

(I no longer have the original setup which led me to this bz)
Comment 19 Michael Cronenworth 2015-01-12 14:03:30 UTC 
F19 is still broken. F20+ is fixed.

Too late to do anything about F19.
Comment 20 Karel Volný 2015-01-12 15:46:47 UTC 
(In reply to Michael Cronenworth from comment #19)
> F20+ is fixed.

ok, so closing then, thanks

> Too late to do anything about F19.

not too late to run `fedora-upgrade` ;-)