Bug 1399501

Summary: Webalizer SELinux problem
Product: [Fedora] Fedora EPEL Reporter: Stanislav Studeny <studeny>
Component: webalizerAssignee: Sergio Basto <sergio>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: epel7CC: jcewing, jkaluza, jorton, lvrabec, mgrepl, mmalik, plautrba, pvrabec, sergio, ssekidde, studeny
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-20 16:50:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1393066    

Description Stanislav Studeny 2016-11-29 08:26:46 UTC 
Description of problem:
Webalizer automated cron job is not working and crashing with "Error: Can't change directory to /var/www/usage" when SELinux enabled. 

Files and directory are tagged correctly :
# ls -lZ /var/www | grep usage

drwxr-xr-x. webalizer webalizer system_u:object_r:webalizer_rw_content_t:s0 usage

# semanage fcontext -l | grep '/var/www' | grep 'usage'
/var/www/usage(/.*)?                               all files          system_u:object_r:webalizer_rw_content_t:s0


Version-Release number of selected component (if applicable):

semodule -l | grep webalizer

webalizer       1.13.0

How reproducible:
Install webalizer and enable cron job.

Additional info:

according to audit.log AVCs, audit2allow helped us to generate custom module with following content :

require {
        type webalizer_t;
        type webalizer_rw_content_t;
        class dir { write add_name };
        class file create;
        class file { write getattr open };
}

#============= webalizer_t ==============
allow webalizer_t webalizer_rw_content_t:file { write getattr open };
allow webalizer_t webalizer_rw_content_t:dir { write add_name };
allow webalizer_t webalizer_rw_content_t:file create;

I guess, that current webalizer module in version 1.13.0 is missing this rules.

Regards,
Stanislav
Comment 1 Milos Malik 2016-11-29 09:25:56 UTC 
Which version webalizer package did you use?
Comment 2 Stanislav Studeny 2016-11-29 09:30:39 UTC 
It is webalizer-2.23_08-1.el7
Comment 4 Joel C Ewing 2017-02-23 14:22:24 UTC 
See bug #1382785 under webalizer.  Obviously some better coordination between webalizer and selinux-policy support teams needed.  The obvious lack of such would explain why this particular problem has been around for years..

On my current f25 system  I don't see any allow rules at all for webalizer_rw_content_t, which as near as I can tell is only assigned to directory /var/www/usage and files/directories below that.   This is data intended to be served by apache httpd, so obviously httpd is going to require access, and possibly others that might be appropriate for /var/www data as well.   Those problems wouldn't have been reported because the only way currently to get webalizer running with selinux was to change /var/www/usage(/.*)? files to some other context before webalizer would even start from cron, so that change would have occurred before httpd had any data to serve. I know the webalizer web pages work with httpd plus from the webalizer_t domain if you manually assign /var/www/usage(/.*)? to httpd_sys_content_t, so those definitions are certainly sufficient although some of those might not be necessary.

See also the suggestion that there needs to be a file context rule for /etc/webalizer/(.+)  to assign webalizer_etc_t to files under the directory /etc/webalizer (but not the directory itself) to handle suggested customization practices for multiple webalizer runs under a single cron script.

I had naturally assumed (from 30+ years of mainframe experience including RACF) that surely the SELinux definitions relating to webalizer would either be supplied or driven from the webalizer side or at least done with their knowledge and input, but I think I'm beginning to grasp that at this stage it may still be selinux folks looking from the outside, making best guesses from external behavior what it may take for the application to work and writing all the definitions; and the webalizer folks don't even know they need to talk with you when a problem is encountered that is really an SELinux issue. 

From past experience, the webalizer-selinux issue with /var/www/usage was particulary insidious because webalizer first checked whether it would have write access (a question selinux-policy apparently allowed it to ask) and then baled out with an error without ever trying to write, so by default there was never any se alert, only an application error. and the problem always got reported as a webalizer issue.
Comment 5 Sergio Basto 2017-03-12 23:56:53 UTC 
Hi, 
What I can add to webalizer.spec ? 
I ** don't want understand how selinux works ** , I just want that you list me what we need to run on webalizer.spec: 

semanage fcontext -a -t webalizer_etc_t  '/etc/webalizer/(.+)'
restorecon -R -v /etc/webalizer/*

anything else ? please just send shells scripts, please .
Comment 6 Joel C Ewing 2017-03-13 03:20:36 UTC 
Sergio's Comment 5 comes from the context of webalizer bug #1382785  I'm the one who, as an affected user not a developer, tried to cross reference these two bugs together since they appear to be different parts of the same elephant.  My knowledge of what works as a circumvention comes from from my experience as a webalizer user and user of SELinux running with SELinux enabled.  I have no idea how cross-package issues are intended to be handled in the development arena when SELinux is involved, or what falls under the responsibility of those doing application package support versus those in SELinux support, or what is appropriate to include in an application package rpm spec file, or how to effect permanent changes in the selinux-policy package itself.

I am at this point inclined to guess/suspect that SELinux policy and SELinux file context "adjustments" may not be appropriate things to include in the webalizer package .spec file, but may more appropriately belong in selinux-policy package updates.

If that IS NOT correct, then webalizer support needs to be advised what they need to change in their package to correct their SELinux problem since they do not understand selinux.

If that IS correct, then selinux-policy needs to be updated to resolve these issues for a "permanent" fix of these webalizer SELinux issues, and the webalizer bug just needs to reference this bug and to indicate what commands can be used to provide a temporary manual circumvention until it is resolved by a future update to selinux-policy (or should that be selinux-policy-targeted -- not sure how all these selinux packages interrelate).

If people working with application package development have no understanding of how selinux issues can affect their package, or even who to communicate with to find how to resolve such issues, that is a problem.
Comment 7 Sergio Basto 2017-03-13 23:38:54 UTC 
(In reply to Joel C Ewing from comment #6)
OK , maybe Selinux team can help us , I suspect that webalizer problem also affect Fedora packages not just RHEL7 . The problem here maybe is that webalizer is not one RHEL package but one EPEL package , which is maintain by community of Fedora packagers, is not part of RHEL7 packages (IIRC is part of RHEL6).  
I disable selinux in all my machines, so it is hard to me test it , but I'd like support it, also may others distributions doesn't use selinux so I don't have any example ...
Comment 8 Joel C Ewing 2017-03-14 03:03:59 UTC 
Definitely affects Fedora systems and packages.  I am a Fedora user, not RHEL, currently on f25 and the problems under discussion have been around at least since f19.  

I understand there is a reluctance to embrace SELinux by long-term users of Linux -- my own son has been a Unix Sysadmin for several decades and has yet to enable selinux on his own home servers because he doesn't feel he has time to deal with any issues that change might cause.  

I on the other hand, having come from an IBM mainframe System Programmer and Security Administrator perspective, have used various flavors of Linux on my home machines for personal use for over 15 years, and finally settled on the Fedora distro precisely because it had SELinux.  As a mainframe security administrator, SELinux was appealing because it had the potential to overcome some of the more serious deficiencies of  Unix security, and because it is built around many concepts that have counterparts in the mainframe security world.
Comment 9 Lukas Vrabec 2017-03-21 16:15:02 UTC 
This bugzilla was triaged as "WONTFIX" by the SELinux team, due to third-party software component which can be fixed by component maintainer. To take advantage of Mandatory Access Control mechanism provided by SELinux, you (component maintainer) can ship custom SELinux policy as a subpackage of  the affected component. As a starting point you can use policy provided by selinux-policy package. For more details  about the custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.
Comment 10 Sergio Basto 2017-03-22 20:22:22 UTC 
Lukas Vrabec, Could you help ?  I won't fix it , because I don't user selinux neither have time to learn it .
Comment 11 Sergio Basto 2017-08-20 16:50:34 UTC 
duplicate is earlier bug

*** This bug has been marked as a duplicate of bug 1382785 ***