Bug 1520587
| Summary: | webalizer run by cron has issues with SELinux in /var/www/usage | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Vicente <vtorres> |
| Component: | webalizer | Assignee: | Sergio Basto <sergio> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 26 | CC: | jkaluza, jorton, sergio |
| Hardware: | x86_64 | ||
| OS: | Windows | ||
| Last Closed: | 2017-12-06 11:11:59 UTC | Type: | Bug |

*** This bug has been marked as a duplicate of bug 1382785 ***

Description of problem:
When webalizer is run as a cron job to analyze squid logs and generate the output in /var/www/usage, it does not work. If I change SELinux mode from enforcing to permissive, the cron job works as expected.

    type=AVC msg=audit(1512207246.463:220): avc: denied { write } for pid=1353 comm="webalizer" name="usage" dev="dm-0" ino=8464194 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1512207246.463:221): avc: denied { add_name } for pid=1353 comm="webalizer" name="daily_usage_201711.png" scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(1512207246.464:222): avc: denied { create } for pid=1353 comm="webalizer" name="daily_usage_201711.png" scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1512207246.464:223): avc: denied { write open } for pid=1353 comm="webalizer" path="/var/www/usage/daily_usage_201711.png" dev="dm-0" ino=8646205 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1512207246.464:224): avc: denied { getattr } for pid=1353 comm="webalizer" path="/var/www/usage/daily_usage_201711.png" dev="dm-0" ino=8646205 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1512293042.049:277): avc: denied { getattr } for pid=2045 comm="webalizer" path="/var/www/usage/usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1512293042.050:278): avc: denied { write } for pid=2045 comm="webalizer" name="usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1512293042.050:279): avc: denied { open } for pid=2045 comm="webalizer" path="/var/www/usage/usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1512379561.561:332): avc: denied { getattr } for pid=2775 comm="webalizer" path="/var/www/usage/usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1512379561.561:333): avc: denied { write } for pid=2775 comm="webalizer" name="usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
    type=AVC msg=audit(1512379561.562:334): avc: denied { open } for pid=2775 comm="webalizer" path="/var/www/usage/usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):

    Source RPM : webalizer-2.23_08-7.fc26.src.rpm
    Source RPM : selinux-policy-3.13.1-260.14.fc26.src.rpm
    Source RPM : squid-4.0.20-2.fc26.src.rpm
    Source RPM : httpd-2.4.29-1.fc26.src.rpm
    Source RPM : kernel-4.13.15-200.fc26.src.rpm

How reproducible:
100%

Steps to Reproduce:
1. Install and upgrade required packages with dnf:

    dnf upgrade
    dnf install squid
    dnf install webalizer

2. Configure services as needed (squid, httpd, webalizer)

    vi /etc/webalizer.conf
    #LogFile /var/log/httpd/access_log
    LogFile /var/log/squid/access.log
    LogType squid

3. Start and enable services

    systemctl start squid.service
    systemctl enable squid.service
    systemctl start httpd.service
    systemctl enable httpd.service

4. Enable webalizer in cron

    vi /etc/sysconfig/webalizer
    WEBALIZER_CRON=yes

    cat /etc/cron.daily/00webalizer
    #!/bin/bash
    NAME=webalizer
    [ -f /etc/sysconfig/$NAME ] || exit 0
    source /etc/sysconfig/$NAME
    [ "z$WEBALIZER_CRON" != "zyes" ] && exit 0
    exec /usr/bin/webalizer -Q

Actual results:
Failure to run by cron as noted above unless SELinux changed to permissive.

Expected results:
Should run as a cron job when SELinux mode is enforcing.

Additional info:

    # ls -laZ /var/www
    drwxr-xr-x. 6 root root system_u:object_r:httpd_sys_content_t:s0 58 Nov 29 17:32 .
    drwxr-xr-x. 22 root root system_u:object_r:var_t:s0 4096 Nov 29 17:32 ..
    drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_script_exec_t:s0 6 Oct 25 08:01 cgi-bin
    drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 6 Oct 25 08:01 html
    drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 171 Nov 29 17:32 mrtg
    drwxr-xr-x. 2 webalizer root system_u:object_r:webalizer_rw_content_t:s0 4096 Dec 2 03:34 usage

    # ls -laZ /var/www/usage
    drwxr-xr-x. 2 webalizer root system_u:object_r:webalizer_rw_content_t:s0 4096 Dec 2 03:34 .
    drwxr-xr-x. 6 root root system_u:object_r:httpd_sys_content_t:s0 58 Nov 29 17:32 ..
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 2322 Dec 2 03:34 ctry_usage_201711.png
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 2310 Dec 2 03:34 ctry_usage_201712.png
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 2590 Dec 2 03:34 daily_usage_201711.png
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 2577 Dec 2 03:34 daily_usage_201712.png
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 1741 Dec 2 03:34 hourly_usage_201711.png
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 1836 Dec 2 03:34 hourly_usage_201712.png
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 4244 Dec 4 03:26 index.html
    -rw-r--r--. 1 webalizer root system_u:object_r:webalizer_rw_content_t:s0 1478 Mar 21 2008 msfree.png
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 48237 Dec 2 03:34 usage_201711.html
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 49800 Dec 2 03:34 usage_201712.html
    -rw-r--r--. 1 root root system_u:object_r:webalizer_rw_content_t:s0 2323 Dec 4 03:26 usage.png
    -rw-r--r--. 1 webalizer root system_u:object_r:webalizer_rw_content_t:s0 1253 Mar 21 2008 webalizer.png
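
Added example, not part of the original report or of any Fedora tooling: a small Python parser that groups AVC denials like the ones quoted in the report by source type, target type and object class, so the set of denied permissions can be compared against the loaded policy. The sample input is four of the report's own records; the function names are this example's, and the allow-rule syntax is used only as a compact summary of what was denied.

```python
import re
from collections import defaultdict

# Four of the records quoted in the report, covering both object classes.
SAMPLE_LOG = """\
type=AVC msg=audit(1512207246.463:220): avc: denied { write } for pid=1353 comm="webalizer" name="usage" dev="dm-0" ino=8464194 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1512207246.463:221): avc: denied { add_name } for pid=1353 comm="webalizer" name="daily_usage_201711.png" scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1512207246.464:223): avc: denied { write open } for pid=1353 comm="webalizer" path="/var/www/usage/daily_usage_201711.png" dev="dm-0" ino=8646205 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1512207246.464:224): avc: denied { getattr } for pid=1353 comm="webalizer" path="/var/www/usage/daily_usage_201711.png" dev="dm-0" ino=8646205 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return dict(groups)

def as_rules(groups):
    """Render each group in allow-rule syntax, for reading alongside the loaded policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]

def logged_in_permissive(log_text):
    """True if every denial carries permissive=1 (logged but not blocked)."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    return bool(recs) and all(r.get("permissive") == "1" for r in recs)

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE_LOG))))
```
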