Bug 175482

Summary: httpd isn't allowed to access webalizer files
Product: [Fedora] Fedora
Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: cpebenito
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-01-02 17:26:59 UTC

Description Robert Scheck 2005-12-11 18:31:32 UTC
Description of problem:
Per default, I'm not able to access webalizer files via httpd - but shouldn't 
exactly this be the case? At least webalizer generates statistics from httpd log 
files... ;-) 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.1.2-1

Actual results/Expected results:
I added the following rules solving this for my personal use, but maybe these 
could be added at upstream using a selinux boolean or similar?

allow httpd_t webalizer_var_lib_t:dir { getattr read search };
allow httpd_t webalizer_var_lib_t:file { getattr read };

Comment 1 Chris PeBenito 2005-12-13 15:54:10 UTC
From doing some testing on rawhide with the default configurations, I haven't
been able to reproduce this problem.  Webalizer can run from the command line or
from cron, and apache can read its output successfully.  Is this what you are
trying to do, or something different?

Comment 2 Robert Scheck 2005-12-13 23:25:28 UTC
Ush...I didn't recognize that the default webalizer output directory changed to 
/var/www/usage a very long time ago :(

But when you're already talking about webalizer and cron, there I get the 
following AVC message:

type=AVC msg=audit(1132538702.239:278): avc:  denied  { search } for  pid=15802 comm="webalizer" name="root" dev=cciss/c0d0p2 ino=327681 scontext=root:system_r:webalizer_t:s0-s0:c0.c255 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1132538702.239:278): arch=40000003 syscall=195 success=no exit=-2 a0=80606e6 a1=bf9f729c a2=25cff4 a3=bf9f729c items=1 pid=15802 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="webalizer" exe="/usr/bin/webalizer"
type=CWD msg=audit(1132538702.239:278):  cwd="/root"
type=PATH msg=audit(1132538702.239:278): item=0 name="webalizer.conf" flags=101

Comment 3 Daniel Walsh 2006-01-02 17:26:59 UTC
Fixed in selinux-policy-2.1.6-19