Hide Forgot
Description of problem: modified /etc/cron.daily/00webalizer to contain: #!/bin/bash # update access statistics for the web site if [ -s /var/log/squid/access.log ]; then (exec /usr/bin/webalizer -Q -c /var/log/squid/webalizer.conf) fi SELinux is preventing /usr/bin/webalizer from 'write' accesses on the file /var/log/squid/usage/index.html. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that webalizer should be allowed write access on the index.html file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep webalizer /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:webalizer_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:squid_log_t:s0 Target Objects /var/log/squid/usage/index.html [ file ] Source webalizer Source Path /usr/bin/webalizer Port <Unknown> Host (removed) Source RPM Packages webalizer-2.23_05-7.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-73.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.10.9-200.fc19.x86_64 #1 SMP Wed Aug 21 19:27:58 UTC 2013 x86_64 x86_64 Alert Count 2 First Seen 2013-08-28 03:29:02 NZST Last Seen 2013-08-28 03:29:02 NZST Local ID 75c7a9a8-ba30-480d-98c6-4bdeba06a81d Raw Audit Messages type=AVC msg=audit(1377617342.307:191): avc: denied { write } for pid=3244 comm="webalizer" name="index.html" dev="dm-1" ino=1065671 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:squid_log_t:s0 tclass=file type=SYSCALL msg=audit(1377617342.307:191): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff9ddf7e40 a1=241 a2=1b6 a3=4 items=0 ppid=3242 pid=3244 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=7 tty=(none) comm=webalizer exe=/usr/bin/webalizer subj=system_u:system_r:webalizer_t:s0-s0:c0.c1023 key=(null) Hash: webalizer,webalizer_t,squid_log_t,file,write Additional info: reporter: libreport-2.1.6 hashmarkername: setroubleshoot kernel: 3.10.9-200.fc19.x86_64 type: libreport
What kind of logs does webalizer need to write to ? sesearch -A -s webalizer_t -c file -p write | grep open allow webalizer_t webalizer_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow webalizer_t webalizer_t : file { ioctl read write getattr lock append open } ; allow webalizer_t httpd_sys_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow webalizer_t anon_inodefs_t : file { ioctl read write getattr lock append open } ; allow webalizer_t webalizer_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow webalizer_t httpd_webalizer_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; Currently it is allowed to write to webalizer_tmp_t webalizer_t httpd_sys_content_t anon_inodefs_t webalizer_var_lib_t httpd_webalizer_content_t
Still the same issue with /var/log/squid. I see the correct path is /var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0) I wrote additional comment in the second bug.