Bug 1001805 - SELinux is preventing /usr/bin/webalizer from 'write' accesses on the directory /var/log/squid.
SELinux is preventing /usr/bin/webalizer from 'write' accesses on the directo...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:94dec72f845e17552af4369d3b3...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-27 15:41 EDT by Nivag
Modified: 2013-08-29 02:49 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-29 02:49:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nivag 2013-08-27 15:41:16 EDT
Description of problem:
modified /etc/cron.daily/00webalizer to contain:

#!/bin/bash
# update access statistics for the web site

if [ -s /var/log/squid/access.log ]; then
   (exec /usr/bin/webalizer -Q -c /var/log/squid/webalizer.conf)
fi
SELinux is preventing /usr/bin/webalizer from 'write' accesses on the directory /var/log/squid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that webalizer should be allowed write access on the squid directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep webalizer /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:webalizer_t:s0-s0:c0.c1023
Target Context                system_u:object_r:squid_log_t:s0
Target Objects                /var/log/squid [ dir ]
Source                        webalizer
Source Path                   /usr/bin/webalizer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           webalizer-2.23_05-7.fc19.x86_64
Target RPM Packages           squid-3.2.13-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-200.fc19.x86_64 #1 SMP Wed
                              Aug 21 19:27:58 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-08-28 03:29:02 NZST
Last Seen                     2013-08-28 03:29:02 NZST
Local ID                      9f71c196-4020-4852-8773-b261b648b344

Raw Audit Messages
type=AVC msg=audit(1377617342.306:189): avc:  denied  { write } for  pid=3244 comm="webalizer" name="squid" dev="dm-1" ino=1056034 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1377617342.306:189): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff9ddf8e50 a1=241 a2=1b6 a3=30 items=0 ppid=3242 pid=3244 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=7 tty=(none) comm=webalizer exe=/usr/bin/webalizer subj=system_u:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)

Hash: webalizer,webalizer_t,squid_log_t,dir,write

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport
Comment 1 Lukas Vrabec 2013-08-28 04:59:41 EDT
Hi  Nivag,

Do you know, why is "webalizer.conf" saved in "/var/log/squid/" ?
Comment 2 Nivag 2013-08-28 06:45:14 EDT
I put it there, as the man page says:

       o       A default configuration file is  scanned  for.   A  file  named
               webalizer.conf is searched for in the current directory, and if
               found, and is owned by the invoking user, then  its  configura‐
               tion data is parsed.  If the file is not present in the current
               directory,  the file /etc/webalizer.conf is searched  for  and,
               if found, is used instead.
Comment 3 Lukas Vrabec 2013-08-28 07:56:11 EDT
Yes, I see. 
So, I would like to suggest you to move your configuration to /etc/webalizer.conf and use just this config file. How you can see, if webalizer can't find config file in current directory, will be used file /etc/webalizer.conf. 
If you don't do that, you can make your own selinux policy, but it's less safe than the first solution.
Comment 4 Daniel Walsh 2013-08-28 15:35:01 EDT
Well another option would be to put a label on this file that webalizer can write to.


If you change the label to webalizer_etc_t 

# semanage fcontext -a -t webalizer_etc_t /var/log/squid/webalizer.conf
# restorecon -R -v /var/log/squid
Comment 5 Nivag 2013-08-28 22:49:12 EDT
/usr/bin/webalizer needs 'write' access to directory /var/log/squid to update the files: webalizer.current & webalizer.hist, plus the usage directory.

So I should do the following:
semanage fcontext -a -t webalizer_etc_t /var/log/squid/webalizer.current
semanage fcontext -a -t webalizer_etc_t /var/log/squid/webalizer.hist
semanage fcontext -a -t webalizer_etc_t /var/log/squid/usage
restorecon -R -v /var/log/squid
Comment 6 Miroslav Grepl 2013-08-29 02:49:05 EDT
webalizer_etc_t won't work. 

$ sesearch -A -s webalizer_t -t webalizer_etc_t
Found 1 semantic av rules:
   allow webalizer_t webalizer_etc_t : file { ioctl read getattr lock open } ;

This is really weird to have it in this directory.

Could you move it to 

/var/lib/webalizer

Or you can leave it in /var/log/squid but you will need to run

# semanage permissive -a webalizer_t

re-test

# ausearch -m avc -ts recent |audit2allow -M mywebalizer
# semodule -i mywebalizer.pp
# semanage permissive -d webalizer_t

Note You need to log in before you can comment on or make changes to this bug.