Bug 1520587 - webalizer run by cron has issues with SELinux in /var/www/usage
Keywords:
Status: CLOSED DUPLICATE of bug 1382785
Alias: None
Product: Fedora
Classification: Fedora
Component: webalizer
Version: 26
Hardware: x86_64
OS: Windows
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Sergio Basto
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-12-04 19:25 UTC by Vicente
Modified: 2017-12-06 11:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-06 11:11:59 UTC
Type: Bug
Embargoed:



Description Vicente 2017-12-04 19:25:11 UTC
Description of problem:
When webalizer is run as a cron job to analyze squid logs and generate the output in /var/www/usage, it does not work. If I change SELinux mode from enforcing to permissive, the cron job works as expected.


type=AVC msg=audit(1512207246.463:220): avc:  denied  { write } for  pid=1353 comm="webalizer" name="usage" dev="dm-0" ino=8464194 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1512207246.463:221): avc:  denied  { add_name } for  pid=1353 comm="webalizer" name="daily_usage_201711.png" scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=dir permissive=1

type=AVC msg=audit(1512207246.464:222): avc:  denied  { create } for  pid=1353 comm="webalizer" name="daily_usage_201711.png" scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1512207246.464:223): avc:  denied  { write open } for  pid=1353 comm="webalizer" path="/var/www/usage/daily_usage_201711.png" dev="dm-0" ino=8646205 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1512207246.464:224): avc:  denied  { getattr } for  pid=1353 comm="webalizer" path="/var/www/usage/daily_usage_201711.png" dev="dm-0" ino=8646205 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1512293042.049:277): avc:  denied  { getattr } for  pid=2045 comm="webalizer" path="/var/www/usage/usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1512293042.050:278): avc:  denied  { write } for  pid=2045 comm="webalizer" name="usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1512293042.050:279): avc:  denied  { open } for  pid=2045 comm="webalizer" path="/var/www/usage/usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1512379561.561:332): avc:  denied  { getattr } for  pid=2775 comm="webalizer" path="/var/www/usage/usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1512379561.561:333): avc:  denied  { write } for  pid=2775 comm="webalizer" name="usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1

type=AVC msg=audit(1512379561.562:334): avc:  denied  { open } for  pid=2775 comm="webalizer" path="/var/www/usage/usage.png" dev="dm-0" ino=8666260 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1



Version-Release number of selected component (if applicable):
Source RPM  : webalizer-2.23_08-7.fc26.src.rpm
Source RPM  : selinux-policy-3.13.1-260.14.fc26.src.rpm
Source RPM  : squid-4.0.20-2.fc26.src.rpm
Source RPM  : httpd-2.4.29-1.fc26.src.rpm
Source RPM  : kernel-4.13.15-200.fc26.src.rpm


How reproducible:
100%



Steps to Reproduce:
1. Install and upgrade required packages with dnf:
dnf upgrade
dnf install squid
dnf install webalizer

2. Configure services as needed (squid, httpd, webalizer)
vi /etc/webalizer.conf
   #LogFile        /var/log/httpd/access_log
   LogFile        /var/log/squid/access.log
   LogType         squid

3. Start and enable services
systemctl start squid.service
systemctl enable squid.service
systemctl start httpd.service
systemctl enable httpd.service

4. Enable webalizer in cron
vi /etc/sysconfig/webalizer
WEBALIZER_CRON=yes

cat /etc/cron.daily/00webalizer
#!/bin/bash
NAME=webalizer
[ -f /etc/sysconfig/$NAME ] || exit 0
source /etc/sysconfig/$NAME
[ "z$WEBALIZER_CRON" != "zyes" ] && exit 0
exec /usr/bin/webalizer -Q



Actual results:
Failure to run by cron as noted above unless SELinux is changed to permissive.

Expected results:
Should run as a cron job when SELinux mode is enforcing.

Additional info:
# ls -laZ /var/www
drwxr-xr-x.  6 root      root system_u:object_r:httpd_sys_content_t:s0       58 Nov 29 17:32 .
drwxr-xr-x. 22 root      root system_u:object_r:var_t:s0                   4096 Nov 29 17:32 ..
drwxr-xr-x.  2 root      root system_u:object_r:httpd_sys_script_exec_t:s0    6 Oct 25 08:01 cgi-bin
drwxr-xr-x.  2 root      root system_u:object_r:httpd_sys_content_t:s0        6 Oct 25 08:01 html
drwxr-xr-x.  2 root      root system_u:object_r:httpd_sys_content_t:s0      171 Nov 29 17:32 mrtg
drwxr-xr-x.  2 webalizer root system_u:object_r:webalizer_rw_content_t:s0  4096 Dec  2 03:34 usage

# ls -laZ /var/www/usage
drwxr-xr-x. 2 webalizer root system_u:object_r:webalizer_rw_content_t:s0  4096 Dec  2 03:34 .
drwxr-xr-x. 6 root      root system_u:object_r:httpd_sys_content_t:s0       58 Nov 29 17:32 ..
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0  2322 Dec  2 03:34 ctry_usage_201711.png
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0  2310 Dec  2 03:34 ctry_usage_201712.png
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0  2590 Dec  2 03:34 daily_usage_201711.png
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0  2577 Dec  2 03:34 daily_usage_201712.png
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0  1741 Dec  2 03:34 hourly_usage_201711.png
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0  1836 Dec  2 03:34 hourly_usage_201712.png
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0  4244 Dec  4 03:26 index.html
-rw-r--r--. 1 webalizer root system_u:object_r:webalizer_rw_content_t:s0  1478 Mar 21  2008 msfree.png
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0 48237 Dec  2 03:34 usage_201711.html
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0 49800 Dec  2 03:34 usage_201712.html
-rw-r--r--. 1 root      root system_u:object_r:webalizer_rw_content_t:s0  2323 Dec  4 03:26 usage.png
-rw-r--r--. 1 webalizer root system_u:object_r:webalizer_rw_content_t:s0  1253 Mar 21  2008 webalizer.png
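
Added example (not part of the original report, and not code from webalizer or selinux-policy): a small Python parser that groups AVC records like those quoted in the description by source type, target type and object class, and renders each group in SELinux allow-rule syntax for triage. The function names are hypothetical; the sample input is three records copied from the report.

```python
import re
from collections import defaultdict

# Sample input: three AVC records copied verbatim from the report above.
SAMPLE = """\
type=AVC msg=audit(1512207246.463:220): avc:  denied  { write } for  pid=1353 comm="webalizer" name="usage" dev="dm-0" ino=8464194 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1512207246.464:222): avc:  denied  { create } for  pid=1353 comm="webalizer" name="daily_usage_201711.png" scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1512207246.464:223): avc:  denied  { write open } for  pid=1353 comm="webalizer" path="/var/www/usage/daily_usage_201711.png" dev="dm-0" ino=8646205 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:webalizer_rw_content_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\([\d.]+:\d+\):\s+avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the record's key=value fields plus a 'perms' list, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is field 3.
    return context.split(":")[2]

def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    rules, logged_only = defaultdict(set), 0
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # not an AVC denial record
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
        # permissive=1: the denial was logged but the access was not blocked.
        if rec.get("permissive") == "1":
            logged_only += 1
    return dict(rules), logged_only

def as_allow_rules(rules):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE)[0])))
```

The grouped output is a summary for comparing against the installed policy, not a rule set to load as-is.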

Comment 1 Sergio Basto 2017-12-06 11:11:59 UTC

*** This bug has been marked as a duplicate of bug 1382785 ***

