SELinux is preventing /usr/bin/perl from 'getattr' accesses on the file /var/log/squid/access.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed getattr access on the access.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep awstats.pl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:awstats_t:s0-s0:c0.c1023
Target Context                system_u:object_r:squid_log_t:s0
Target Objects                /var/log/squid/access.log [ file ]
Source                        awstats.pl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.12.3-141.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-25.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 30 Jan 2011 03:01:02 PM WIT
Last Seen                     Sun 30 Jan 2011 03:01:02 PM WIT
Local ID                      ddb42a89-0c76-4c8d-99ff-33d5002b8677

Raw Audit Messages
type=AVC msg=audit(1296374462.77:24980): avc: denied { getattr } for pid=19632 comm="awstats.pl" path="/var/log/squid/access.log" dev=dm-4 ino=263089 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=file

type=SYSCALL msg=audit(1296374462.77:24980): arch=x86_64 syscall=fstat success=yes exit=0 a0=4 a1=cda0a8 a2=cda0a8 a3=7fff96fb7ec0 items=0 ppid=19631 pid=19632 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=139 comm=awstats.pl exe=/usr/bin/perl subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)

Hash: awstats.pl,awstats_t,squid_log_t,file,getattr

audit2allow

#============= awstats_t ==============
allow awstats_t squid_log_t:file getattr;

audit2allow -R

#============= awstats_t ==============
allow awstats_t squid_log_t:file getattr;
I think we should add at least

optional_policy(`
	squid_read_log(awstats_t)
')
I agree.
Fixed in selinux-policy-3.9.7-28.fc14
selinux-policy-3.9.7-28.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.