awstats munged httpd rights in SElinux, how to fix?

Gene Heskett gene.heskett at verizon.net
Thu Jul 31 03:35:06 UTC 2008


On Wednesday 30 July 2008, Tim wrote:
>On Wed, 2008-07-30 at 18:12 -0400, Gene Heskett wrote:
>> Wanting to see who might have visited my simple web page, I installed
>> awstats from the fedora repo today.
>>
>> The awstats selinux helper seems to be an empty file, yumex won't dl it or
>> install it even when checked.
>>
>> From the yumex screen:
>>
>> 7:59:02 : Package Queue:
>> 17:59:02 :  Packages to install
>> 17:59:02 :  ---> awstats-selinux-6.7-1.fc8.noarch
>> 17:59:02 : Preparing for install/remove/update
>> 17:59:02 : --> Preparing for install
>> 17:59:02 : Package awstats-selinux is obsoleted by awstats, trying to
>> install awstats-6.8-1.fc8.noarch instead
>> 17:59:02 : Package awstats-6.8-1.fc8.noarch already installed and latest
>> version
>> 17:59:06 : Error in Dependency Resolution
>> 17:59:06 : Success - empty transaction
>>
>> which is self-explanatory.
>>
>> But on attempting to look at my page at localhost, I get connection
>> refused.
>>
>> So I, as root, do: service httpd restart
>> Stopping httpd:                                            [FAILED]
>> Starting httpd: (13)Permission denied: httpd: could not open error log
>> file /etc/httpd/logs/error_log.
>> Unable to open logs
>>                                                            [FAILED]
>
>Sounds more like Apache problems, not AWStats, this is Apache failing to
>start.  AWStats just reads the logs, *separately*.  As a regular cron
>job, as I recall.  Though it can be fired up on demand.
>
Actually, it's something in the new 2.6.27-rc1 kernel that is stopping it.
I just rebooted to 2.6.26 final, and it's happy as a clam.  The 2.6.27-rc1 
kernel has some newer options targeted at net security that I haven't quite 
grokked yet.

Back to awstats, where does this output show up?  As a web page on localhost, 
or something it takes mrtg to look at?

Also, what user does the cron entry belong to?

>NB:  /etc/httpd/logs/ is a symlink to /var/log/httpd

That I had figured out.
>
>> And an selinux denial that says I can fix it with this:
>> #> setsebool -P httpd_unified=1
>>
>> But I've now executed that line several times without success.
>>
>> I've also gone through the httpd stuff and made much of it 0644 and owned
>> by apache:apache.
>
>Why and what?  Configuration and log files should be owned by root,
>files to be served out of the website should be owned by the author.
>
I'll switch them back then.

>Are you still using your computer as root, and messing up file and
>directory ownerships as you go along?

Here and there.  If fedora would give me what I want to do, I'd use it as is, 
but it doesn't.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
  May I ask a question?



