Steven Stromer filter at
Wed Sep 28 20:30:18 UTC 2005

Dear Mickey,

I noticed your post right before going to lunch. I was planning on 
responding when I got back, but you beat me to the punch! Thanks for 
your response. I believe that you are 90% of the way to your destination...

> # ls -Z /usr/share/awstats/wwwroot/cgi-bin/
> -rwxr-xr-x  root     root     system_u:object_r:usr_t
> -rwxr-xr-x  root     root     system_u:object_r:usr_t
> Changing the type gets the script running:
> # chcon -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin/*
> # ls -Z /usr/share/awstats/wwwroot/cgi-bin/
> -rwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t
> -rwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t

This is correct, so far.

> However, the script reports an error.
> Error: AWStats database directory defined in config file by 'DirData'
> parameter (/var/lib/awstats) does not exist or is not writable.
> # ls -Z /var/lib
> ...
> drwxr-xr-x  root     root     system_u:object_r:var_lib_t      awstats
> ...
> Changing the type allows the script to run:
> # chcon -t httpd_sys_script_rw_t /var/lib/awstats
> # ls -Z /var/lib
> ...
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_rw_t awstats
> ...

You have changed the policy on the /var/lib/awstats folder, but not on 
its contents, as you successfully did on the files in the cgi-bin, 
above. In the case of the cgi-bin, it seems you achieved this with a 
wildcard (*). Just chcon the contents (the actual AWStats databases) in 
/var/lib/awstats, and you'll be good to go. You can do this one file at 
a time, or by using a wildcard (*) as you did above, or, best of all, 
recursively through the directory for all time, with:

chcon -R -h -t httpd_sys_script_ra_t /var/lib/awstats

This will make the existing contents of the directory, and any new 
databases added to the directory in the future (db's for new virtual 
hosts, for instance) properly permissioned, so long as future files 
added to the directory are created properly.

(You might note that I recommended chcon'ing your awstats database 
folder _ra_t, and not _rw_t, as you had done originally. This just 
removes the right to ever erase one of the databases.)

This should get your web reporting working. However, it does not resolve 
the final issue, which I am still working out. There exists an option in 
the web reporting pages called 'Update Now'. It allows you to update 
reports from the web server's logs without performing the log parsing 
from the command line. You must change the directive 
'AllowToUpdateStatsFromBrowser' from 0 to 1 in your awstats .conf file 
to activate this practical feature. However, I have found that the 
web-based update process needs access to the system's httpd access_log 
file (usually in /var/log/httpd). I have changed permissions on this 
file to httpd_sys_script_ra_t, but it was not sufficient to make the 
update feature work. Hopefully, someone will be able to help here. I'll 
post if I get the answer.

Finally, I noticed that the changes to policy would not take until I 
closed the browser window in which I was trying to access AWStats, and 
reloaded it in a new window.

Hope this helps,

Steven Stromer
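
Added example, not part of the original message: a small shell check that reads `ls -Z` output in the layout quoted above and lists the entries whose SELinux type differs from the expected one, which shows whether a directory's contents were relabelled along with the directory itself. The function name `mislabeled`, the helper `sample_listing` and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux types in `ls -Z` output (mode, user, group,
# context, name, as quoted in the thread; "context name" alone also parses).

# mislabeled EXPECTED_TYPE   (hypothetical helper; listing lines on stdin)
# Prints "name<TAB>actual_type" for each entry whose type is not EXPECTED_TYPE.
# Exit status: 0 when every entry matches, 1 when a mismatch was printed.
mislabeled() {
    awk -v want="$1" '
        {
            ctx = ""
            # The context is the first field shaped like user:role:type[:level].
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; ci = i; break }
            # Skip "..." separators and lines with no name after the context.
            if (ctx == "" || ci == NF) next
            name = $(ci + 1)
            for (j = ci + 2; j <= NF; j++) name = name " " $j
            split(ctx, part, ":")
            if (part[3] != want) { printf "%s\t%s\n", name, part[3]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: a data directory where one file kept its old type.
sample_listing() {
    cat <<'EOF'
-rw-r--r--  root     root     system_u:object_r:httpd_sys_script_ra_t awstats092005.example.txt
-rw-r--r--  root     root     system_u:object_r:var_lib_t      awstats082005.example.txt
...
EOF
}

# Demo on the constructed sample; for a live check, pipe in `ls -Z <dir>`.
sample_listing | mislabeled httpd_sys_script_ra_t || echo "relabel needed" >&2
```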

More information about the fedora-selinux-list mailing list