andreychek wrote:
What do you think would be valuable to have in a FAQ/documentation page regarding SELinux? Largely the link that describes how to create "allow" rules, or did you have anything else in mind too?
From a practical point of view, it would be useful to have something that would turn up on search engines! Yes, a mention of that link would be handy, although I'm leery of relying on external links which may die or go out of date.
How about, off the top of my head:
FAQ: Webalizer is not indexing sites. The system log shows an entry like ‘SELinux is preventing /usr/bin/webalizer (webalizer_t) “search” to ./virtual-server (bin_t). For complete SELinux messages. run sealert -l [xxxxxxxxxxxxxxxxxxxx]’
Answer: Webalizer is attempting to collect statistics from your virtual sites, but SELinux is preventing this access. If you run "sealert -l [xxxxxxxxxxxxxxxxxxxx]" you will see a detailed (but not necessarily intelligible!) explanation along the following lines:
Summary:
SELinux is preventing webalizer (webalizer_t) "search" to ./virtual-server
(bin_t).
Detailed Description:
SELinux denied access requested by webalizer. It is not expected that this access is required by webalizer and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./virtual-server,
restorecon -v ‘./virtual-server’
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context root:system_r:webalizer_t:SystemLow-SystemHigh
Target Context root:object_r:bin_t
Target Objects ./virtual-server [ dir ]
Source webalizer
Source Path /usr/bin/webalizer
Port <Unknown>
Host yourhost.local
Source RPM Packages webalizer-2.01_10-30.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name yourhost.local
Platform Linux yourhost.local 2.6.18-92.1.6.el5.centos.plus
#1 SMP Thu Jun 26 12:25:59 EDT 2008 i686 i686
Alert Count 3683
First Seen Thu Jul 3 11:38:06 2008
Last Seen Thu Jul 10 09:03:04 2008
Local ID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Line Numbers
Raw Audit Messages
host=yourhost.local type=AVC msg=audit(1215676984.437:16247): avc: denied { search } for pid=9297 comm="webalizer" name="virtual-server" dev=hda1 ino=1244742 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=root:object_r:bin_t:s0 tclass=dir
host=yourhost.local type=SYSCALL msg=audit(1215676984.437:16247): arch=40000003 syscall=195 success=no exit=-2 a0=805f74a a1=bfbd7ea0 a2=d40ff4 a3=3 items=0 ppid=9260 pid=9297 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2580 comm="webalizer" exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
At the link referred to in this message (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) instructions are provided for creating a local policy allowing this particular action. Consider this a workaround until your Linux vendor/the webalizer team have produced an official policy module for SELinux/Virtualmin/Webalizer.
Alternatively you can disable SELinux or run it in permissive mode. This would of course have security implications.
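As an added example (not part of the original post, and not Virtualmin's or Webalizer's own code), here is a small Python parser for the raw AVC record that sealert prints above. It pulls out the source type, target type, object class and permission set, skips non-AVC records such as the SYSCALL line, and prints the TE rule that the local-policy workflow at the linked FAQ would derive from the denial. The sample records are the ones quoted in the sealert output above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples: the two raw audit messages quoted in the sealert output above.
SAMPLE_AVC = ('host=yourhost.local type=AVC msg=audit(1215676984.437:16247): avc: denied '
              '{ search } for pid=9297 comm="webalizer" name="virtual-server" dev=hda1 '
              'ino=1244742 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 '
              'tcontext=root:object_r:bin_t:s0 tclass=dir')
SAMPLE_SYSCALL = ('host=yourhost.local type=SYSCALL msg=audit(1215676984.437:16247): '
                  'arch=40000003 syscall=195 success=no exit=-2 comm="webalizer" '
                  'exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023')

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]          # permissions that were denied, e.g. ["search"]
    fields: Dict[str, str]    # pid, comm, name, scontext, tcontext, tclass, ...


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial in one audit record, or None for granted/non-AVC records."""
    m = AVC_RE.search(line)
    if not m or m.group('result') != 'denied':
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcDenial(m.group('perms').split(), fields)


def selinux_type(context: str) -> str:
    """A context is user:role:type[:range]; the type is the third field."""
    return context.split(':')[2]


def allow_rule(d: AvcDenial) -> str:
    """TE rule permitting exactly this denial, as audit2allow would derive it.
    Only write such a rule once the labelling has been checked (sealert suggests
    restorecon first): an unexpected target type like bin_t on a data directory
    usually means the object is mislabelled, not that the policy is too strict."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return (f"allow {selinux_type(d.fields['scontext'])} "
            f"{selinux_type(d.fields['tcontext'])}:{d.fields['tclass']} {perms};")


if __name__ == '__main__':
    for record in (SAMPLE_AVC, SAMPLE_SYSCALL):
        denial = parse_avc(record)
        if denial:
            print(f"{denial.fields['comm']} (pid {denial.fields['pid']}) denied "
                  f"{denial.perms} on {denial.fields.get('name')}: {allow_rule(denial)}")
```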