I have 2 problems, any help would be appreciated.
The webalizer crons don't work, the error message being :

Nov 12 08:59:51 myusername setroubleshoot: SELinux is preventing /usr/bin/webalizer (webalizer_t) "search" to webalizer (bin_t). For complete SELinux messages. run sealert -l .......

The other problem is that I cannot access my /stats directory ... when trying from a browser, even if I use the username/password of the owner of the domain, I get a 401 Authorization Required. I tried changing that user's password, and the encrypted password in .stats-htpasswd changed, but still can't login.

Any ideas ?

Post edited by: krime777, at: 2007/11/12 05:24

Sorry to resurrect an aging thread, but I wondered if anyone has yet ironed out the SELinux issues with Webalizer yet? I'm seeing a similar SELinux alert on my CentOS 5 server, viz:

Code:

SELinux is preventing webalizer (webalizer_t) "search" to ./virtual-server (bin_t). ...

I am struggling to wrap my head around the issues raised by SELinux. Can anyone offer any advice? I have scoured the internet but not even the NSA's SELinux site has an answer. I suspect if I actually understood SELinux I'd be halfway to solving the problem, but as it is...

Incidentally, I suspect that this may be a problem that other newbies are experiencing ("Why aren't my stats working?!") but they haven't viewed the log files and identified the cause.

Some feedback: I only discovered VirtualMin in the last few days but have been delighted with it. I run a modest web development/media server at home and VirtualMin has done wonders to reduce all the tedious config file editing I used to do. Good job, and perfect for my needs! Thanks guys.

Well, first off, there is the option to disable SELinux. It provides an awesome level of security, but it can be a bit inflexible and add to the amount of time you spend getting things working.

So just as an option, if you wanted to disable it, or even just put it in permissive mode (which generates the errors without actually preventing things from working), you can set that here:

/etc/selinux/config

Of course, there's clear security advantages to running SELinux. So how do you keep using SELinux and get Webalizer to work?

Well, there should be actual error messages in /var/log messages, along the lines of this:

avc: denied { search } for comm="webalizer" dev=dm-0 egid=0 euid=0 exe="/usr/bin/webalizer" exit=-2 fsgid=0 fsuid=0 gid=0 items=0 name="virtual- server" pid=3709 scontext=root:system_r:webalizer_t ...

It's possible to convert all the messages like that into allow rules that would get Webalizer up and running. You can do that manually once you have a grasp on what the above means, or until then there's a tool called audit2allow which can do that for you.

Some details on how to generate allow rules are here:

http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385

I hope that helps!
-Eric

Well, first off, there is the option to disable SELinux.
Yeah - I put it into permissive mode yesterday just until I get this sorted. Not entirely satisfactory though - amongst other reasons, I'm providing a bit of shared hosting on this box.

It provides an awesome level of security, but it can be a bit inflexible and add to the amount of time you spend getting things working.
Agreed. When I first encountered SE a few years ago I just gave up! :D

Some details on how to generate allow rules are here:

http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
Awesome; thanks for the pointer!

Follow-up:

Brilliant; I followed those instructions and it did the trick. Wonder if this is worth adding to the FAQ? Whilst I know it's not specifically a Virtualmin issue, it definitely appears to arise as a direct result of using Virtualmin + Webalizer on SELinux systems.

I'm delighted to be able to put SELinux back into "Enforcing" mode, so thanks again for your help Eric.

Great, I'm glad that worked!

What do you think would be valuable to have in a FAQ/documentation page regarding SELinux? Largely the link that describes how to create "allow" rules, or did you have anything else in mind too?
-Eric

There is a pretty good discussion of SELinux in Fedora over at lwn.net; see: http://lwn.net/Articles/288507/

There is a pretty good discussion of SELinux in Fedora over at lwn.net; see: http://lwn.net/Articles/288507/

andreychek wrote:
What do you think would be valuable to have in a FAQ/documentation page regarding SELinux? Largely the link that describes how to create "allow" rules, or did you have anything else in mind too?What do you think would be valuable to have in a FAQ/documentation page regarding SELinux? Largely the link that describes how to create "allow" rules, or did you have anything else in mind too?
From a practical point of view, it would be useful to have something that would turn up on search engines! Yes, a mention of that link would be handy, although I'm lairy of relying on external links which may die or go out of date.

How about, off the top of my head:

FAQ: Webalizer is not indexing sites. The system log shows an entry like 'SELinux is preventing /usr/bin/webalizer (webalizer_t) "search" to ./virtual-server (bin_t). For complete SELinux messages. run sealert -l [xxxxxxxxxxxxxxxxxxxx]'

Answer: Webalizer is attempting to collect statistics from your virtual sites, but SELinux is preventing this access. If you run "sealert -l [xxxxxxxxxxxxxxxxxxxx]" you will see a detailed (but not necessarily intelligible!) explanation along the following lines:

Summary:

SELinux is preventing webalizer (webalizer_t) "search" to ./virtual-server
(bin_t).

Detailed Description:

SELinux denied access requested by webalizer. It is not expected that this access is required by webalizer and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./virtual-server,

restorecon -v './virtual-server'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context root:system_r:webalizer_t:SystemLow-SystemHigh
Target Context root:object_r:bin_t
Target Objects ./virtual-server [ dir ]
Source webalizer
Source Path /usr/bin/webalizer
Port <Unknown>
Host yourhost.local
Source RPM Packages webalizer-2.01_10-30.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall_file
Host Name yourhost.local
Platform Linux yourhost.local 2.6.18-92.1.6.el5.centos.plus
#1 SMP Thu Jun 26 12:25:59 EDT 2008 i686 i686
Alert Count 3683
First Seen Thu Jul 3 11:38:06 2008
Last Seen Thu Jul 10 09:03:04 2008
Local ID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Line Numbers

Raw Audit Messages

host=yourhost.local type=AVC msg=audit(1215676984.437:16247): avc: denied { search } for pid=9297 comm="webalizer" name="virtual-server" dev=hda1 ino=1244742 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=root:object_r:bin_t:s0 tclass=dir

host=yourhost.local type=SYSCALL msg=audit(1215676984.437:16247): arch=40000003 syscall=195 success=no exit=-2 a0=805f74a a1=bfbd7ea0 a2=d40ff4 a3=3 items=0 ppid=9260 pid=9297 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2580 comm="webalizer" exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)

At the link referred to in this message (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) instructions are provided for creating a local policy allowing this particular action. Consider this a workaround until your Linux vendor/the webalizer team have produced an official policy module for SELinux/Virtualmin/Webalizer.

Alternatively you can disable SELinux or run it in permissive mode. This would of course have security implications.

midol wrote:
There is a pretty good discussion of SELinux in Fedora over at lwn.net; see: http://lwn.net/Articles/288507/

Alas:
The article you have tried to view (LWN.net Weekly Edition for July 10, 2008) is currently available to LWN subscribers only. Reader subscriptions are a necessary way to fund the continued existence of LWN and the quality of its content.