diff --git a/awstats.README.SELinux b/awstats.README.SELinux
new file mode 100644
index 0000000..2d29be3
--- /dev/null
+++ b/awstats.README.SELinux
@@ -0,0 +1,35 @@
+==========================
+SELinux support in AWStats
+==========================
+
+
+What is the problem ?
+---------------------
+
+AWStats is a CGI script, and needs to be labelled correctly to be called
+from Apache.
+The files in ``/usr/share/awstats/wwwroot/cgi-bin`` need to have the
+``httpd_sys_script_exec_t`` type, and the databases files in
+``/var/lib/awstats`` need to have the ``httpd_sys_script_rw_t`` type.
+
+
+How do we solve it ?
+--------------------
+
+You can change the type with the ``chcon`` command::
+
+ chcon -R -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin
+ chcon -R -t httpd_sys_script_rw_t /var/lib/awstats
+
+But these modifications will be lost if the system is relabeled (you can
+request a relabel with the system-config-security tool).
+
+To make these changes permanent, this package sets the contexts by running
+the following commands::
+
+ semanage fcontext -a -t httpd_sys_script_exec_t \
+ '/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
+ semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?'
+
+
+Please send your bug reports (if any ;) ) to https://bugzilla.redhat.com
diff --git a/awstats.spec b/awstats.spec
index 1b82561..9b21b99 100644
--- a/awstats.spec
+++ b/awstats.spec
@@ -7,13 +7,13 @@ Group: Applications/Internet URL: http://awstats.sourceforge.net Source0: http://dl.sf.net/awstats/awstats-6.5.tar.gz #Source0: http://awstats.sourceforge.net/files/awstats-6.5.tar.gz +Source1: awstats.README.SELinux BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: httpd Requires: perl -Requires(post): perl -Requires(postun): /sbin/service -Requires(pre): policycoreutils +Requires(post): perl, policycoreutils +Requires(postun): /sbin/service, policycoreutils %description Advanced Web Statistics is a powerful and featureful tool that generates @@ -31,18 +31,19 @@ The program also supports virtual servers, plugins and a lot of features. With the default configuration, the statistics are available: http://localhost/awstats/awstats.pl + %prep %setup -q - # Fix style sheets. perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/* - # Fix some bad file permissions here for convenience. chmod -x tools/httpd_conf find tools/xslt -type f | xargs chmod -x - # Remove \r in conf file (file written on MS Windows) perl -pi -e 's/\r//g' tools/httpd_conf +# SELinux README +cp -a %{SOURCE1} README.SELinux + %install rm -rf $RPM_BUILD_ROOT @@ -80,7 +81,7 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}/wwwroot/cgi-bin/awstats.model.conf ### Commit permanent changes to default configuration install -p -m 644 wwwroot/cgi-bin/awstats.model.conf \ $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.model.conf -%{__perl} -pi -e ' +perl -pi -e ' s|^LogFile=.*$|LogFile="%{_localstatedir}/log/httpd/access_log"|; s|^DirData=.*$|DirData="%{_localstatedir}/lib/awstats"|; s|^DirCgi=.*$|DirCgi="/awstats"|; 
@@ -91,16 +92,17 @@ install -p -m 644 wwwroot/cgi-bin/awstats.model.conf \ s|^SaveDatabaseFilesWithPermissionsForEveryone=.*$|SaveDatabaseFilesWithPermissionsForEveryone=0|; s|^SkipHosts=.*$|SkipHosts="127.0.0.1"|; s|^Expires=.*$|Expires=3600|; - ' $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.model.conf + ' $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.model.conf install -p -m 644 $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.{model,localhost.localdomain}.conf # Fix scripts -%{__perl} -pi -e 's|/usr/local/awstats|%{_datadir}/awstats|g' \ +perl -pi -e 's|/usr/local/awstats|%{_datadir}/awstats|g' \ $RPM_BUILD_ROOT%{_datadir}/%{name}/tools/{*.pl,httpd_conf} # Apache configuration install -p -m 644 tools/httpd_conf $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf -%{__perl} -pi -e 's|/usr/local|%{_datadir}|g' $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf +perl -pi -e 's|/usr/local|%{_datadir}|g;s|Allow from all|Allow from 127.0.0.1|g' \ + $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf echo "# Additional Perl modules SetEnv PERL5LIB %{_datadir}/awstats/lib:%{_datadir}/awstats/plugins @@ -114,13 +116,6 @@ install -m 0755 awstats.cron $RPM_BUILD_ROOT%{_sysconfdir}/cron.hourly/%{name} rm -rf $RPM_BUILD_ROOT -%pre -# Set SELinux types -semanage fcontext -a -t httpd_sys_script_exec_t \ - '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || : -semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?' 2>/dev/null || : - - %post if [ $1 -eq 1 ]; then if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then 
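Review bot: The new `s|Allow from all|Allow from 127.0.0.1|g` edit of the conf.d file fails open: if upstream's `tools/httpd_conf` ever words the directive differently, perl still exits 0 and the package ships with whatever access rule upstream wrote. As far as this hunk shows, that substitution is the only thing enforcing the localhost-only default announced in the changelog. I would follow it with a check that stops the build when the restriction is missing, e.g. `grep -q 'Allow from 127.0.0.1' $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/conf.d/%{name}.conf` (assuming the usual `sh -e` build shell), or carry the Apache snippet as its own Source file rather than patching upstream's. A one-line comment above the command, such as `# Restrict to localhost by default; admins widen access explicitly`, would record why the edit exists.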
@@ -130,18 +125,28 @@ if [ $1 -eq 1 ]; then ' > %{_sysconfdir}/%{name}/%{name}.`hostname`.conf || : fi fi +### SELinux support ### +# Set SELinux file_context +semanage fcontext -a -t httpd_sys_script_exec_t \ + '%{_datadir}/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || : +semanage fcontext -a -t httpd_sys_script_rw_t '%{_localstatedir}/lib/awstats(/.*)?' 2>/dev/null || : +# Actually change the context +chcon -R -t httpd_sys_script_exec_t %{_datadir}/awstats/wwwroot/cgi-bin +chcon -R -t httpd_sys_script_rw_t %{_localstatedir}/lib/awstats %postun if [ $1 -ne 0 ]; then /sbin/service httpd condrestart >/dev/null 2>&1 fi +# SELinux support if [ $1 -eq 0 ]; then semanage fcontext -d -t httpd_sys_script_exec_t \ '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || : fi + %files %defattr(-,root,root,755) # Apache configuration file @@ -155,7 +160,7 @@ fi %{_datadir}/%{name}/wwwroot/cgi-bin # Different defattr to fix lots of files which should not be +x. %defattr(644,root,root,755) -%doc README.TXT docs/* +%doc README.TXT docs/* README.SELinux %{_datadir}/%{name}/lang %{_datadir}/%{name}/lib %{_datadir}/%{name}/plugins @@ -164,9 +169,12 @@ fi %{_datadir}/%{name}/wwwroot/icon %{_datadir}/%{name}/wwwroot/js + + %changelog * Sun Apr 09 2006 Aurelien Bompard 6.5-3 - SELinux support: use semanage to label the cgi and the database files +- Only allow access from localhost by default (this app has a security history) * Thu Feb 23 2006 Aurelien Bompard 6.5-2 - rebuild for FC5
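Review bot: The two `chcon -R` calls added at the end of `%post` lack the `2>/dev/null || :` guard that the `semanage` calls above them carry, so where SELinux is disabled or the type is unknown to the loaded policy, the scriptlet's last command fails and the transaction reports a failed `%post`. Since the fcontext rules have just been registered, `restorecon -R %{_datadir}/awstats/wwwroot/cgi-bin %{_localstatedir}/lib/awstats 2>/dev/null || :` would apply them without repeating the type names; restorecon ships in policycoreutils, which is already a `Requires(post)`. In the same hunk `%postun` deletes only the `httpd_sys_script_exec_t` rule and leaves the `httpd_sys_script_rw_t` rule for `%{_localstatedir}/lib/awstats` behind after erase. Its hard-coded `/usr/share/...` path also no longer mirrors the `%{_datadir}` form now used in `%post`. The removal should undo both additions with the same macro-based patterns.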