#1 Tue, 03/04/2008 - 12:06
krime777

Webalizer

The status of your system is being checked to ensure that all enabled features are available, that the mail server is properly configured, and that quotas are active ..

  Mail server Sendmail is installed and configured.

  Apache is installed.

  Webalizer does not appear to be installed on your system, or has not yet been set up properly in Webmin's Webalizer Logfile Analysis module. If your system does not use Webalizer, it should be disabled in Virtualmin's module configuration page.

.. your system is not ready for use by Virtualmin.

Using GPL version, running CentOS5. I have tried disabling it but it doesn't change and just stays active.

Tue, 03/04/2008 - 12:29
Joe

You didn't mention if you installed via our install.sh script or not, which leaves a lot of questions in the air.

But, short answer: Install Webalizer ( yum install webalizer ), or disable it in the Module Configuration. (Pretty much exactly what the error says, but I don't know how else to put it--that's just what you need to do to make Virtualmin happy.)

Tue, 03/04/2008 - 12:31 (Reply to #2)
iLime

I used install.sh. I already installed it manually, made no change. Disabled it then I get a mysql not setup error, when I click the link it gives mysql is fine.

Wed, 07/09/2008 - 03:34
robpomeroy

Sorry to resurrect an aging thread, but I wondered if anyone has ironed out the SELinux issues with Webalizer yet? I'm seeing a similar SELinux alert on my CentOS 5 server, viz:

SELinux is preventing webalizer (webalizer_t) "search" to ./virtual-server (bin_t). ...

I am struggling to wrap my head around the issues raised by SELinux. Can anyone offer any advice? I have scoured the internet but not even the NSA's SELinux site has an answer. I suspect if I actually understood SELinux I'd be halfway to solving the problem, but as it is...

Incidentally, I suspect that this may be a problem that other newbies are experiencing ("Why aren't my stats working?!") but they haven't viewed the log files and identified the cause.

Some feedback: I only discovered VirtualMin in the last few days but have been delighted with it. I run a modest web development/media server at home and VirtualMin has done wonders to reduce all the tedious config file editing I used to do. Good job, and perfect for my needs! Thanks guys.

Sun, 06/07/2009 - 07:26 (Reply to #4)
andreychek

Well, first off, there is the option to disable SELinux. It provides an awesome level of security, but it can be a bit inflexible and add to the amount of time you spend getting things working.

So just as an option, if you wanted to disable it, or even just put it in permissive mode (which generates the errors without actually preventing things from working), you can set that here:

/etc/selinux/config

Of course, there are clear security advantages to running SELinux. So how do you keep using SELinux and get Webalizer to work?

Well, there should be actual error messages in /var/log/messages, along the lines of this:

avc: denied { search } for comm="webalizer" dev=dm-0 egid=0 euid=0 exe="/usr/bin/webalizer" exit=-2 fsgid=0 fsuid=0 gid=0 items=0 name="virtual-server" pid=3709 scontext=root:system_r:webalizer_t ...

It's possible to convert all the messages like that into allow rules that would get Webalizer up and running. You can do that manually once you have a grasp on what the above means, or until then there's a tool called audit2allow which can do that for you.

Some details on how to generate allow rules are here:

http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385

I hope that helps!
-Eric

Wed, 07/09/2008 - 22:30
robpomeroy

> Well, first off, there is the option to disable SELinux.

Yeah - I put it into permissive mode yesterday just until I get this sorted. Not entirely satisfactory though - amongst other reasons, I'm providing a bit of shared hosting on this box.

> It provides an awesome level of security, but it can be a bit inflexible and add to the amount of time you spend getting things working.

Agreed. When I first encountered SE a few years ago I just gave up! :D

> Some details on how to generate allow rules are here:
>
> http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385

Awesome; thanks for the pointer!

Wed, 07/09/2008 - 23:58 (Reply to #10)
robpomeroy

Follow-up:

Brilliant; I followed those instructions and it did the trick. Wonder if this is worth adding to the FAQ? Whilst I know it's not specifically a Virtualmin issue, it definitely appears to arise as a direct result of using Virtualmin + Webalizer on SELinux systems.

I'm delighted to be able to put SELinux back into "Enforcing" mode, so thanks again for your help Eric.

Thu, 07/10/2008 - 09:03 (Reply to #11)
andreychek

Great, I'm glad that worked!

What do you think would be valuable to have in a FAQ/documentation page regarding SELinux? Largely the link that describes how to create "allow" rules, or did you have anything else in mind too?
-Eric

Thu, 07/10/2008 - 19:55 (Reply to #12)
midol

There is a pretty good discussion of SELinux in Fedora over at lwn.net; see: http://lwn.net/Articles/288507/

Sun, 06/07/2009 - 07:26
robpomeroy

andreychek wrote:
> What do you think would be valuable to have in a FAQ/documentation page regarding SELinux? Largely the link that describes how to create "allow" rules, or did you have anything else in mind too?

From a practical point of view, it would be useful to have something that would turn up on search engines! Yes, a mention of that link would be handy, although I'm lairy of relying on external links which may die or go out of date.

How about, off the top of my head:

FAQ: Webalizer is not indexing sites. The system log shows an entry like 'SELinux is preventing /usr/bin/webalizer (webalizer_t) "search" to ./virtual-server (bin_t). For complete SELinux messages. run sealert -l [xxxxxxxxxxxxxxxxxxxx]'

Answer: Webalizer is attempting to collect statistics from your virtual sites, but SELinux is preventing this access. If you run "sealert -l [xxxxxxxxxxxxxxxxxxxx]" you will see a detailed (but not necessarily intelligible!) explanation along the following lines:

> Summary:
>
> SELinux is preventing webalizer (webalizer_t) "search" to ./virtual-server
> (bin_t).
>
> Detailed Description:
>
> SELinux denied access requested by webalizer. It is not expected that this access is required by webalizer and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./virtual-server,
>
> restorecon -v './virtual-server'
>
> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context        root:system_r:webalizer_t:SystemLow-SystemHigh
> Target Context        root:object_r:bin_t
> Target Objects        ./virtual-server [ dir ]
> Source                webalizer
> Source Path           /usr/bin/webalizer
> Port                  <Unknown>
> Host                  yourhost.local
> Source RPM Packages   webalizer-2.01_10-30.1
> Target RPM Packages
> Policy RPM            selinux-policy-2.4.6-137.el5
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Permissive
> Plugin Name           catchall_file
> Host Name             yourhost.local
> Platform              Linux yourhost.local 2.6.18-92.1.6.el5.centos.plus
>                       #1 SMP Thu Jun 26 12:25:59 EDT 2008 i686 i686
> Alert Count           3683
> First Seen            Thu Jul 3 11:38:06 2008
> Last Seen             Thu Jul 10 09:03:04 2008
> Local ID              xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
> Line Numbers
>
> Raw Audit Messages
>
> host=yourhost.local type=AVC msg=audit(1215676984.437:16247): avc: denied { search } for pid=9297 comm="webalizer" name="virtual-server" dev=hda1 ino=1244742 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=root:object_r:bin_t:s0 tclass=dir
>
> host=yourhost.local type=SYSCALL msg=audit(1215676984.437:16247): arch=40000003 syscall=195 success=no exit=-2 a0=805f74a a1=bfbd7ea0 a2=d40ff4 a3=3 items=0 ppid=9260 pid=9297 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2580 comm="webalizer" exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)

At the link referred to in this message (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) instructions are provided for creating a local policy allowing this particular action. Consider this a workaround until your Linux vendor/the webalizer team have produced an official policy module for SELinux/Virtualmin/Webalizer.

Alternatively you can disable SELinux or run it in permissive mode. This would of course have security implications.
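
The manual conversion mentioned earlier in the thread (reading an AVC denial and writing the matching allow rule), applied to the raw audit message in the post above. This is an added example, not part of the original thread and not audit2allow's own code; the function names are hypothetical and the SYSCALL line in the sample is shortened.

```python
import re
from collections import defaultdict

# AVC record copied from the post above; the SYSCALL line is shortened for the sample.
SAMPLE_LOG = '''host=yourhost.local type=AVC msg=audit(1215676984.437:16247): avc: denied { search } for pid=9297 comm="webalizer" name="virtual-server" dev=hda1 ino=1244742 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=root:object_r:bin_t:s0 tclass=dir
host=yourhost.local type=SYSCALL msg=audit(1215676984.437:16247): arch=40000003 syscall=195 success=no exit=-2 comm="webalizer" exe="/usr/bin/webalizer"
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed SELinux context: {context!r}')
    return parts[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no rule information
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
            continue  # truncated record: not enough to derive a rule
        yield (context_type(fields['scontext']), context_type(fields['tcontext']),
               fields['tclass'], m.group(1).split())

def allow_rules(log_text):
    """Merge denials into de-duplicated type-enforcement allow rules."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text):
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {perm_text};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The derived rule lets webalizer_t search every directory labelled bin_t, not only ./virtual-server, so read each generated rule before loading it into a local policy module. The sealert text above also suggests trying restorecon first, since a labeling problem needs no new rule at all.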

Fri, 07/11/2008 - 00:34
robpomeroy

midol wrote:
> There is a pretty good discussion of SELinux in Fedora over at lwn.net; see: http://lwn.net/Articles/288507/

Alas:
> The article you have tried to view (LWN.net Weekly Edition for July 10, 2008) is currently available to LWN subscribers only. Reader subscriptions are a necessary way to fund the continued existence of LWN and the quality of its content.

Mon, 07/14/2008 - 15:03 (Reply to #15)
sgrayban

I disable selinux on all servers I control -- it's useless and a pain to constantly work with.

There is no other distro that enables this by default other than centos/rhel/fedora and thank god for that too.

Mon, 07/14/2008 - 15:18
ronald

0o when i installed centos 5.1 it gave me 3 options after the initial reboot:
1: enable
2: permissive
3: disable

Topic locked