Mod-security (mlogc) problem

Arthur Dent misc.lists at blueyonder.co.uk
Wed Apr 7 14:23:55 UTC 2010


Hello all,

I believe in a multi-layered approach towards security, so as well as
SELinux I use Mod-Security to protect the web server on my F11 machine.

Recently I started using the ModSecurity Community Console to analyse
the mod-security denials. This requires using the mlogc logging
application that comes bundled with the mod_security-2.5.12-1.fc11.i586
package.

Now every time a mod-security denial is triggered I get 3 SEL AVCs
(currently in permissive mode while I sort this out). They say:

SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
If you want to change the file context of /var/run/pcscd.pid so that the
httpd daemon can access it, you need to execute it using chcon -t
httpd_sys_content_t '/var/run/pcscd.pid'.

A similar one for /var/run/pcscd.pub

and then one for:
SELinux is preventing the mlogc from using potentially mislabeled files
636F6F6C6B6579706B313173452D47617465203020302D30 (auth_cache_t). 

(Actual AVCs below)

If I try doing the chcon -t httpd_sys_content_t '/var/run/pcscd.xxx' as
recommended by sealert I only get the one with the strange filename each
time I get a mod-sec alert. However, now of course I get this:

SELinux denied access requested by certwatch. /var/run/pcscd.pub may be a mislabeled. /var/run/pcscd.pub default SELinux type is pcscd_var_run_t, but its current type is httpd_sys_content_t. Changing this file back to the default type, may fix your problem.
(and another one for .pid)

So I need to put the file context back to what it was using
restorecon....

Audit2allow suggests this:

require {
	type auth_cache_t;
	type httpd_t;
	type pcscd_var_run_t;
	class file { read write getattr open };
}

#============= httpd_t ==============
allow httpd_t auth_cache_t:file { read write };
allow httpd_t pcscd_var_run_t:file { read getattr open };

What do you think is the best solution to this problem?

Thanks in advance for any help or suggestions...

Mark

AVCs
====

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { read } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { open } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
node=troodos.org.uk type=SYSCALL msg=audit(1270480904.700:37928): arch=40000003 syscall=5 success=yes exit=10 a0=d348ea a1=0 a2=1b6 a3=d348e8 items=0 ppid=9643 pid=9674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270488357.977:38184): avc: denied { getattr } for pid=10531 comm="mlogc" path="/var/run/pcscd.pub" dev=sda5 ino=362221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
node=troodos.org.uk type=SYSCALL msg=audit(1270488357.977:38184): arch=40000003 syscall=195 success=yes exit=0 a0=d345ab a1=b64279ac a2=d1eff4 a3=3 items=0 ppid=9643 pid=10531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270488685.640:38200): avc: denied { read write } for pid=10661 comm="mlogc" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=sda5 ino=372384 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file 
node=troodos.org.uk type=SYSCALL msg=audit(1270488685.640:38200): arch=40000003 syscall=5 success=yes exit=12 a0=b5830dc0 a1=20002 a2=180 a3=b5830da8 items=0 ppid=10644 pid=10661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
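Added example (not from the post or from the audit tools): a small Python parser run over the four AVC records quoted above. It decodes the hex-encoded name= field (auditd hex-encodes a filename that contains spaces or unprintable bytes, which is why the third denial shows a "strange filename") and collapses the denials into audit2allow-style rules, so you can see which file is really being touched and exactly what the suggested allow would grant httpd_t before deciding whether to add it. The sample lines are embedded as a constructed list.

```python
import re

# Sample input: the four AVC records quoted in the post above (constructed list).
AVC_LINES = [
    'node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { read } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file',
    'node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { open } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file',
    'node=troodos.org.uk type=AVC msg=audit(1270488357.977:38184): avc: denied { getattr } for pid=10531 comm="mlogc" path="/var/run/pcscd.pub" dev=sda5 ino=362221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file',
    'node=troodos.org.uk type=AVC msg=audit(1270488685.640:38200): avc: denied { read write } for pid=10661 comm="mlogc" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=sda5 ino=372384 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s*\{([^}]*)\}')

def decode_name(raw):
    """auditd writes name= quoted, or as bare hex when the filename has spaces/unprintables."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    except ValueError:
        return raw  # not hex, e.g. (null)

def parse_avc(line):
    """Pull the permissions, decoded target name and SELinux types out of one type=AVC record."""
    if 'type=AVC' not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {
        'perms': PERMS_RE.search(line).group(1).split(),
        'name': decode_name(fields.get('name') or fields.get('path') or '""'),
        'stype': fields['scontext'].split(':')[2],  # e.g. httpd_t
        'ttype': fields['tcontext'].split(':')[2],  # e.g. pcscd_var_run_t
        'tclass': fields['tclass'],
    }

def allow_rules(lines):
    """Collapse denials into audit2allow-style rules keyed by (source, target, class); perms sorted."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec['stype'], rec['ttype'], rec['tclass'])
            rules.setdefault(key, set()).update(rec['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]

if __name__ == '__main__':
    for line in AVC_LINES:  # the hex name decodes to 'coolkeypk11sE-Gate 0 0-0'
        print(parse_avc(line)['name'])
    print('\n'.join(allow_rules(AVC_LINES)))
```

The two rules it prints match the audit2allow output quoted earlier in the post, apart from permission ordering.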
