Mod-security (mlogc) problem

Dominick Grift domg472 at gmail.com
Wed Apr 7 15:31:31 UTC 2010


On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> Hello all,
> 
> I believe in a multi-layered approach towards security, so as well as
> SELinux I use Mod-Security to protect the web server on my F11 machine.
> 
> Recently I started using the ModSecurity Community Console to analyse
> the mod-security denials. This requires using the mlogc logging
> application that comes bundled with the mod_security-2.5.12-1.fc11.i586
> package.
> 
> Now every time a mod-security denial is triggered I get 3 SEL AVCs
> (currently in permissive mode while I sort this out). They say:
> 
> SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
> If you want to change the file context of /var/run/pcscd.pid so that the
> httpd daemon can access it, you need to execute it using chcon -t
> httpd_sys_content_t '/var/run/pcscd.pid'.
> 
> A similar one for /var/run/pcsd.pub
> 
> and then one for:
> SELinux is preventing the mlogc from using potentially mislabeled files
> 636F6F6C6B6579706B313173452D47617465203020302D30 (auth_cache_t). 
> 
> (Actual AVCs below)
> 
> If I try doing the chcon -t httpd_sys_content_t '/var/run/pcscd.xxx' as
> recommended by sealert I only get the one with the strange filename each
> time I get a mod-sec alert. However, now of course I get this:
> 
> SELinux denied access requested by certwatch. /var/run/pcscd.pub may be a mislabeled. /var/run/pcscd.pub default SELinux type is pcscd_var_run_t, but its current type is httpd_sys_content_t. Changing this file back to the default type, may fix your problem.
> (and another one for .pid)
> 
> So I need to put the file context back to what it was using
> restorecon....
> 
> Audit2allow suggests this:
> 
> require {
> 	type auth_cache_t;
> 	type httpd_t;
> 	type pcscd_var_run_t;
> 	class file { read write getattr open };
> }
> 
> #============= httpd_t ==============
> allow httpd_t auth_cache_t:file { read write };
> allow httpd_t pcscd_var_run_t:file { read getattr open };
> 
> What do you think is the best solution to this problem?

Does it work when you allow those access vectors? Either way, I would set up
a domain transition from apache to a new clogd domain and allow this clogd
domain the access it requires. I prefer this over extending the httpd_t
domain to allow this access.

> 
> Thanks in advance for any help or suggestions...
> 
> Mark
> 
> AVCs
> ====
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { read } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
> node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { open } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270480904.700:37928): arch=40000003 syscall=5 success=yes exit=10 a0=d348ea a1=0 a2=1b6 a3=d348e8 items=0 ppid=9643 pid=9674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270488357.977:38184): avc: denied { getattr } for pid=10531 comm="mlogc" path="/var/run/pcscd.pub" dev=sda5 ino=362221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270488357.977:38184): arch=40000003 syscall=195 success=yes exit=0 a0=d345ab a1=b64279ac a2=d1eff4 a3=3 items=0 ppid=9643 pid=10531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270488685.640:38200): avc: denied { read write } for pid=10661 comm="mlogc" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=sda5 ino=372384 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270488685.640:38200): arch=40000003 syscall=5 success=yes exit=12 a0=b5830dc0 a1=20002 a2=180 a3=b5830da8 items=0 ppid=10644 pid=10661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 



> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

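The reply above recommends a private domain for mlogc, reached by a transition from httpd_t, instead of widening httpd_t. The following is an added example (not from this thread, and not ModSecurity's or Fedora's own policy) of what that looks like, plus a small helper for the "strange filename" in the third AVC: the kernel hex-encodes a name= field when the filename contains a space or other special character, and 636F6F6C6B6579706B313173452D47617465203020302D30 decodes to "coolkeypk11sE-Gate 0 0-0", a coolkey PKCS#11 cache file (those live under auth_cache_t). A likely explanation, not established by the thread, is that mlogc's HTTP library loads the coolkey smart-card module, which in turn reads pcscd's files under /var/run. The domain and type names (mlogc_t, mlogc_exec_t) and the function names are this example's own choices. The two allow rules reproduce exactly the access the posted AVCs show and nothing more; a real mlogc domain will need further rules (its audit log files, network access to the console) that the thread does not show, which the commented-out permissive line lets you collect before enforcing.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ModSecurity/SELinux projects.
#   audit_decode_name  - turn the name= field of an AVC record into the literal name
#   write_mlogc_policy - emit a reference-policy module confining mlogc in mlogc_t
#   load_mlogc_policy  - build and install it (needs selinux-policy-devel; not run here)

# name= is double-quoted when printable, otherwise hex-encoded (no quotes).
audit_decode_name() {
    name=$1
    case $name in
        \"*\")
            name=${name#\"}
            printf '%s\n' "${name%\"}"
            return 0
            ;;
    esac
    out=''
    while [ -n "$name" ]; do
        rest=${name#??}          # everything after the first hex pair
        pair=${name%"$rest"}     # the first hex pair itself
        name=$rest
        # printf '%o' maps 0xHH to an octal escape that printf can print
        out="$out$(printf "\\$(printf '%o' "0x$pair")")"
    done
    printf '%s\n' "$out"
}

# Write mlogc.te and mlogc.fc into $1 (default: current directory).
write_mlogc_policy() {
    dir=${1:-.}
    cat > "$dir/mlogc.te" <<'EOF'
policy_module(mlogc, 1.0.0)

require {
    type httpd_t;
    type pcscd_var_run_t;
    type auth_cache_t;
}

# Private domain for /usr/bin/mlogc (names are this example's assumption).
type mlogc_t;
type mlogc_exec_t;
application_domain(mlogc_t, mlogc_exec_t)
role system_r types mlogc_t;

# httpd_t executes /usr/bin/mlogc and lands in mlogc_t instead of staying in httpd_t.
domtrans_pattern(httpd_t, mlogc_exec_t, mlogc_t)

# Exactly the access the posted AVCs show, granted to mlogc_t rather than httpd_t.
allow mlogc_t pcscd_var_run_t:file read_file_perms;   # /var/run/pcscd.pid, pcscd.pub
allow mlogc_t auth_cache_t:file rw_file_perms;        # the coolkey cache file

# Uncomment while developing: further denials are logged but not enforced.
# permissive mlogc_t;
EOF
    cat > "$dir/mlogc.fc" <<'EOF'
/usr/bin/mlogc    --    gen_context(system_u:object_r:mlogc_exec_t,s0)
EOF
}

# Build, install and relabel the entry point. Requires selinux-policy-devel.
load_mlogc_policy() {
    dir=${1:-.}
    ( cd "$dir" \
      && make -f /usr/share/selinux/devel/Makefile mlogc.pp \
      && semodule -i mlogc.pp \
      && restorecon -v /usr/bin/mlogc )
}

# Demonstration on the two name= values from the AVCs in this thread.
audit_decode_name '"pcscd.pid"'
audit_decode_name 636F6F6C6B6579706B313173452D47617465203020302D30
policy_dir=$(mktemp -d)
write_mlogc_policy "$policy_dir"
echo "policy module written to $policy_dir (run: load_mlogc_policy $policy_dir)"
```

After loading the module, a fresh ModSecurity alert should produce no httpd_t denials for mlogc; any new AVCs will carry scontext mlogc_t, and `ausearch -c mlogc --raw | audit2allow -R` then suggests interface calls to add to mlogc.te rather than raw allow rules on httpd_t.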