Mod-security (mlogc) problem

Arthur Dent misc.lists at blueyonder.co.uk
Wed Apr 7 21:23:24 UTC 2010


On Wed, 2010-04-07 at 23:01 +0200, Dominick Grift wrote:
> On Wed, Apr 07, 2010 at 09:51:24PM +0100, Arthur Dent wrote:
> > On Wed, 2010-04-07 at 22:26 +0200, Dominick Grift wrote:
> > > On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> > > > On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > > > > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > > > > Hello all,
> > > > > > 
> > > > > > 
> > > > Have I missed something or misunderstood something?
> > > 
> > > Yes, it seems that the domain transition did not happen. Are the modules installed:
> > > 
> > > semodule -l | grep myapache
> > > semodule -l | grep mlogc
> > 
> > # semodule -l | grep myapache
> > myapache	1.0.0
> > 
> > # semodule -l | grep mlogc
> > mlogc	1.0.0
> > 
> > 
> > > Is the context of mlogc executable file proper?
> > > 
> > > ls -alZ /usr/bin/mlogc
> > 
> > # ls -alZ /usr/bin/mlogc
> > -rwxr-xr-x. root root system_u:object_r:mlogc_exec_t:s0 /usr/bin/mlogc
> > 
> > > Something seems to have gone not as planned
> > 
> > Well all of that seems OK - I'm not sure why it's not working?
> > 
> > Thanks for your help so far though - it's much appreciated...
> 
> You could try to remove the optional_policy(` tag and its closing ') tag; that might expose any errors if you build without those.
> 
> Can you paste your modules, so that I can review them?

# cat mlogc.te 
policy_module(mlogc, 1.0.0)

type mlogc_t;
type mlogc_exec_t;
application_domain(mlogc_t, mlogc_exec_t)

role system_r types mlogc_t;
permissive mlogc_t;

####################################################################

# cat mlogc.fc 
/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t, s0)


####################################################################

# cat mlogc.if 
## <summary>The ModSecurity Log Collector</summary>

########################################
## <summary>
##      Execute MLOGC in the MLOGC domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`mlogc_domtrans',`
        gen_require(`
                type mlogc_t, mlogc_exec_t;
        ')

        corecmd_search_bin($1)
        domtrans_pattern($1, mlogc_exec_t, mlogc_t)
')

####################################################################

# cat myapche.te 
policy_module(myapache, 1.0.0)
optional_policy(`
        gen_require(`
                type httpd_t;
        ')

        mlogc_domtrans(httpd_t)
')

####################################################################


Is that right?

Thanks again. I do appreciate your help.


Mark
