Mod-security (mlogc) problem

Arthur Dent misc.lists at blueyonder.co.uk
Thu Apr 8 14:50:17 UTC 2010


On Thu, 2010-04-08 at 16:09 +0200, Dominick Grift wrote:

> > Done all that...
> 
> I hope you noticed the typo i made here:
> 
> was:
> logging_log_file(mlogc_var_log_t;
> 
> should be:
> logging_log_file(mlogc_var_log_t)

Yes, I caught that one. By the way, is a semicolon required after every
line?

> 
> > 
> > > > I think most of that is self-explanatory. Note especially the ConsoleURI
> > > > "https://127.0.0.1:8888/rpc/auditLogReceiver" directive. This punts the
> > > > alerts into the Console which listens on port 8888, and this is the
> > > > answer to one of your later questions.
> > > 
> > > I think we should also confine this "server". Which package includes this? What is the name/location of the executable file for this service?
> > 
> > OK - It's called modsecurity-console and it's located in /usr/local/bin
> > - but it's actually linked to /opt
> 
> What runs it? You, the user, or is it an init daemon?

Yes, at the moment I start it manually or with a cron job
(@reboot /usr/local/bin/modsecurity-console start), although I was
planning to make an init.d script for it, given time.

> 
> Since it is using odd paths I assume there is no Red Hat RPM?

No, this is an RPM, but from Breach Security - the authors. I also
installed it from source previously.

> > 
> > # ll /usr/local/bin/modsecurity-console 
> > lrwxrwxrwx. 1 root root 44 2010-04-04 11:23 /usr/local/bin/modsecurity-console -> /opt/modsecurity-console/modsecurity-console
> > 
> > > > 
> > > > Note however that I am also experimenting with another Console app (also
> > > > Java based, which does exactly the same thing in the same way) but in
> > > > this case listens on port 8443.
> > > > 
> > > > > 
> > > > > I am thinking about creating a file type transition from the generic log files type or httpd log files type to a mlogc log files type to be created by us.
> > > > > This will benefit security as:
> > > > > 
> > > > > 1. Hopefully mlogc_t will no longer need to manage files with type httpd_log_t.
> > > > > 2. httpd_t (mod_security) will no longer need to create directories with type httpd_log_t and will no longer need to write to files with type httpd_log_t.
> > > > > 
> > > > > We must try to find the best solution to the above security issue so again: two questions:
> > > > > 
> > > > > 1. does mod_security (maybe its configuration file) allow us to specify a location to store mod_security log files?
> > > > > 2. if the answer to 1. is no, then can you tell me which directories in /var/log/httpd are used (owned) by mod_security for logging?
> > > > 
> > > > The answer to 1 is yes as you can see above.
> > > > > 
> > > > > > Raw Audit Messages :
> > > > > > 
> > > > > > node=troodos.org.uk type=AVC msg=audit(1270679720.128:45085): avc: denied { name_connect } for pid=1869 comm="mlogc" dest=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 
> > > > > > node=troodos.org.uk type=SYSCALL msg=audit(1270679720.128:45085): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=b62fa910 a2=4cb9a8 a3=0 items=0 ppid=937 pid=1869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> > > > > 
> > > > > The mlogc program tries to tcp network connect to port 8888, which currently is labeled with a generic port type.
> > > > > 
> > > > > 1. Why is it connecting to the network?
> > > > > 2. What is listening on tcp:8888 on the other side?
> > > > 
> > > > That's the Console app as described above.
> > > > 
> > > > > 
> > > > > We have to find some answers before we can start implementing a proper solution.
> > > > 
> > > > [snip]
> > > > 
> > > > > The above denials were what actually caused your issue in the first place. The only difference now is that instead of httpd_t, now mlogc_t needs the access.
> > > > > 
> > > > > Add the following to your mlogc.te file:
> > > > > 
> > > > > pcscd_read_pub_files(mlogc_t)
> > > > > 
> > > > > That should allow mlogc_t to read pcscd pid files.
> > > > 
> > > > Done that - thanks..
> > > > 
> > > > > 
> > > > > > 
> > > > > > 
> > > > > > And as I was copying the above, this one came in...
> > > > > > 
> > > > > > Raw Audit Messages :
> > > > > > 
> > > > > > node=troodos.org.uk type=AVC msg=audit(1270680011.472:45102): avc: denied { dac_override } for pid=952 comm="mlogc" capability=1 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=capability 
> > > > > > node=troodos.org.uk type=SYSCALL msg=audit(1270680011.472:45102): arch=40000003 syscall=5 success=yes exit=6 a0=b76fd170 a1=82c1 a2=1b6 a3=856 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> > > > > > 
> > > > > > 
> > > > > 
> > > > > The above means that root/mlogc is overriding traditional security. For example, accessing a location not owned by root. We should figure out which location it is that mlogc tries to access that is not owned by root. Once we determine this, we can make the right security decision.
> > > > > 
> > > > > 
> > > > > Now we are getting into the harder aspect of writing policy. 
> > > > > Writing a template for a new domain and just allowing access is not so hard. 
> > > > > What is harder is: making solid security decisions. 
> > > > > 
> > > > > 
> > > > > What is it doing
> > > > > why is it doing it
> > > > > who is doing it to who
> > > > > Is this a threat
> > > > > why is it a threat
> > > > > how can we neutralize it?
> > > > > 
> > > > > fun!
> > > > 
> > > > For you maybe ;)
> > > > 
> > > > OK - I hope the above helps...
> > > > 
> > > > By the way since my last message I have had another 71 AVCs - too many
> > > > to post, and doubtless many duplicates, but here is what audit2allow has
> > > > to say about them:
> > > > 
> > > > # ausearch -m AVC -ts today | audit2allow -R
> > > > 
> > > > require {
> > > > 	type mlogc_t;
> > > > 	type httpd_t;
> > > > 	class capability { sys_nice dac_override };
> > > > 	class process { setsched signal getsched };
> > > > 	class sem { read write create unix_write destroy };
> > > > }
> > > > 
> > > > #============= httpd_t ==============
> > > > allow httpd_t mlogc_t:process signal;
> > > 
> > > Ignore this for now, we might add it later.
> > > 
> > > > 
> > > > #============= mlogc_t ==============
> > > > allow mlogc_t self:capability { sys_nice dac_override };
> > > 
> > > Did you figure out which location not owned by root mlogc is trying to access?
> > > For the moment let's ignore these.
> > > 
> > > > allow mlogc_t self:process { setsched getsched };
> > > 
> > > The above can be added to mlogc.te
> > > 
> > > > allow mlogc_t self:sem { read write create unix_write destroy };
> > > 
> > > Ignore for now
> > > 
> > > > files_rw_etc_files(mlogc_t)
> 
> The files_rw_etc_files(mlogc_t) is bad; if you added it, please remove it.

Nope. You didn't tell me to add it so I didn't. I only do what I'm
told ;)

> 
> instead add the following to mlogc.te:
> 
> type mlogc_etc_t;
> files_config_file(mlogc_etc_t)
> read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
> files_search_etc(mlogc_t)

Done.

> And add to mlogc.fc:
> 
> /etc/mlogc.conf -- gen_context(system_u:object_r:mlogc_etc_t, s0)

Done.


> > Having done all that (including moving mlogc back to /var/log/mlogc)
> > these are the current AVCs (18 of them) since making the above changes:
> > 
> > # ausearch -m AVC -ts recent | audit2allow -R
> > 
> > require {
> > 	type var_log_t;
> > 	type httpd_log_t;
> > 	type pcscd_t;
> > 	type httpd_t;
> > 	type mlogc_t;
> > 	class capability dac_override;
> > 	class unix_stream_socket connectto;
> > 	class sem { read write unix_write };
> > 	class file { write rename unlink };
> > 	class dir create;
> > }
> > 
> > #============= httpd_t ==============
> > allow httpd_t httpd_log_t:file write;
> > allow httpd_t var_log_t:dir create;
> 
> ignore above for now
> 
> > 
> > #============= mlogc_t ==============
> > allow mlogc_t httpd_log_t:file { rename unlink };
> > allow mlogc_t pcscd_t:unix_stream_socket connectto;
> > allow mlogc_t self:capability dac_override;
> > allow mlogc_t self:sem { read write unix_write };
> > corenet_tcp_connect_generic_port(mlogc_t)
> 
> ignore above for now.
> 
> > dev_read_urand(mlogc_t)
> 
> add above to mlogc.te

Done.

> > files_list_tmp(mlogc_t)
> 
> ignore above for now. Need to figure out why it's listing tmp; what is it hoping to list?
> 
> > files_read_usr_symlinks(mlogc_t)
> 
> Not sure why it wants the above but it's harmless, so can add it to mlogc.te for now

Done.

> > files_rw_etc_files(mlogc_t)
> 
> This is a bug in audit2allow. We added proper rules above so ignore this.
> 
> > miscfiles_read_certs(mlogc_t)
> > pcscd_stream_connect(mlogc_t)
> 
> The above can be added to mlogc.te

Done.


OK - Let's see what that brings...

Oops:
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted mlogc module
/usr/bin/checkmodule:  loading policy configuration from tmp/mlogc.tmp
mlogc.te":16:ERROR 'unknown type mlogc_etc_t' at token ';' on line 3828:
	typeattribute mlogc_etc_t etcfile;
#line 16
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/mlogc.mod] Error 1

Is this the problem?
read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
2 x mlogc_etc_t ? Should that be something else or just 1 x ?

Here is the current mlogc.te

# cat mlogc.te 
policy_module(mlogc, 1.0.3)

type mlogc_t;
type mlogc_exec_t;
type mlogc_var_log_t;

logging_log_file(mlogc_var_log_t);
logging_log_filetrans(mlogc_t, mlogc_var_log_t, { dir file })
application_domain(mlogc_t, mlogc_exec_t);
role system_r types mlogc_t;
permissive mlogc_t;
manage_dirs_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
manage_files_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
files_search_etc(mlogc_t)
files_config_file(mlogc_etc_t)
files_read_usr_symlinks(mlogc_t)
pcscd_read_pub_files(mlogc_t);
pcscd_stream_connect(mlogc_t)
miscfiles_read_localization(mlogc_t)
miscfiles_read_certs(mlogc_t)
dev_read_urand(mlogc_t)
#apache_manage_log(mlogc_t);

allow mlogc_t self:tcp_socket create_socket_perms;
allow mlogc_t self:udp_socket create_socket_perms;
allow mlogc_t self:netlink_route_socket create_netlink_socket_perms;
allow mlogc_t self:process { setsched getsched };
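As an added check (not code from the thread or from the SELinux reference policy): the checkmodule error above means mlogc_etc_t is referenced by read_files_pattern and files_config_file but never declared, because the `type mlogc_etc_t;` line from the quoted reply is not in the file shown, while passing mlogc_etc_t twice to read_files_pattern (directory type, then file type) is fine. The script below reports such undeclared or un-required types before make is run; the sample policy is constructed, modelled on the posted mlogc.te.

```python
import re

# Constructed sample modelled on the posted mlogc.te (not the file itself):
# mlogc_etc_t is used in interface calls but never declared with `type`.
SAMPLE_TE = """\
policy_module(mlogc, 1.0.3)

type mlogc_t;
type mlogc_exec_t;
type mlogc_var_log_t;

logging_log_file(mlogc_var_log_t)
application_domain(mlogc_t, mlogc_exec_t)
role system_r types mlogc_t;
manage_files_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
files_config_file(mlogc_etc_t)
#apache_manage_log(mlogc_t);  commented out, so apache_log_t is not reported
allow mlogc_t self:process { setsched getsched };
"""

# `type foo_t;` lines: the module's own declarations and those in require blocks
TYPE_DECL = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)", re.M)
REQUIRE_BLOCK = re.compile(r"gen_require\(`(.*?)'\)|require\s*\{(.*?)\}", re.S)
REQ_TYPES = re.compile(r"\btype\s+([^;]+);")
# any identifier ending in _t, i.e. a type name used in a rule or interface call
TYPE_USE = re.compile(r"\b[A-Za-z0-9_]+_t\b")

def strip_comments(text):
    """Drop everything after '#' on each line so commented-out rules are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def declared_types(text):
    """Types the module owns plus types it imports through require/gen_require."""
    known = set(TYPE_DECL.findall(text))
    for m in REQUIRE_BLOCK.finditer(text):
        for decl in REQ_TYPES.findall(m.group(1) or m.group(2) or ""):
            known.update(t.strip() for t in decl.split(","))
    return known

def undeclared_types(te_text):
    """Return *_t names referenced in the module but neither declared nor required."""
    text = strip_comments(te_text)
    return set(TYPE_USE.findall(text)) - declared_types(text)

if __name__ == "__main__":
    for name in sorted(undeclared_types(SAMPLE_TE)):
        print(f"undeclared type: {name}")   # prints: undeclared type: mlogc_etc_t
```

It only catches missing declarations; checkmodule remains the authority on everything else in the module.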
