Mod-security (mlogc) problem

Thu Apr 8 16:10:06 UTC 2010

On Thu, Apr 08, 2010 at 04:53:59PM +0100, Arthur Dent wrote:
> On Thu, 2010-04-08 at 17:24 +0200, Dominick Grift wrote:
> 
> > > When I switched back to /var/log/ I forgot to redo the restorecon.
> > > Sorry. Is that the reason?
> > 
> > May well be , yes .
> > see if you can reproduce.
> > also restorecon /etc/mlogc.conf
> 
> OK - With all that done, here are the latest AVCs:
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740296.844:47355): avc: denied { dac_override } for pid=10883 comm="mlogc" capability=1 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=capability 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740296.844:47355): arch=40000003 syscall=5 success=yes exit=6 a0=b772f170 a1=82c1 a2=1b6 a3=856 items=0 ppid=10852 pid=10883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740436.982:47360): avc: denied { unix_write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem 
> node=troodos.org.uk type=AVC msg=audit(1270740436.982:47360): avc: denied { read write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740436.982:47360): arch=40000003 syscall=117 success=yes exit=0 a0=1 a1=698012 a2=1 a3=0 items=0 ppid=10852 pid=10883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740436.982:47360): avc: denied { unix_write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem 
> node=troodos.org.uk type=AVC msg=audit(1270740436.982:47360): avc: denied { read write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740436.982:47360): arch=40000003 syscall=117 success=yes exit=0 a0=1 a1=698012 a2=1 a3=0 items=0 ppid=10852 pid=10883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { write } for pid=10876 comm="httpd" name="20100408" dev=sda5 ino=492622 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { create } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740627.436:47371): arch=40000003 syscall=39 success=yes exit=0 a0=2d01a18 a1=1e8 a2=84a1e4 a3=2d019c0 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { write } for pid=10876 comm="httpd" name="20100408" dev=sda5 ino=492622 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { create } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740627.436:47371): arch=40000003 syscall=39 success=yes exit=0 a0=2d01a18 a1=1e8 a2=84a1e4 a3=2d019c0 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { write } for pid=10876 comm="httpd" name="20100408" dev=sda5 ino=492622 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { create } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740627.436:47371): arch=40000003 syscall=39 success=yes exit=0 a0=2d01a18 a1=1e8 a2=84a1e4 a3=2d019c0 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-1630" dev=sda5 ino=496009 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { create } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" dev=sda5 ino=496011 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740627.461:47372): arch=40000003 syscall=5 success=yes exit=19 a0=2d019c0 a1=8241 a2=1a0 a3=836 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-1630" dev=sda5 ino=496009 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { create } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" dev=sda5 ino=496011 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740627.461:47372): arch=40000003 syscall=5 success=yes exit=19 a0=2d019c0 a1=8241 a2=1a0 a3=836 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-1630" dev=sda5 ino=496009 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { create } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" dev=sda5 ino=496011 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740627.461:47372): arch=40000003 syscall=5 success=yes exit=19 a0=2d019c0 a1=8241 a2=1a0 a3=836 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-1630" dev=sda5 ino=496009 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { create } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file 
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" dev=sda5 ino=496011 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270740627.461:47372): arch=40000003 syscall=5 success=yes exit=19 a0=2d019c0 a1=8241 a2=1a0 a3=836 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> 
> # ausearch -m AVC -ts recent | audit2allow -R
> 
> require {
> 	type mlogc_var_log_t;
> 	type mlogc_t;
> 	type httpd_t;
> 	class capability dac_override;
> 	class sem { read write unix_write };
> 	class dir { write create add_name };
> 	class file { write create };
> }
> 
> #============= httpd_t ==============
> allow httpd_t mlogc_var_log_t:dir { write create add_name };
> allow httpd_t mlogc_var_log_t:file { write create };

Alright lets try and wrap this up. So heat mod_security(httpd_t) wants to manage mlogc log files.
We (mlogc) should facilitate this interaction.

That means we should create an "mlogc_manage_log" interface in our mlogc.if file, and call that interface for httpd_t in our myapache.te file.

I am going to ignore the fact that it is writing to the logfile. This might be a bug in mod_security or mlogc but we'll just allow it.

Add this to mlogc.if:

########################################
## <summary>
##	Manage mlogc log content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mlogc_manage_log',`
	gen_require(`
		type mlogc_var_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, mlogc_var_log_t, mlogc_var_log_t)
	manage_files_pattern($1, mlogc_var_log_t, mlogc_var_log_t)
	read_lnk_files_pattern($1, mlogc_var_log_t, mlogc_var_log_t)
')

Next: in myapache.te call the interface for httpd_t:

mlogc_manage_log(httpd_t)

> 
> #============= mlogc_t ==============
> allow mlogc_t self:capability dac_override;
> allow mlogc_t self:sem { read write unix_write };

Add the following to mlogc.te:

allow mlogc_t self:capability { sys_nice dac_override };
allow mlogc_t self:sem rw_sem_perms;

> [root at troodos mlogc]# restorecon /etc/mlogc.conf
> 
> 

We still havent figured out why it needs dac_override but oh well..
Also seems it does not want to list /tmp anymore?

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100408/8ae3e575/attachment.bin 