Mod-security (mlogc) problem

Dominick Grift domg472 at gmail.com
Fri Apr 9 15:10:39 UTC 2010 

On Fri, Apr 09, 2010 at 03:23:34PM +0100, Arthur Dent wrote:
> Hi Dominick,
> 
> I'm sorry to bother you again, but everything seems to be going just
> fine since the last lot of policy updates, so I decided to move into the
> next phase of my project.
> 
> You're going to hate me for this...
> 
> What I have is a Mod-Sec rule that detects a particular kind of attack;
> when detected it identifies the IP address of the attacker and (using
> the modsec "exec" function) passes this to a script.
> 
> During our recent exchange I was using this rule for testing, but for
> now all the script does is write the IP address into a file. (This
> worked by the way).
> 
> Now for the next part. Instead of writing it to a file I want to ban the
> IP in iptables using a feature of the fail2ban application which I also
> have running on this machine.
> 
> The script uses the following command:
> fail2ban-client set modsec banip $IP
> touch -c /var/log/httpd/modsec_audit.log
> 
> where $IP is the IP address passes from mod-sec, the "banip" is a
> argument of the fail2ban-client app which initiates a manual banning of
> the IP and "modsec" is the name of the "jail" (in fail2ban parlance) to
> be activated for this IP.
> 
> The "touch" command is necessary to trick fail2ban into thinking that
> the log file it is monitoring has been updated and thus needs to wake
> itself and take action.
> 
> Putting all this together now gives me this (single) avc when testing:
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270821681.36:50303): avc: denied { search } for pid=30224 comm="fail2ban-client" name="fail2ban" dev=sda5 ino=476186 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir 
> node=troodos.org.uk type=SYSCALL msg=audit(1270821681.36:50303): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa9b0e0 a2=b6810c a3=b76fb2c8 items=0 ppid=30222 pid=30224 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="fail2ban-client" exe="/usr/bin/python" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> 
> How best to handle this?

I am not sure if i understand how that goes. From the avc denials above i can tell that fail2ban-client runs in the httpd_t domain. That means mlogc is not running it but some process in the httpd_t domain.

What runs the script?


> 
> I am writing this from behind the sofa, out of range of beer bottles
> hurled from the Netherlands.
> 
> Thanks!
> 
> Mark
> 
> 
> 
> 



> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100409/a45b10f5/attachment.bin

More information about the selinux mailing list