Mlogc problem after upgrade to F13

Arthur Dent misc.lists at blueyonder.co.uk
Tue Aug 31 18:33:56 UTC 2010


On Sat, 2010-08-14 at 10:45 +0200, Dominick Grift wrote:
> On 08/14/2010 10:06 AM, Arthur Dent wrote:
> 
> > And this is what audit2allow makes of them...
> > 
> > require {
> > 	type mlogc_t;
> > }
> > 
> > #============= mlogc_t ==============
> > files_delete_root_dir_entry(mlogc_t)
> > files_delete_tmp_dir_entry(mlogc_t)
> > miscfiles_manage_cert_files(mlogc_t)
> > 
> > 
> > Should I add these to the above policy, or is there some other way?
> > 
> > Thanks in advance for any help or suggestions...
> > 
> > Mark
> > 
> 
> There are some issues:
> 
> 1. I would go here:
> https://lists.sourceforge.net/lists/listinfo/mod-security-users and ask
> if it is normal that mlogc writes to certificate databases. It's trying
> to write to files like: cert9.db, key4.db.

OK - Sorry it's taken a while to get back to this - but I had the
discussion over on the mod-sec list, had to set up a strace and send the
strace log.

This is what Brian Rectanus had to say having analysed the strace log:

====================8<=================================================

Looking at the strace logs, it first tries to open those files
read/write, but cannot, so it resorts to read only access.  I do not
see any calls to write to those files, though:

14612 open("/etc/pki/nssdb/key4.db", O_RDWR|O_CREAT|O_LARGEFILE, 0644)
= -1 EACCES (Permission denied)
14612 open("/etc/pki/nssdb/key4.db", O_RDONLY|O_LARGEFILE) = 11

14612 open("/etc/pki/nssdb/cert9.db", O_RDWR|O_CREAT|O_LARGEFILE,
0644) = -1 EACCES (Permission denied)
14612 open("/etc/pki/nssdb/cert9.db", O_RDONLY|O_LARGEFILE) = 8

I imagine that those attempts at opening read/write are what is
triggering selinux.  This is the curl library accessing these files for
certificate verification (via mozilla's NSS library).  They are sqlite
DBs.  I am not sure why it is trying to access them read/write,
though.  It looks like NSS support was added to curl with version
7.19.7.  If it is a problem (and it may be), then you will probably
have to take it up with curl folks.  However, they will probably tell
you it is a libnss issue :)

Sorry I cannot help more.

-B

====================8<=================================================

Well - Where does that leave me?

Mark
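For anyone reading this thread later: the check Brian did by eye (a write-capable open() that fails with EACCES, followed by a successful O_RDONLY open and no write() calls on that file) can be scripted. The following is an added example and not code from the thread, from mlogc or from curl. The SAMPLE_STRACE text is constructed: its first four lines are modelled on the strace excerpt quoted above, while the /tmp/example-output.log open and the write() on it are invented here so that a genuine write shows up next to the harmless fallback.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the strace excerpt quoted in the thread.
# Lines are deliberately wrapped the way they were when pasted into mail.
# The /tmp/example-output.log open and the write() on fd 9 are invented
# here to contrast a real write with the read-only fallback.
SAMPLE_STRACE = """\
14612 open("/etc/pki/nssdb/key4.db", O_RDWR|O_CREAT|O_LARGEFILE, 0644)
= -1 EACCES (Permission denied)
14612 open("/etc/pki/nssdb/key4.db", O_RDONLY|O_LARGEFILE) = 11
14612 open("/etc/pki/nssdb/cert9.db", O_RDWR|O_CREAT|O_LARGEFILE,
0644) = -1 EACCES (Permission denied)
14612 open("/etc/pki/nssdb/cert9.db", O_RDONLY|O_LARGEFILE) = 8
14612 open("/tmp/example-output.log", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0644) = 9
14612 write(9, "constructed payload", 19) = 19
"""

OPEN_RE = re.compile(
    r'^(?P<pid>\d+) open\("(?P<path>[^"]+)", (?P<flags>[A-Z_|]+)'
    r'(?:, (?P<mode>0[0-7]*))?\) = (?P<ret>-?\d+)(?: (?P<errno>E[A-Z]+))?'
)
WRITE_RE = re.compile(r'^(?P<pid>\d+) write\((?P<fd>\d+), .*\) = (?P<ret>-?\d+)')


def join_wrapped(text):
    """Re-join strace lines that were wrapped when pasted into mail.
    A real strace line starts with a PID; anything else continues the
    previous line."""
    lines = []
    for raw in text.splitlines():
        if re.match(r'^\d+ ', raw):
            lines.append(raw.rstrip())
        elif lines:
            lines[-1] = lines[-1] + " " + raw.strip()
    return lines


def analyze(text):
    """Per path: was a write-capable open denied, did a read-only open
    follow, and how many bytes were actually written through a file
    descriptor that had been opened for writing."""
    report = defaultdict(lambda: {"write_open_denied": False,
                                  "readonly_fallback": False,
                                  "bytes_written": 0})
    writable_fds = {}  # (pid, fd) -> path, for opens that succeeded with write access
    for line in join_wrapped(text):
        m = OPEN_RE.match(line)
        if m:
            flags = set(m["flags"].split("|"))
            wants_write = bool(flags & {"O_RDWR", "O_WRONLY"})
            ret = int(m["ret"])
            entry = report[m["path"]]
            if wants_write and ret < 0:
                entry["write_open_denied"] = True
            elif wants_write:
                writable_fds[(m["pid"], m["ret"])] = m["path"]
            elif entry["write_open_denied"] and ret >= 0:
                # Read-only open after a denied write-open: the fallback Brian described.
                entry["readonly_fallback"] = True
            continue
        m = WRITE_RE.match(line)
        if m:
            path = writable_fds.get((m["pid"], m["fd"]))
            if path is not None and int(m["ret"]) > 0:
                report[path]["bytes_written"] += int(m["ret"])
    return dict(report)


def classify(entry):
    """Human-readable verdict for one path's report entry."""
    if entry["bytes_written"] > 0:
        return "written"
    if entry["write_open_denied"] and entry["readonly_fallback"]:
        return "write-open denied, read-only fallback, no writes"
    if entry["write_open_denied"]:
        return "write-open denied, no fallback observed"
    return "opened, no writes"


if __name__ == "__main__":
    for path, entry in sorted(analyze(SAMPLE_STRACE).items()):
        print(f"{path}: {classify(entry)}")
```

Run against a real strace log (strace -f -e trace=open,write -o mlogc.strace ...), the verdict per path separates the nssdb files, where the process asked for read/write, was refused, and then carried on read-only without ever writing, from files that were actually written. That is the distinction that matters when deciding what to make of the AVC messages audit2allow turned into rules.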
