On Wed, Apr 07, 2010 at 11:01:53PM +0100, Arthur Dent wrote:
On Wed, 2010-04-07 at 23:35 +0200, Dominick Grift wrote:
>
> Yes, looks fine. Try the following myapache.te instead:
>
> policy_module(myapache, 1.0.0)
> gen_require(`
> type httpd_t;
> ')
> mlogc_domtrans(httpd_t)
>
> build, install
>
> make -f /usr/share/selinux/devel/Makefile
> sudo semodule -i *.pp
OK - Caused a mere 16 AVCs (admittedly in permissive mode):
Alright, we are on the right track now. The mlogc process runs in its own mlogc domain.
Now to add some more policy to mlogc.te; see comments below:
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { write } for
pid=952 comm="mlogc" name="mlogc" dev=sda5 ino=578025
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0
tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { add_name }
for pid=952 comm="mlogc" name="mlogc-queue.log.new"
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0
tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { create } for
pid=952 comm="mlogc" name="mlogc-queue.log.new"
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0
tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677188.477:44957): arch=40000003 syscall=5
success=yes exit=6 a0=b76fd170 a1=82c1 a2=1b6 a3=856 items=0 ppid=937 pid=952
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677188.484:44958): avc: denied { remove_name }
for pid=952 comm="mlogc" name="mlogc-queue.log" dev=sda5 ino=578431
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0
tclass=dir
node=troodos.org.uk type=SYSCALL msg=audit(1270677188.484:44958): arch=40000003
syscall=38 success=yes exit=0 a0=84c01e8 a1=b76fd070 a2=7581e4 a3=0 items=0 ppid=937
pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677188.494:44959): avc: denied { rename } for
pid=952 comm="mlogc" name="mlogc-queue.log.new" dev=sda5 ino=578432
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0
tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677188.494:44959): arch=40000003
syscall=38 success=yes exit=0 a0=b76fd170 a1=84c01e8 a2=7581e4 a3=0 items=0 ppid=937
pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
The above access vectors should all be allowed if you add the following to your mlogc.te
file:
apache_manage_log(mlogc_t)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677188.497:44960): avc: denied { write } for
pid=952 comm="mlogc" name="mlogc-transaction.log" dev=sda5 ino=578031
scontext=unconfined_u:system_r:mlogc_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677188.497:44960): arch=40000003
syscall=194 success=yes exit=0 a0=5 a1=0 a2=0 a3=84c05c0 items=0 ppid=937 pid=952
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
The file mlogc-transaction.log at inode 57803 seems mislabeled. Use restorecon on the file
to fix its context.
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677208.496:44961): avc: denied { unlink } for
pid=952 comm="mlogc" name="mlogc-queue.log.old" dev=sda5 ino=578432
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0
tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677208.496:44961): arch=40000003
syscall=10 success=yes exit=0 a0=b76fd070 a1=84c01e8 a2=7581e4 a3=0 items=0 ppid=937
pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677254.661:44966): avc: denied { create } for
pid=944 comm="httpd" name="20100407-2254"
scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0
tclass=dir
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.661:44966): arch=40000003
syscall=39 success=yes exit=0 a0=24e17a8 a1=1e8 a2=80a1e4 a3=24e1748 items=0 ppid=937
pid=944 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677254.673:44967): avc: denied { write } for
pid=944 comm="httpd" name="20100407-225414-S7z-BlIrkOUAAAOwOYMAAAAB"
dev=sda5 ino=658630 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.673:44967): arch=40000003 syscall=5
success=yes exit=19 a0=24e1748 a1=8241 a2=1a0 a3=836 items=0 ppid=937 pid=944
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
The access vectors above were allowed when we added apache_manage_log(mlogc_t) to our
mlogc.te file.
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677254.679:44968): avc: denied { setopt } for
pid=1412 comm="mlogc" laddr=127.0.0.1 lport=56280 faddr=127.0.0.1 fport=8888
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0
tclass=tcp_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.679:44968): arch=40000003
syscall=102 success=yes exit=0 a0=e a1=b62fa5d0 a2=3ff8550 a3=b62fa640 items=0 ppid=937
pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677254.682:44969): avc: denied { write } for
pid=1412 comm="mlogc" laddr=127.0.0.1 lport=56280 faddr=127.0.0.1 fport=8888
scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0
tclass=tcp_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.682:44969): arch=40000003
syscall=102 success=yes exit=37 a0=9 a1=b62fa560 a2=3ff8550 a3=0 items=0 ppid=937 pid=1412
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
The above can be allowed by adding the following to your mlogc.te file:
allow mlogc_t self:tcp_socket create_socket_perms;
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677254.684:44970): avc: denied { create } for
pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0
tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=udp_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.684:44970): arch=40000003
syscall=102 success=yes exit=7 a0=1 a1=b62fa5c0 a2=4cb9a8 a3=b577c630 items=0 ppid=937
pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
The above can be allowed by adding the following to your mlogc.te file:
allow mlogc_t self:udp_socket create_socket_perms;
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677254.685:44971): avc: denied { create } for
pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0
tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.685:44971): arch=40000003
syscall=102 success=yes exit=7 a0=1 a1=b62fa400 a2=d1eff4 a3=b62fa5e8 items=0 ppid=937
pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677254.685:44972): avc: denied { bind } for
pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0
tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.685:44972): arch=40000003
syscall=102 success=yes exit=0 a0=2 a1=b62fa400 a2=d1eff4 a3=7 items=0 ppid=937 pid=1412
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677254.686:44973): avc: denied { getattr } for
pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0
tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.686:44973): arch=40000003
syscall=102 success=yes exit=0 a0=6 a1=b62fa400 a2=d1eff4 a3=7 items=0 ppid=937 pid=1412
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1270677254.686:44974): avc: denied { write } for
pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0
tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=AVC msg=audit(1270677254.686:44974): avc: denied { nlmsg_read }
for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0
tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.686:44974): arch=40000003
syscall=102 success=yes exit=20 a0=b a1=b62f9330 a2=d1eff4 a3=0 items=0 ppid=937 pid=1412
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
The above can be allowed by adding the following to your mlogc.te file:
allow mlogc_t self:netlink_route_socket create_netlink_socket_perms;
I did this quickly off the top of my head, so there might be some syntax errors.
It is getting late and I am tired. I will respond to any emails tomorrow morning.
We are on the right track.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
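As an added example (not part of the thread), the following Python script does by hand what the reply above walks through: it parses AVC records, groups the denied permissions by source type, target type and object class, emits one raw allow rule per group, and sets aside the mlogc-transaction.log denial as a probable mislabel (restorecon) rather than a rule. The sample records are single-line copies of denials quoted in the thread; the "*.log file not labeled *_log_t" mislabel heuristic is an assumption of this example, not something the thread states as a rule.

```python
import re
from collections import defaultdict

# Constructed sample: single-line copies of six AVC records quoted in the thread.
SAMPLE_AVCS = """\
type=AVC msg=audit(1270677188.477:44957): avc: denied { write } for pid=952 comm="mlogc" name="mlogc" dev=sda5 ino=578025 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1270677188.477:44957): avc: denied { add_name } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1270677188.477:44957): avc: denied { create } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1270677188.497:44960): avc: denied { write } for pid=952 comm="mlogc" name="mlogc-transaction.log" dev=sda5 ino=578031 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1270677254.679:44968): avc: denied { setopt } for pid=1412 comm="mlogc" laddr=127.0.0.1 lport=56280 faddr=127.0.0.1 fport=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1270677254.686:44974): avc: denied { nlmsg_read } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
"""

# Pull permissions, optional object name, source/target *types* and class from one record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}(?:.*?\bname="(?P<name>[^"]*)")?'
    r'.*?\bscontext=\w+:\w+:(?P<stype>\w+):\S+\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+'
    r'\s+tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Fields of one AVC denial as a dict (perms as a set), or None for other lines."""
    m = AVC_RE.search(line)
    return None if m is None else dict(m.groupdict(), perms=set(m["perms"].split()))

def suspect_label(rec):
    """Heuristic (assumption of this example): a *.log file whose target type is not
    some *_log_t type is probably mislabeled; the fix is restorecon, not an allow rule."""
    return (rec["tclass"] == "file" and (rec["name"] or "").endswith(".log")
            and not rec["ttype"].endswith("_log_t"))

def analyse(text):
    """Group denied perms by (source type, target type, class); split off suspects."""
    grouped, suspects = defaultdict(set), []
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if suspect_label(rec):
            suspects.append((rec["name"], rec["ttype"]))
        else:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(grouped), suspects

def suggest_rules(text):
    """One raw allow rule per group, 'self' where source and target type coincide.
    Map these onto refpolicy interfaces/macros (apache_manage_log, create_socket_perms)
    before committing them to a .te file; raw rules are only the starting point."""
    grouped, _ = analyse(text)
    return [f"allow {s} {'self' if s == t else t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_AVCS)))
    print("mislabeled:", analyse(SAMPLE_AVCS)[1])
```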