Mod-security (mlogc) problem

Dominick Grift domg472 at gmail.com
Wed Apr 7 20:26:09 UTC 2010 

On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > Hello all,
> > > 
> > > I believe in a multi-layered approach towards security, so as well as
> > > SELinux I use Mod-Security to protect the web server on my F11 machine.
> > > 
> > > Recently I started using the ModSecurity Community Console to analyse
> > > the mod-security denials. This requires using the mlogc logging
> > > application that comes bundled with the mod_security-2.5.12-1.fc11.i586
> > > package.
> > > 
> > > Now every time a mod-security denial is triggered I get 3 SEL AVCs
> > > (currently in permissive mode while I sort this out). They say:
> > > 
> > > SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
> > > If you want to change the file context of /var/run/pcscd.pid so that the
> > > httpd daemon can access it, you need to execute it using chcon -t
> > > httpd_sys_content_t '/var/run/pcscd.pid'.
> > > 
> > > A similar one for /var/run/pcsd.pub
> > > 
> > > and then one for:
> > > SELinux is preventing the mlogc from using potentially mislabeled files
> > > 636F6F6C6B6579706B313173452D47617465203020302D30 (auth_cache_t). 
> > > 
> > > (Actual AVCs below)
> > > 
> > > If I try doing the chcon -t httpd_sys_content_t '/var/run/pcscd.xxx' as
> > > recommended by sealert I only get the one with the strange filename each
> > > time I get a mod-sec alert. However, now of course I get this:
> > > 
> > > SELinux denied access requested by certwatch. /var/run/pcscd.pub may be a mislabeled. /var/run/pcscd.pub default SELinux type is pcscd_var_run_t, but its current type is httpd_sys_content_t. Changing this file back to the default type, may fix your problem.
> > > (and another one for .pid)
> > > 
> > > So I need to put the file context back to what it was using
> > > restorecon....
> > > 
> > > Audit2allow suggests this:
> > > 
> > > require {
> > > 	type auth_cache_t;
> > > 	type httpd_t;
> > > 	type pcscd_var_run_t;
> > > 	class file { read write getattr open };
> > > }
> > > 
> > > #============= httpd_t ==============
> > > allow httpd_t auth_cache_t:file { read write };
> > > allow httpd_t pcscd_var_run_t:file { read getattr open };
> > > 
> > > What do you think is the best solution to this problem?
> > > 
> > > Thanks in advance for any help or suggestions...
> > 
> > To create a new policy module for mlogc:
> > 
> > Create a work directory (~/mywork) and go there to do your work: cd ~/mywork
> > touch 3 files that will be our mlogc source policy module (touch mlogc.te mlogc.if mlogc.fc)
> > The .te file is for policy local to mlogc, the .if file has policy that other parties can call when they want to interact with mlogc, and the .fc file has file context specifications for mlogc.
> > 
> > So lets start why declaring some types for mlogc, make those types usable and specify and file contexts that we know are required.
> > 
> > Declare a new policy module in mlogc.te:
> > 
> > policy_module(mlogc, 1.0.0)
> > 
> > New we need to declare a type for the mlogc process and a type for the mlogc executable file. We make those types a usable application domain by calling the application_domain interface in mlogc.te:
> > 
> > type mlogc_t;
> > type mlogc_exec_t;
> > application_domain(mlogc_t, mlogc_exec_t)
> > 
> > Now lets specify the file context for the mlogc executable file in mlogc.fc:
> > 
> > /usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t, s0)
> > 
> > Next we should define some policy that facilitates interaction with mlogc for other domains. httpd_t executes the mlogc executable file and we could facilitate policy that allows in this case apache to domain transition to our mlogc_t domain. We do this in the mlogc.if.
> > 
> > We call these shared policy blocks interfaces and they are heavily commented. These comments can be parsed. for example: make html. The comments describe the functionality of the policy, and how it should be called.
> > 
> > First we add a description to the mlogc.if file:
> > 
> > ## <summary>The ModSecurity Log Collector</summary>
> > 
> > Next we add the shared policy that can be called if other domain want to domain transition to mlogc_t in mlogc.if:
> > 
> > ########################################
> > ## <summary>
> > ##	Execute MLOGC in the MLOGC domain.
> > ## </summary>
> > ## <param name="domain">
> > ##	<summary>
> > ##	Domain allowed access.
> > ##	</summary>
> > ## </param>
> > #
> > interface(`mlogc_domtrans',`
> > 	gen_require(`
> > 		type mlogc_t, mlogc_exec_t;
> > 	')
> > 
> > 	corecmd_search_bin($1)
> > 	domtrans_pattern($1, mlogc_exec_t, mlogc_t)
> > ')
> > 
> > Now we have a solid foundation for our new mlogc policy.
> > 
> > Now httpd_t should call the mlogc_domtrans interface so that it can domain transition when it runs mlogc.
> > Since we are not working in the main policy package we should create a patch (custom module the extends the apache module) so that we can call this interface for httpd_t.
> > 
> > touch a file myapache.te and add the following:
> > 
> > policy_module(myapache, 1.0.0)
> > optional_policy(`
> > 	gen_require(`
> > 		type httpd_t;
> > 	')
> > 
> > 	mlogc_domtrans(httpd_t)
> > ')
> > 
> > The optional_policy tag makes it so that this module does not depend on either the apache module and our mlogc module. The gen_require tag borrows a type that we use and that is not local to our module. The httpd_t type is not delcared in our myapache.te file. We borrow it from the existing apache module.
> > 
> > Now we have two source policy modules: mlogc and myapache.
> > 
> > There are a couple more things we need to take care of. In mlogc.te we should append the following:
> > 
> > role system_r types mlogc_t;
> > 
> > Apache is a system service. System services use the system_r role. Roles are used for RBAC or role based access control. Without going into details we just allowed the system_r role to be used with the mlogc_t domain.
> > 
> > Since our policy module does not actually have much policy yet it must be tested first. We can make our new clogd_t domain permissive (exempted from SELinux enforcement but SELinux will still log any access mlogc_t requires and that is currently not allowed) in mlogc.te append the following:
> > 
> > permissive mlogc_t;
> > 
> > We must remove this line once we are done testing and refining our module.
> > 
> > Now we can try to build binary representations of our two new modules by running the following command:
> > 
> > make -f /usr/share/selinux/devel/Makefile
> > 
> > if all goes well , then two files with the .pp extension are created: myapache.pp and mlogc.pp
> > 
> > We should now load these two binary policies with the following command:
> > 
> > sudo semodule -i *.pp
> > 
> > Next we must run the restorecon command on /usr/bin/mlogc. So that our new file context specification for this location can we applied. We can use the -v option to make it verbose.
> > 
> > sudo restorecon -v /usr/bin/mlogc
> > 
> > Now when you list its attirbutes (ls -alZ /usr/bin/mlogc) you should see our type mlogc_exec_t.
> > 
> > Time for testing. httpd_t should be allowed to run mlogc in the mlogc_t domain and currently mlogc_t is a permissive domain, thus mlogc_t should be able to have any access wrt to SELinux. Any "would be denials" are logged to /var/log/audit/audit.log. We can use these denials to extend our mlogc_t domain.
> > 
> > So test the app a couple times and collect AVC denials. If you run the AVC denials through audit2allow with the -R option , then audit2allow with try to find suitable interfaces to call where applicable. If you use audit2allow without the -R option , then audit2allow will only translate AVC denials into human readible policy.
> > 
> > Proper policy requires that you only use interface calls in your policy except when the target in an particular interaction is local to the module (if the target type is declared in the module)
> > 
> > But this goes beyond the scope of this explanation. You can just paste the output of audit2allow -R into the mlogc.te file and rebuild the source, then reinstall the module(s)
> > 
> > make -f /usr/share/selinux/devel/Makefile
> > sudo semodule -i *.pp
> > 
> > After a few runs when no more AVC denials appear in audit.log for mlogc_t, then you can remove the permissive declaration from the mlogc.te file (permissive mlogc_t;)
> > 
> > Then rebuild and reinstall the module.
> > 
> > By now mlogc should be confined and working.
> > 
> >  
> > Disclaimer: I might have missed some important parts. I might have made mistakes. Try at your own risk
> > To undo the policy modules:
> > 
> > sudo semodule -r mlocg myapache
> > restorecon -v /usr/bin/mlogc
> > 
> > hth
> 
> WOW! That is so helpful - Thank you! After your first message I was just
> googling to try to find out how to create a domain transition - just
> about to give up and ask when this post came in... Thanks for going to
> so much trouble.
> 
> I followed your instructions exactly and everything seemed to work as
> intended.
> 
> I have to say however that on testing I get 3 AVCs (see below), just as
> before!...
> 
> Have I missed something or misunderstood something?

Yes it seems that the domain transition did not happen. are the modules installed:

semodule -l | grep myapache
semodule -l | grep mlogc

Is the context of mlogc executable file proper?

ls -alZ /usr/bin/mlogc

Something seems to have gone not as planned

> 
> Based on these 3 AVCs audit2allow -R produces the following:
> 
> ######################################
> require {
> 	type httpd_t;
> }
> 
> #============= httpd_t ==============
> pcscd_read_pub_files(httpd_t)
> 
> ######################################
> 
> Is that what you would expect?
> 
> 
> Thanks again for your help...
> 
> Mark
> 
> 
> Most recent AVCs
> ================
> 
> Raw Audit Messages :
l> 
> node=troodos.org.uk type=AVC msg=audit(1270666306.338:44518): avc: denied { getattr } for pid=32012 comm="mlogc" path="/var/run/pcscd.pub" dev=sda5 ino=362221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270666306.338:44518): arch=40000003 syscall=195 success=yes exit=0 a0=1fc5ab a1=b643f9ac a2=d1eff4 a3=3 items=0 ppid=29448 pid=32012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { read } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
> node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { open } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270666306.342:44519): arch=40000003 syscall=5 success=yes exit=13 a0=1fc8ea a1=0 a2=1b6 a3=1fc8e8 items=0 ppid=29448 pid=32012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { read } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
> node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { open } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270666306.342:44519): arch=40000003 syscall=5 success=yes exit=13 a0=1fc8ea a1=0 a2=1b6 a3=1fc8e8 items=0 ppid=29448 pid=32012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> 
> 



> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100407/96fc7fa7/attachment-0001.bin

More information about the selinux mailing list