Mod-security (mlogc) problem

Dominick Grift domg472 at gmail.com
Wed Apr 7 22:20:50 UTC 2010


On Wed, Apr 07, 2010 at 11:01:53PM +0100, Arthur Dent wrote:
> On Wed, 2010-04-07 at 23:35 +0200, Dominick Grift wrote:
> 
> > 
> > Yes, looks fine. Try the following myapache.te instead:
> > 
> > policy_module(myapache, 1.0.0)
> > gen_require(`
> > type httpd_t;
> > ')
> > mlogc_domtrans(httpd_t)
> > 
> > build, install
> > 
> > make -f /usr/share/selinux/devel/Makefile
> > sudo semodule -i *.pp
> 
> OK - Caused a mere 16 AVCs (admittedly in permissive mode):

Alright, we are on the right track now. The mlogc process runs in its own mlogc domain.
Now to add some more policy to mlogc.te

See comments below:

> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { write } for pid=952 comm="mlogc" name="mlogc" dev=sda5 ino=578025 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { add_name } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { create } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677188.477:44957): arch=40000003 syscall=5 success=yes exit=6 a0=b76fd170 a1=82c1 a2=1b6 a3=856 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { write } for pid=952 comm="mlogc" name="mlogc" dev=sda5 ino=578025 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { add_name } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { create } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677188.477:44957): arch=40000003 syscall=5 success=yes exit=6 a0=b76fd170 a1=82c1 a2=1b6 a3=856 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { write } for pid=952 comm="mlogc" name="mlogc" dev=sda5 ino=578025 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { add_name } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir 
> node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { create } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677188.477:44957): arch=40000003 syscall=5 success=yes exit=6 a0=b76fd170 a1=82c1 a2=1b6 a3=856 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677188.484:44958): avc: denied { remove_name } for pid=952 comm="mlogc" name="mlogc-queue.log" dev=sda5 ino=578431 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677188.484:44958): arch=40000003 syscall=38 success=yes exit=0 a0=84c01e8 a1=b76fd070 a2=7581e4 a3=0 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677188.494:44959): avc: denied { rename } for pid=952 comm="mlogc" name="mlogc-queue.log.new" dev=sda5 ino=578432 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677188.494:44959): arch=40000003 syscall=38 success=yes exit=0 a0=b76fd170 a1=84c01e8 a2=7581e4 a3=0 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 

The above access vectors should all be allowed if you add the following to your mlogc.te file:

apache_manage_log(mlogc_t)

> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677188.497:44960): avc: denied { write } for pid=952 comm="mlogc" name="mlogc-transaction.log" dev=sda5 ino=578031 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677188.497:44960): arch=40000003 syscall=194 success=yes exit=0 a0=5 a1=0 a2=0 a3=84c05c0 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
>

The file mlogc-transaction.log at inode 57803 seems mislabeled. Use restorecon on the file to fix its context.
 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677208.496:44961): avc: denied { unlink } for pid=952 comm="mlogc" name="mlogc-queue.log.old" dev=sda5 ino=578432 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677208.496:44961): arch=40000003 syscall=10 success=yes exit=0 a0=b76fd070 a1=84c01e8 a2=7581e4 a3=0 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 

> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677254.661:44966): avc: denied { create } for pid=944 comm="httpd" name="20100407-2254" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=dir 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677254.661:44966): arch=40000003 syscall=39 success=yes exit=0 a0=24e17a8 a1=1e8 a2=80a1e4 a3=24e1748 items=0 ppid=937 pid=944 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677254.673:44967): avc: denied { write } for pid=944 comm="httpd" name="20100407-225414-S7z-BlIrkOUAAAOwOYMAAAAB" dev=sda5 ino=658630 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677254.673:44967): arch=40000003 syscall=5 success=yes exit=19 a0=24e1748 a1=8241 a2=1a0 a3=836 items=0 ppid=937 pid=944 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
> 

The access vectors above were allowed when we added apache_manage_log(mlogc_t) to our mlogc.te file.

> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677254.679:44968): avc: denied { setopt } for pid=1412 comm="mlogc" laddr=127.0.0.1 lport=56280 faddr=127.0.0.1 fport=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=tcp_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677254.679:44968): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b62fa5d0 a2=3ff8550 a3=b62fa640 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
>
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677254.682:44969): avc: denied { write } for pid=1412 comm="mlogc" laddr=127.0.0.1 lport=56280 faddr=127.0.0.1 fport=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=tcp_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677254.682:44969): arch=40000003 syscall=102 success=yes exit=37 a0=9 a1=b62fa560 a2=3ff8550 a3=0 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
>

The above can be allowed by adding the following to your mlogc.te file:

allow mlogc_t self:tcp_socket create_socket_perms;
 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677254.684:44970): avc: denied { create } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=udp_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677254.684:44970): arch=40000003 syscall=102 success=yes exit=7 a0=1 a1=b62fa5c0 a2=4cb9a8 a3=b577c630 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 


The above can be allowed by adding the following to your mlogc.te file:

allow mlogc_t self:udp_socket create_socket_perms;

> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677254.685:44971): avc: denied { create } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677254.685:44971): arch=40000003 syscall=102 success=yes exit=7 a0=1 a1=b62fa400 a2=d1eff4 a3=b62fa5e8 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677254.685:44972): avc: denied { bind } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677254.685:44972): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=b62fa400 a2=d1eff4 a3=7 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677254.686:44973): avc: denied { getattr } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677254.686:44973): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=b62fa400 a2=d1eff4 a3=7 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1270677254.686:44974): avc: denied { write } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket 
> node=troodos.org.uk type=AVC msg=audit(1270677254.686:44974): avc: denied { nlmsg_read } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1270677254.686:44974): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=b62f9330 a2=d1eff4 a3=0 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 

The above can be allowed by adding the following to your mlogc.te file:

allow mlogc_t self:netlink_route_socket create_netlink_socket_perms;


I did this quickly off the top of my head, so there might be some syntax errors.

It is getting late and I am tired. I will respond to any emails tomorrow morning.

We are on the right track.

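Added example, not part of the original message or of any SELinux tool: the Python below groups AVC denials like those quoted in this thread by source type, target type and object class, and renders the raw allow rule each group corresponds to. That makes it easy to see what a macro such as apache_manage_log(mlogc_t) has to cover, and makes an unexpected target type (httpd_sys_content_t on a log file) stand out. The sample records are abridged copies of lines from the thread; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample records: abridged copies of denials quoted in this thread (node, pid,
# dev and ino fields dropped). The first record appears twice, as in the post.
SAMPLE = """\
type=AVC msg=audit(1270677188.477:44957): avc: denied { write } for comm="mlogc" name="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1270677188.477:44957): avc: denied { write } for comm="mlogc" name="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1270677188.477:44957): avc: denied { add_name } for comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1270677188.497:44960): avc: denied { write } for comm="mlogc" name="mlogc-transaction.log" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1270677254.686:44974): avc: denied { write } for comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1270677254.686:44974): avc: denied { nlmsg_read } for comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1270677254.686:44974): arch=40000003 syscall=102 success=yes comm="mlogc" exe="/usr/bin/mlogc"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def group_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no access vector
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return grouped

def allow_rules(grouped):
    """Render raw allow rules; 'self' is used when source and target match."""
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt
        perm_list = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_list = "{ " + perm_list + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_list};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(group_denials(SAMPLE)):
        print(rule)
```

The rule against httpd_sys_content_t is the one to fix by relabeling the file, as the message says, not by adding it to the policy.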