Mod-security (mlogc) problem

Dominick Grift domg472 at gmail.com
Thu Apr 8 17:35:24 UTC 2010


On Thu, Apr 08, 2010 at 06:15:37PM +0100, Arthur Dent wrote:
> On Thu, 2010-04-08 at 18:10 +0200, Dominick Grift wrote:
> 
> > Alright lets try and wrap this up. 
> 
> [snipped lots of stuff to wrap things up]
> 
> Well Dominick, I triggered a Mod-Sec alert nearly 20 minutes ago and so
> far (touching wood here) there are no reported AVCs!
> 
> Thank you so much for all the effort you put into this. I realise that
> this is in addition to your daily workload so I am full of gratitude.
> 
> Feeling guilty that I have consumed so much of your time rather
> selfishly, I was wondering if this work could be used by other than just
> me?
> 
> Although the ModSecurity-Console is not from a Fedora RPM, a large
> part of what we (you) dealt with is the interaction between mod-security
> and mlogc, which (in my case at least) were installed from Fedora RPMs.
> 
> I don't know if the package maintainer for that RPM is on this list, but
> could this policy be applied to that package? Or could some of this find
> its way into general SEL policy?

I am not sure if submitting this upstream will result in adoption.

But this thread serves as an example for others to gain some insight into policy development fundamentals in the mailing list archives. So other than that I was able to help you, it was also worth my while from that point of view.

Besides, I like doing this, and so I enjoyed it.

SELinux is a framework and policy is configuration data. Writing policy could be like maintaining an iptables configuration, albeit a bit more complex.

So policy is often a matter of personal preference, and often there is no one size fits all.

So I will leave the decision about whether or not to share the policy forward or submit it upstream to you.
> 
> Anyhow...
> 
> I guess the only thing remaining (if it all stays quiet) is to remove
> the "permissive mlogc_t;" directive from mlogc.te and put the system
> back into Enforcing mode?
> 
> Thanks again?
> 
> I'm not even sure what time zone you're in, but if you're ever in London
> I'll buy you a pint!

I am in the Netherlands, but I will drink one to our success. Cheers!
> 
> Cheers!
> 
> Mark
> 
> 



> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
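As an added example (not code from this thread, the Fedora package or the mlogc policy Dominick wrote), here is the wrap-up step Mark asks about above as a POSIX shell script: confirm no AVC denials were logged for the domain during the permissive test period, drop the `permissive mlogc_t;` directive from the .te source, rebuild and reload the module, and return the system to enforcing mode. The module source path (`./mlogc.te`), the refpolicy devel Makefile location (`/usr/share/selinux/devel/Makefile`), the domain name `mlogc_t` and the contents of the sample module written by `write_sample_te` are assumptions for illustration; the real mlogc.te from the thread is not on this page.

```shell
#!/bin/sh
# Added example, not from the thread: finish a permissive-domain test period.
# Assumptions (not stated on the page): module source is ./mlogc.te, built
# with the refpolicy devel Makefile, and the domain under test is mlogc_t.
set -eu

DOMAIN="${DOMAIN:-mlogc_t}"
TE_FILE="${TE_FILE:-mlogc.te}"

# Write a constructed minimal module to $1 so the helpers below can be tried
# without the real mlogc.te. The rules are illustrative, not the real policy.
write_sample_te() {
    cat > "$1" <<'EOF'
policy_module(mlogc, 1.0.0)

type mlogc_t;
type mlogc_exec_t;
init_daemon_domain(mlogc_t, mlogc_exec_t)

# test-period directive: log denials for mlogc_t but do not enforce them
permissive mlogc_t;

allow mlogc_t self:process signal;
EOF
}

# Return 0 if the .te file ($1) still declares the domain ($2) permissive.
has_permissive() {
    grep -Eq "^[[:space:]]*permissive[[:space:]]+$2[[:space:]]*;" "$1"
}

# Print the .te source ($1) with the permissive declaration for $2 removed.
# Only that statement goes; type declarations and allow rules are untouched.
strip_permissive() {
    sed -E "/^[[:space:]]*permissive[[:space:]]+$2[[:space:]]*;/d" "$1"
}

# Count AVC records whose subject context is the domain ($1) within the
# ausearch time window $2 (e.g. "recent" or "today"). A non-zero count means
# the module still lacks rules; switching to enforcing now would break mlogc.
avc_count() {
    ausearch -m AVC -ts "$2" 2>/dev/null | grep -c "scontext=[^ ]*:$1:" || true
}

# Remove the directive, rebuild the .pp, reload it and switch to enforcing.
# Needs root and the selinux-policy-devel Makefile.
apply_enforcing() {
    mod="${TE_FILE%.te}"
    tmp="$(mktemp)"
    strip_permissive "$TE_FILE" "$DOMAIN" > "$tmp"
    mv "$tmp" "$TE_FILE"
    make -f /usr/share/selinux/devel/Makefile "$mod.pp"
    semodule -i "$mod.pp"
    setenforce 1
    getenforce
}

# Only the privileged steps run when explicitly asked for.
if [ "${1:-}" = "--apply" ]; then
    echo "AVC denials for $DOMAIN (recent): $(avc_count "$DOMAIN" recent)"
    apply_enforcing
fi
```

Run it as root with `--apply` once the test period has stayed quiet; if `avc_count` reports anything other than 0, add the missing rules to the .te first and repeat the test period rather than going enforcing with known denials.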

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100408/98978e80/attachment.bin 