fedora-selinux August 2010 archive

Mlogc problem after upgrade to F13

From: Arthur Dent <misc.lists_at_nospam>
Date: Sat Aug 14 2010 - 08:06:56 GMT
To: selinux@lists.fedoraproject.org

Hello all,

Back in April Dominick Grift kindly helped me to create a new policy
module for mlogc on my Fedora11 installation.

(The original correspondence can be seen here:
http://lists.fedoraproject.org/pipermail/selinux/2010-April/012353.html)

In the last couple of days I have upgraded to F13 and, despite copying
and rebuilding the relevant policy modules, I am now getting another
raft of AVCs relating to mlogc.

To Summarise:
=============

ModSecurity Log Collector (mlogc) is used to send ModSecurity audit log
data to a console. It is installed as part of the Fedora rpm
mod_security-2.5.12-1.fc13.i686 which I installed as part of the
upgrade. The actual ModSecurity Console (which receives the data) was
installed from source using the same tarball as was used on my F11
install.

With Dominick's help, these are the modules I created on the F11 box:

===========8<=======================================================

# cat mymlogc.te
policy_module(mymlogc, 1.0.10)

type mlogc_t;
type mlogc_exec_t;
type mlogc_var_log_t;
type mlogc_etc_t;

logging_log_file(mlogc_var_log_t);
logging_log_filetrans(mlogc_t, mlogc_var_log_t, { dir file })
application_domain(mlogc_t, mlogc_exec_t);
role system_r types mlogc_t;
# permissive mlogc_t;
manage_dirs_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
manage_files_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
files_search_etc(mlogc_t)
files_config_file(mlogc_etc_t)
files_read_usr_symlinks(mlogc_t)
files_read_etc_files(mlogc_t)
files_list_tmp(mlogc_t)
pcscd_read_pub_files(mlogc_t);
pcscd_stream_connect(mlogc_t)
miscfiles_read_localization(mlogc_t)
miscfiles_read_certs(mlogc_t)
dev_read_urand(mlogc_t)
userdom_use_user_terminals(mlogc_t)
#apache_manage_log(mlogc_t);
kernel_read_system_state(mlogc_t)

allow mlogc_t self:tcp_socket create_socket_perms;
allow mlogc_t self:udp_socket create_socket_perms;
allow mlogc_t self:netlink_route_socket create_netlink_socket_perms;
allow mlogc_t self:process { setsched getsched };
allow mlogc_t self:capability { sys_nice dac_override };
allow mlogc_t self:sem create_sem_perms;

corenet_all_recvfrom_netlabel(mlogc_t)
corenet_all_recvfrom_unlabeled(mlogc_t)
corenet_tcp_sendrecv_generic_if(mlogc_t)
corenet_tcp_sendrecv_generic_node(mlogc_t)
corenet_tcp_sendrecv_generic_port(mlogc_t)
corenet_tcp_bind_generic_node(mlogc_t)
corenet_sendrecv_generic_client_packets(mlogc_t)
corenet_tcp_connect_generic_port(mlogc_t)
===========8<=======================================================

===========8<=======================================================

# cat myapche.te
policy_module(myapache, 1.0.2)
gen_require(`
type httpd_t;
')
mlogc_domtrans(httpd_t)
mlogc_manage_log(httpd_t)
mlogc_signal(httpd_t)

===========8<=======================================================

And these are the new denials. Some worrying ones such as requiring
access to key files...

There were 12 AVCs relating to a single incident, but I have removed
ones I think are duplicates:

Raw Audit Messages :

node=troodos type=AVC msg=audit(1281734421.635:29370): avc: denied { write } for pid=3512 comm="mlogc" name="cert9.db" dev=sda6 ino=91782 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.635:29370): arch=40000003 syscall=5 success=no exit=-13 a0=b5926308 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos type=AVC msg=audit(1281734421.847:29371): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=1549 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29371): arch=40000003 syscall=33 success=no exit=-13 a0=1e6774 a1=7 a2=1fca64 a3=2 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos type=AVC msg=audit(1281734421.847:29373): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=310 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29373): arch=40000003 syscall=33 success=no exit=-13 a0=1e6778 a1=7 a2=1fca64 a3=4 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos type=AVC msg=audit(1281734421.847:29374): avc: denied { write } for pid=3512 comm="mlogc" name="/" dev=sda6 ino=2 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29374): arch=40000003 syscall=33 success=no exit=-13 a0=1e4d73 a1=7 a2=1fca64 a3=5 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos type=AVC msg=audit(1281734421.852:29376): avc: denied { write } for pid=3512 comm="mlogc" name="key4.db" dev=sda6 ino=19637 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.852:29376): arch=40000003 syscall=5 success=no exit=-13 a0=b5933cf8 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos type=AVC msg=audit(1281734421.861:29380): avc: denied { write } for pid=3512 comm="mlogc" name="/" dev=sda6 ino=2 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.861:29380): arch=40000003 syscall=33 success=no exit=-13 a0=1e4d73 a1=7 a2=1fca64 a3=5 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

And this is what audit2allow makes of them...

require {
        type mlogc_t;
}

#============= mlogc_t ==============
files_delete_root_dir_entry(mlogc_t)
files_delete_tmp_dir_entry(mlogc_t)
miscfiles_manage_cert_files(mlogc_t)

Should I add these to the above policy, or is there some other way?

Thanks in advance for any help or suggestions...

Mark

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
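An added example (not part of the thread above): a small Python triage of the AVC lines quoted in the message that merges duplicate denials into raw allow rules, roughly what audit2allow does before it substitutes refpolicy interfaces, and flags targets such as cert_t and root_t for manual review instead of a blanket allow. The SENSITIVE_TARGETS set is the editor's assumption, not anything from the list post.

```python
import re
from collections import defaultdict

# Five of the AVC lines quoted in the message above, embedded here as sample input.
SAMPLE_AVCS = """\
node=troodos type=AVC msg=audit(1281734421.635:29370): avc: denied { write } for pid=3512 comm="mlogc" name="cert9.db" dev=sda6 ino=91782 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=AVC msg=audit(1281734421.847:29371): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=1549 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=AVC msg=audit(1281734421.847:29373): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=310 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=AVC msg=audit(1281734421.847:29374): avc: denied { write } for pid=3512 comm="mlogc" name="/" dev=sda6 ino=2 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=AVC msg=audit(1281734421.852:29376): avc: denied { write } for pid=3512 comm="mlogc" name="key4.db" dev=sda6 ino=19637 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
"""

# Pull the permission set, source/target contexts and object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)

# Target types where a denial should be looked at rather than allowed (editor's assumption).
SENSITIVE_TARGETS = {"cert_t", "root_t", "shadow_t", "etc_t"}


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level, so the type is the third field.
    return (m["scontext"].split(":")[2], m["tcontext"].split(":")[2],
            m["tclass"], frozenset(m["perms"].split()))


def collapse(lines):
    """Merge denials per (source, target, class), unioning their permissions."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            merged[(src, tgt, cls)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def triage(lines):
    """Emit raw allow rules, tagging those aimed at sensitive target types as REVIEW."""
    result = []
    for (src, tgt, cls), perms in sorted(collapse(lines).items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        result.append(("REVIEW" if tgt in SENSITIVE_TARGETS else "ok", rule))
    return result


if __name__ == "__main__":
    for flag, rule in triage(SAMPLE_AVCS.splitlines()):
        print(f"[{flag:6}] {rule}")
```

The two cert_t denials (cert9.db, key4.db) and the write to root_t come out flagged REVIEW, which is the point: a generated allow for those is not the same decision as one for tmp_t.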