fedora-selinux August 2010 archive

Re: Mlogc problem after upgrade to F13

From: Dominick Grift <domg472_at_nospam>
Date: Tue Aug 31 2010 - 21:34:09 GMT
To: selinux@lists.fedoraproject.org

On 08/31/2010 09:06 PM, Arthur Dent wrote:
> On Tue, 2010-08-31 at 20:39 +0200, Dominick Grift wrote:
>> On 08/31/2010 08:33 PM, Arthur Dent wrote:
>>> On Sat, 2010-08-14 at 10:45 +0200, Dominick Grift wrote:
>>>> On 08/14/2010 10:06 AM, Arthur Dent wrote:
>>>>
>>>>> And this is what audit2allow makes of them...
>>>>>
>>>>> require {
>>>>> type mlogc_t;
>>>>> }
>>>>>
>>>>> #============= mlogc_t ==============
>>>>> files_delete_root_dir_entry(mlogc_t)
>>>>> files_delete_tmp_dir_entry(mlogc_t)
>>>>> miscfiles_manage_cert_files(mlogc_t)
>>>>>
>>>>>
>>>>> Should I add these to the above policy, or is there some other way?
>>>>>
>>>>> Thanks in advance for any help or suggestions...
>>>>>
>>>>> Mark
>>>>>
>>>>
>>>> There are some issues:
>>>>
>>>> 1. I would go here:
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users and ask
>>>> if it is normal that mlogc writes to certificate databases. It's trying
>>>> to write to files like cert9.db and key4.db.
>>>
>>> OK - Sorry it's taken a while to get back to this - but I had the
>>> discussion over on the mod-sec list, had to set up a strace and send the
>>> strace log.
>>>
>>> This is what Brian Rectanus had to say having analysed the strace log:
>>>
>>> ====================8<=================================================
>>>
>>> Looking at the strace logs, it first tries to open those files
>>> read/write, but cannot, so it resorts to read only access. I do not
>>> see any calls to write to those files, though:
>>>
>>> 14612 open("/etc/pki/nssdb/key4.db", O_RDWR|O_CREAT|O_LARGEFILE, 0644)
>>> = -1 EACCES (Permission denied)
>>> 14612 open("/etc/pki/nssdb/key4.db", O_RDONLY|O_LARGEFILE) = 11
>>>
>>> 14612 open("/etc/pki/nssdb/cert9.db", O_RDWR|O_CREAT|O_LARGEFILE,
>>> 0644) = -1 EACCES (Permission denied)
>>> 14612 open("/etc/pki/nssdb/cert9.db", O_RDONLY|O_LARGEFILE) = 8
>>>
>>> I imagine that those attempts at opening read/write are what is
>>> triggering selinux. This is the curl library accessing these files for
>>> certificate verification (via mozilla's NSS library). They are sqlite
>>> DBs. I am not sure why it is trying to access them read/write,
>>> though. It looks like NSS support was added to curl with version
>>> 7.19.7. If it is a problem (and it may be), then you will probably
>>> have to take it up with curl folks. However, they will probably tell
>>> you it is a libnss issue :)
>>>
>>> Sorry I cannot help more.
>>>
>>> -B
>>>
>>> ====================8<=================================================
>>>
>>> Well - Where does that leave me?
>>>
>>> Mark
>>>
>>>
>>>
>>
>> I guess you will have to decide for yourself whether you want to permit
>> mlogc to read and write your system certificate files.
>>
>> Try to reproduce the issue in permissive mode and enclose the AVC
>> denials so that we can extend the mlogc module.
>
> Reproducing it in permissive mode will take a little effort (I either
> have to wait for an event - not too frequent at the moment - or try to
> re-inject a previous event).
>
> In the meantime, here are the two most recent whilst in enforcing mode:
>
> Raw Audit Messages :
>
> node=troodos type=AVC msg=audit(1282523196.610:41408): avc: denied
> { write } for pid=16293 comm="mlogc" name="cert9.db" dev=sda6 ino=86078
> scontext=unconfined_u:system_r:mlogc_t:s0
> tcontext=system_u:object_r:cert_t:s0 tclass=file
> node=troodos type=SYSCALL msg=audit(1282523196.610:41408): arch=40000003
> syscall=5 success=no exit=-13 a0=b5726328 a1=8042 a2=1a4 a3=0 items=0
> ppid=14657 pid=16293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc"
> exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
>
> Raw Audit Messages :
>
> node=troodos type=AVC msg=audit(1282523196.662:41409): avc: denied
> { write } for pid=16293 comm="mlogc" name="key4.db" dev=sda6 ino=86176
> scontext=unconfined_u:system_r:mlogc_t:s0
> tcontext=system_u:object_r:cert_t:s0 tclass=file
> node=troodos type=SYSCALL msg=audit(1282523196.662:41409): arch=40000003
> syscall=5 success=no exit=-13 a0=b5736680 a1=8042 a2=1a4 a3=0 items=0
> ppid=14657 pid=16293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc"
> exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
>
> Thanks
>
> Mark
>

Adding the following to your mlogc.te would allow this:

miscfiles_manage_cert_files(mlogc_t)

Then build and install mlogc.pp.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
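An added worked example, written for this archive page and not code from the thread, from mod_security/mlogc or from the Fedora policy. It parses the two audit records Mark posted and decodes the SYSCALL half, which the thread never does: arch=40000003 is i386, where syscall 5 is open(2), a1=8042 is O_RDWR|O_CREAT|O_LARGEFILE, a2=1a4 is mode 0644 and exit=-13 is EACCES. That is exactly the first open() in Brian's strace, the one that fails before NSS retries read-only, so the denied permission really is only `write` on cert_t files and nothing in the records shows mlogc succeeding in writing them. The example then emits an audit2allow-style module in either of the two forms that follow from the thread: an `allow` rule (Dominick's `miscfiles_manage_cert_files(mlogc_t)` is the reference-policy interface for this and grants the full manage set on cert_t files, i.e. create, read, write, unlink and so on, which is wider than the single permission denied) or a `dontaudit` rule that silences the denial and leaves the certificate databases read-only for mlogc. The audit lines are the ones quoted above rejoined onto single lines; the module name `mlogc_local` and the hard-coded i386 flag table are assumptions of the example.

```python
"""Decode the mlogc AVC/SYSCALL records from the thread and emit a policy module."""
import re

# The two denials quoted in the thread, each record rejoined onto one line
# (the mail client had wrapped them). Values are as posted, not invented.
AUDIT_LOG = """\
node=troodos type=AVC msg=audit(1282523196.610:41408): avc: denied { write } for pid=16293 comm="mlogc" name="cert9.db" dev=sda6 ino=86078 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1282523196.610:41408): arch=40000003 syscall=5 success=no exit=-13 a0=b5726328 a1=8042 a2=1a4 a3=0 items=0 ppid=14657 pid=16293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
node=troodos type=AVC msg=audit(1282523196.662:41409): avc: denied { write } for pid=16293 comm="mlogc" name="key4.db" dev=sda6 ino=86176 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1282523196.662:41409): arch=40000003 syscall=5 success=no exit=-13 a0=b5736680 a1=8042 a2=1a4 a3=0 items=0 ppid=14657 pid=16293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
"""

# open(2) flag bits for i386 (arch=40000003; syscall 5 is open there).
# Hard-coded (assumption of this example) because os.O_LARGEFILE is 0 on an
# x86_64 Python build and would not decode a1 correctly.
I386_ACCESS_MODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
I386_OPEN_BITS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC",
                  0o2000: "O_APPEND", 0o100000: "O_LARGEFILE"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')
SERIAL = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')


def parse_audit(text):
    """Group the AVC and SYSCALL records of each event by audit serial number."""
    events = {}
    for line in text.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields["type"] == "AVC":
            fields["perms"] = PERMS.search(line).group(1).split()
        events.setdefault(int(m.group(1)), {})[fields["type"]] = fields
    return events


def decode_open_flags(a1_hex):
    """Turn the hex a1 argument of an i386 open(2) into flag names."""
    flags = int(a1_hex, 16)
    names = [I386_ACCESS_MODE[flags & 0o3]]
    names += [n for bit, n in sorted(I386_OPEN_BITS.items()) if flags & bit]
    return names


def explain(events):
    """One summary per denial: source/target type, permission, and the open() call."""
    rows = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev["AVC"], ev["SYSCALL"]
        row = {"serial": serial, "name": avc["name"], "tclass": avc["tclass"],
               "stype": avc["scontext"].split(":")[2],
               "ttype": avc["tcontext"].split(":")[2],
               "perms": avc["perms"], "errno": -int(sc["exit"])}  # 13 == EACCES
        if sc["arch"] == "40000003" and sc["syscall"] == "5":
            row["open_flags"] = decode_open_flags(sc["a1"])
            row["mode"] = oct(int(sc["a2"], 16))
        rows.append(row)
    return rows


def policy_module(rows, rule="dontaudit", name="mlogc_local"):
    """audit2allow-style .te text covering every denial, as allow or dontaudit rules."""
    rules, types, classes = {}, set(), {}
    for r in rows:
        for p in r["perms"]:
            rules.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).add(p)
            classes.setdefault(r["tclass"], set()).add(p)
            types.update((r["stype"], r["ttype"]))
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(ps))} }};" for c, ps in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, c), ps in sorted(rules.items()):
        lines.append(f"{rule} {s} {t}:{c} {{ {' '.join(sorted(ps))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for row in explain(parse_audit(AUDIT_LOG)):
        print(row)
    print(policy_module(explain(parse_audit(AUDIT_LOG))))
```

Write the output to mlogc_local.te and load it the same way audit2allow -M output is loaded: `checkmodule -M -m -o mlogc_local.mod mlogc_local.te`, `semodule_package -o mlogc_local.pp -m mlogc_local.mod`, `semodule -i mlogc_local.pp`. Whichever rule you pick, re-run mlogc afterwards and confirm with `ausearch -m avc -c mlogc` that no new cert_t denials appear; with the dontaudit variant the read-only fallback Brian described still happens, it just stops being logged.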