04-08-2010, 03:04 PM
Dominick Grift

Mod-security (mlogc) problem

On Thu, Apr 08, 2010 at 03:50:17PM +0100, Arthur Dent wrote:
> On Thu, 2010-04-08 at 16:09 +0200, Dominick Grift wrote:
>
> > > Done all that...
> >
> > I hope you noticed the typo i made here:
> >
> > was:
> > logging_log_file(mlogc_var_log_t;
> >
> > should be:
> > logging_log_file(mlogc_var_log_t)
>
> Yes, I caught that one. By the way, is a semicolon required after every
> line?
>
> >
> > >
> > > > > I think most of that is self-explanatory. Note especially the ConsoleURI
> > > > > "https://127.0.0.1:8888/rpc/auditLogReceiver" directive. This punts the
> > > > > alerts into the Console which listens on port 8888, and this is the
> > > > > answer to one of your later questions.
> > > >
> > > > I think we should also confine this "server". Which package includes this? What is the name/location of the executable file for this service?
> > >
> > > OK - It's called modsecurity-console and it's located in /usr/local/bin
> > > - but it's actually linked to /opt
> >
> > What runs it? You, the user, or is it an init daemon?
>
> Yes, at the moment I start it manually or with a cron job
> (@reboot /usr/local/bin/modsecurity-console start) although I was
> planning to make an init.d script for it given time.

We should (in time) figure out a proper solution. In your configuration, you may be able to bind tcp sockets to ports, but in a strictly enforced SELinux environment users may not do that, thus it would not be allowed to listen on those ports unless policy was written for it that allows it.

But I do not want to overwhelm you at this moment, and so in my previous message I added policy that allows mlogc_t to connect to any generic tcp port types.

>
> >
> > Since it is using odd paths I assume there is no Red Hat rpm?
>
> No, This is an RPM, but from Breach Security - the authors. I also
> installed it from source previously.
>
> > >
> > > # ll /usr/local/bin/modsecurity-console
> > > lrwxrwxrwx. 1 root root 44 2010-04-04 11:23 /usr/local/bin/modsecurity-console -> /opt/modsecurity-console/modsecurity-console
> > >
> > > > >
> > > > > Note however that I am also experimenting with another Console app (also
> > > > > Java based, which does exactly the same thing in the same way) but in
> > > > > this case listens on port 8443.
> > > > >
> > > > > >
> > > > > > I am thinking about creating a file type transition from the generic log files type or httpd log files type to a mlogc log files type to be created by us.
> > > > > > This will benefit security as:
> > > > > >
> > > > > > 1. Hopefully mlogc_t will no longer need to manage files with type httpd_log_t.
> > > > > > 2. httpd_t (mod_security) will no longer need to create directories with type httpd_log_t and will no longer need to write to files with type httpd_log_t.
> > > > > >
> > > > > > We must try to find the best solution to the above security issues so again: two questions:
> > > > > >
> > > > > > 1. does mod_security (maybe its configuration file) allow us to specify a location to store mod_security log files?
> > > > > > 2. if the answer to 1. is no, then can you tell me which directories in /var/log/httpd are used (owned) by mod_security for logging?
> > > > >
> > > > > The answer to 1 is yes as you can see above.
> > > > > >
> > > > > > > Raw Audit Messages :
> > > > > > >
> > > > > > > node=troodos.org.uk type=AVC msg=audit(1270679720.128:45085): avc: denied { name_connect } for pid=1869 comm="mlogc" dest=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> > > > > > > node=troodos.org.uk type=SYSCALL msg=audit(1270679720.128:45085): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=b62fa910 a2=4cb9a8 a3=0 items=0 ppid=937 pid=1869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
> > > > > >
> > > > > > The mlogc program tries to tcp network connect to port 8888, which currently is labeled with a generic port type.
> > > > > >
> > > > > > 1. Why is it connecting to the network?
> > > > > > 2. What is listening on tcp:8888 on the other side?
> > > > >
> > > > > That's the Console app as described above.
> > > > >
> > > > > >
> > > > > > We have to find some answers before we can start implementing a proper solution.
> > > > >
> > > > > [snip]
> > > > >
> > > > > > The above denials were what actually caused your issue in the first place. The only difference now is that instead of httpd_t, now mlogc_t needs the access.
> > > > > >
> > > > > > Add the following to your mlogc.te file:
> > > > > >
> > > > > > pcscd_read_pub_files(mlogc_t)
> > > > > >
> > > > > > That should allow mlogc_t to read pcscd pid files.
> > > > >
> > > > > Done that - thanks..
> > > > >
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > And as I was copying the above, this one came in...
> > > > > > >
> > > > > > > Raw Audit Messages :
> > > > > > >
> > > > > > > node=troodos.org.uk type=AVC msg=audit(1270680011.472:45102): avc: denied { dac_override } for pid=952 comm="mlogc" capability=1 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=capability
> > > > > > > node=troodos.org.uk type=SYSCALL msg=audit(1270680011.472:45102): arch=40000003 syscall=5 success=yes exit=6 a0=b76fd170 a1=82c1 a2=1b6 a3=856 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > The above means that root/mlogc is overriding traditional security. For example accessing a location not owned by root. We should figure out which location it is that mlogc tries to access that is not owned by root. Once we determine this, we can make the right security decision.
> > > > > >
> > > > > >
> > > > > > Now we are getting into the harder aspect of writing policy.
> > > > > > Writing a template for a new domain and just allowing access is not so hard.
> > > > > > What is harder is: making solid security decisions.
> > > > > >
> > > > > >
> > > > > > What is it doing
> > > > > > why is it doing it
> > > > > > who is doing it to who
> > > > > > Is this a threat
> > > > > > why is it a threat
> > > > > > how can we neutralize it?
> > > > > >
> > > > > > fun!
> > > > >
> > > > > For you maybe
> > > > >
> > > > > OK - I hope the above helps...
> > > > >
> > > > > By the way since my last message I have had another 71 AVCs - too many
> > > > > to post, and doubtless many duplicates, but here is what audit2allow has
> > > > > to say about them:
> > > > >
> > > > > # ausearch -m AVC -ts today | audit2allow -R
> > > > >
> > > > > require {
> > > > > type mlogc_t;
> > > > > type httpd_t;
> > > > > class capability { sys_nice dac_override };
> > > > > class process { setsched signal getsched };
> > > > > class sem { read write create unix_write destroy };
> > > > > }
> > > > >
> > > > > #============= httpd_t ==============
> > > > > allow httpd_t mlogc_t:process signal;
> > > >
> > > > Ignore this for now, we might add it later.
> > > >
> > > > >
> > > > > #============= mlogc_t ==============
> > > > > allow mlogc_t self:capability { sys_nice dac_override };
> > > >
> > > > Did you figure out which location not owned by root mlogc is trying to access?
> > > > For the moment let's ignore these.
> > > >
> > > > > allow mlogc_t self:process { setsched getsched };
> > > >
> > > > The above can be added to mlogc.te
> > > >
> > > > > allow mlogc_t self:sem { read write create unix_write destroy };
> > > >
> > > > Ignore for now
> > > >
> > > > > files_rw_etc_files(mlogc_t)
> >
> > The files_rw_etc_files(mlogc_t) is bad, if you added it, please remove it
>
> Nope. You didn't tell me to add it so I didn't. I only do what I'm
> told
>
> >
> > instead add the following to mlogc.te:
> >
> > type mlogc_etc_t;
> > files_config_file(mlogc_etc_t)
> > read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
> > files_search_etc(mlogc_t)
>
> Done.
>
> > And add to mlogc.fc:
> >
> > /etc/mlogc.conf -- gen_context(system_u:object_r:mlogc_etc_t, s0)
>
> Done.
>
>
> > > Having done all that (including moving mlogc back to /var/log/mlogc)
> > > these are the current AVCs (18 of them) since making the above changes:
> > >
> > > # ausearch -m AVC -ts recent | audit2allow -R
> > >
> > > require {
> > > type var_log_t;
> > > type httpd_log_t;
> > > type pcscd_t;
> > > type httpd_t;
> > > type mlogc_t;
> > > class capability dac_override;
> > > class unix_stream_socket connectto;
> > > class sem { read write unix_write };
> > > class file { write rename unlink };
> > > class dir create;
> > > }
> > >
> > > #============= httpd_t ==============
> > > allow httpd_t httpd_log_t:file write;
> > > allow httpd_t var_log_t:dir create;
> >
> > ignore above for now
> >
> > >
> > > #============= mlogc_t ==============
> > > allow mlogc_t httpd_log_t:file { rename unlink };
> > > allow mlogc_t pcscd_t:unix_stream_socket connectto;
> > > allow mlogc_t self:capability dac_override;
> > > allow mlogc_t self:sem { read write unix_write };
> > > corenet_tcp_connect_generic_port(mlogc_t)
> >
> > ignore above for now.
> >
> > > dev_read_urand(mlogc_t)
> >
> > add above to mlogc.te
>
> Done.
>
> > > files_list_tmp(mlogc_t)
> >
> > ignore above for now. need to figure out why it's listing tmp, what is it hoping to list?
> >
> > > files_read_usr_symlinks(mlogc_t)
> >
> > not sure why it wants the above but it's harmless, so can add it to mlogc.te for now
>
> Done.
>
> > > files_rw_etc_files(mlogc_t)
> >
> > This is a bug in audit2allow. We added proper rules above so ignore this.
> >
> > > miscfiles_read_certs(mlogc_t)
> > > pcscd_stream_connect(mlogc_t)
> >
> > The above can be added to mlogc.te
>
> Done.
>
>
> OK - Let's see what that brings...
>
> Oops:
> # make -f /usr/share/selinux/devel/Makefile
> Compiling targeted mlogc module
> /usr/bin/checkmodule: loading policy configuration from tmp/mlogc.tmp
> mlogc.te":16:ERROR 'unknown type mlogc_etc_t' at token ';' on line 3828:
> typeattribute mlogc_etc_t etcfile;
> #line 16
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/mlogc.mod] Error 1
>
> Is this the problem?
> read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
> 2 x mlogc_etc_t ? Should that be something else or just 1 x ?
>
> Here is the current mlogc.te
>
> # cat mlogc.te
> policy_module(mlogc, 1.0.3)
>
> type mlogc_t;
> type mlogc_exec_t;
> type mlogc_var_log_t;
>
> logging_log_file(mlogc_var_log_t);
> logging_log_filetrans(mlogc_t, mlogc_var_log_t, { dir file })
> application_domain(mlogc_t, mlogc_exec_t);
> role system_r types mlogc_t;
> permissive mlogc_t;
> manage_dirs_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
> manage_files_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
> read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
> files_search_etc(mlogc_t)
> files_config_file(mlogc_etc_t)
> files_read_usr_symlinks(mlogc_t)
> pcscd_read_pub_files(mlogc_t);
> pcscd_stream_connect(mlogc_t)
> miscfiles_read_localization(mlogc_t)
> miscfiles_read_certs(mlogc_t)
> dev_read_urand(mlogc_t)
> #apache_manage_log(mlogc_t);
>
> allow mlogc_t self:tcp_socket create_socket_perms;
> allow mlogc_t self:udp_socket create_socket_perms;
> allow mlogc_t self:netlink_route_socket create_netlink_socket_perms;
> allow mlogc_t self:process { setsched getsched };

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
04-08-2010, 03:08 PM
Arthur Dent

Mod-security (mlogc) problem

On Thu, 2010-04-08 at 16:41 +0200, Dominick Grift wrote:

> >
> > Having done all that (including moving mlogc back to /var/log/mlogc)
> > these are the current AVCs (18 of them) since making the above
> > changes:
> >
> > # ausearch -m AVC -ts recent | audit2allow -R
> >
> > require {
> > type var_log_t;
> > type httpd_log_t;
> > type pcscd_t;
> > type httpd_t;
> > type mlogc_t;
> > class capability dac_override;
> > class unix_stream_socket connectto;
> > class sem { read write unix_write };
> > class file { write rename unlink };
> > class dir create;
> > }
> >
> > #============= httpd_t ==============
> > allow httpd_t httpd_log_t:file write;
> > allow httpd_t var_log_t:dir create;
>
> As for above. Make sure that file in question is labelled properly.
> Again httpd_t should not need to write to its log files. Neither should
> mod_security. I also have mod_security running on a server and it does
> not need to write to log files (only append)
>
> So we may end up silencing that denial.
>
> As for httpd_t creating a dir in /var/log: I would like to see the
> denial. I was expecting mlogc to create /var/log/mlogc.


I think it's this one:

node=troodos.org.uk type=AVC msg=audit(1270732811.767:47066): avc: denied { create } for pid=10875 comm="httpd" name="20100408" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir
node=troodos.org.uk type=SYSCALL msg=audit(1270732811.767:47066): arch=40000003 syscall=39 success=yes exit=0 a0=2d01a70 a1=1e8 a2=84a1e4 a3=2 items=0 ppid=10852 pid=10875 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

But if that's related to a labelling issue, I have just done a restorecon
on /var/log/ and I got a ton of these:

# restorecon -Rv /var/log/
restorecon reset /var/log/mlogc context unconfined_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
restorecon reset /var/log/mlogc/data context unconfined_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
restorecon reset /var/log/mlogc/data/20100321 context unconfined_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
... Hundreds more
restorecon reset /var/log/mlogc/data/20100326/20100326-1322 context unconfined_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
restorecon reset /var/log/mlogc/mlogc-error.log context system_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
restorecon reset /var/log/mlogc/mlogc-transaction.log context system_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
restorecon reset /var/log/fail2ban.log.1 context system_u:object_r:fail2ban_log_t:s0->system_u:object_r:var_log_t:s0

When I switched back to /var/log/ I forgot to redo the restorecon.
Sorry. Is that the reason?
 
04-08-2010, 03:24 PM
Dominick Grift

Mod-security (mlogc) problem

On Thu, Apr 08, 2010 at 04:08:46PM +0100, Arthur Dent wrote:
> On Thu, 2010-04-08 at 16:41 +0200, Dominick Grift wrote:
>
> > >
> > > Having done all that (including moving mlogc back to /var/log/mlogc)
> > > these are the current AVCs (18 of them) since making the above
> > > changes:
> > >
> > > # ausearch -m AVC -ts recent | audit2allow -R
> > >
> > > require {
> > > type var_log_t;
> > > type httpd_log_t;
> > > type pcscd_t;
> > > type httpd_t;
> > > type mlogc_t;
> > > class capability dac_override;
> > > class unix_stream_socket connectto;
> > > class sem { read write unix_write };
> > > class file { write rename unlink };
> > > class dir create;
> > > }
> > >
> > > #============= httpd_t ==============
> > > allow httpd_t httpd_log_t:file write;
> > > allow httpd_t var_log_t:dir create;
> >
> > As for above. Make sure that file in question is labelled properly.
> > Again httpd_t should not need to write to its log files. Neither should
> > mod_security. I also have mod_security running on a server and it does
> > not need to write to log files (only append)
> >
> > So we may end up silencing that denial.
> >
> > As for httpd_t creating a dir in /var/log: I would like to see the
> > denial. I was expecting mlogc to create /var/log/mlogc.
>
>
> I think it's this one:
>
> node=troodos.org.uk type=AVC msg=audit(1270732811.767:47066): avc: denied { create } for pid=10875 comm="httpd" name="20100408" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir
> node=troodos.org.uk type=SYSCALL msg=audit(1270732811.767:47066): arch=40000003 syscall=39 success=yes exit=0 a0=2d01a70 a1=1e8 a2=84a1e4 a3=2 items=0 ppid=10852 pid=10875 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> But if that's related to a labelling issue, I have just done a restorecon
> on /var/log/ and I got a ton of these:
>
> # restorecon -Rv /var/log/
> restorecon reset /var/log/mlogc context unconfined_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
> restorecon reset /var/log/mlogc/data context unconfined_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
> restorecon reset /var/log/mlogc/data/20100321 context unconfined_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
> ... Hundreds more
> restorecon reset /var/log/mlogc/data/20100326/20100326-1322 context unconfined_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
> restorecon reset /var/log/mlogc/mlogc-error.log context system_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
> restorecon reset /var/log/mlogc/mlogc-transaction.log context system_u:object_r:var_log_t:s0->system_u:object_r:mlogc_var_log_t:s0
> restorecon reset /var/log/fail2ban.log.1 context system_u:object_r:fail2ban_log_t:s0->system_u:object_r:var_log_t:s0
>
> When I switched back to /var/log/ I forgot to redo the restorecon.
> Sorry. Is that the reason?

May well be, yes.
See if you can reproduce.
Also restorecon /etc/mlogc.conf

 
04-08-2010, 03:53 PM
Arthur Dent

Mod-security (mlogc) problem

On Thu, 2010-04-08 at 17:24 +0200, Dominick Grift wrote:

> > When I switched back to /var/log/ I forgot to redo the restorecon.
> > Sorry. Is that the reason?
>
> May well be, yes.
> See if you can reproduce.
> Also restorecon /etc/mlogc.conf

OK - With all that done, here are the latest AVCs:

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270740296.844:47355): avc: denied { dac_override } for pid=10883 comm="mlogc" capability=1 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=capability
node=troodos.org.uk type=SYSCALL msg=audit(1270740296.844:47355): arch=40000003 syscall=5 success=yes exit=6 a0=b772f170 a1=82c1 a2=1b6 a3=856 items=0 ppid=10852 pid=10883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270740436.982:47360): avc: denied { unix_write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
node=troodos.org.uk type=AVC msg=audit(1270740436.982:47360): avc: denied { read write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
node=troodos.org.uk type=SYSCALL msg=audit(1270740436.982:47360): arch=40000003 syscall=117 success=yes exit=0 a0=1 a1=698012 a2=1 a3=0 items=0 ppid=10852 pid=10883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { write } for pid=10876 comm="httpd" name="20100408" dev=sda5 ino=492622 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { create } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir
node=troodos.org.uk type=SYSCALL msg=audit(1270740627.436:47371): arch=40000003 syscall=39 success=yes exit=0 a0=2d01a18 a1=1e8 a2=84a1e4 a3=2d019c0 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-1630" dev=sda5 ino=496009 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { create } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" dev=sda5 ino=496011 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270740627.461:47372): arch=40000003 syscall=5 success=yes exit=19 a0=2d019c0 a1=8241 a2=1a0 a3=836 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


# ausearch -m AVC -ts recent | audit2allow -R

require {
type mlogc_var_log_t;
type mlogc_t;
type httpd_t;
class capability dac_override;
class sem { read write unix_write };
class dir { write create add_name };
class file { write create };
}

#============= httpd_t ==============
allow httpd_t mlogc_var_log_t:dir { write create add_name };
allow httpd_t mlogc_var_log_t:file { write create };

#============= mlogc_t ==============
allow mlogc_t self:capability dac_override;
allow mlogc_t self:sem { read write unix_write };
[root@troodos mlogc]# restorecon /etc/mlogc.conf


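The AVC records and the audit2allow output in this thread are the raw material for every policy decision discussed above: which denials to allow outright, which to investigate first (dac_override, the connection to a generic port), and which point at a labelling problem or a missing file type transition (httpd_t writing into mlogc's log directory). The following is an added Python example, not code from the thread and not audit2allow itself: it parses AVC records in the form posted here, groups them into audit2allow-style allow rules, and flags the ones the thread says should be investigated rather than allowed. The sample records are the thread's own AVC lines with the mangled contexts restored; the function names and the review heuristics are my own.

```python
"""Summarise SELinux AVC denials audit2allow-style and flag the ones to investigate.

Added example for this thread; it is neither audit2allow nor part of the thread.
"""
import re
from collections import defaultdict

# Sample records taken from the AVCs posted in this thread (contexts restored).
# The SYSCALL record is included only to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
node=troodos.org.uk type=AVC msg=audit(1270740296.844:47355): avc: denied { dac_override } for pid=10883 comm="mlogc" capability=1 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=capability
node=troodos.org.uk type=SYSCALL msg=audit(1270740296.844:47355): arch=40000003 syscall=5 success=yes exit=6 a0=b772f170 a1=82c1 a2=1b6 a3=856 items=0 ppid=10852 pid=10883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
node=troodos.org.uk type=AVC msg=audit(1270740436.982:47360): avc: denied { read write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { write } for pid=10876 comm="httpd" name="20100408" dev=sda5 ino=492622 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270679720.128:45085): avc: denied { name_connect } for pid=1869 comm="mlogc" dest=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    if 'type=AVC' not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'perms': sorted(m.group('perms').split()),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm', '?'),
        'name': fields.get('name'),
        'dest': fields.get('dest'),
    }


def parse_audit(text):
    """Return the parsed AVC records found in a block of audit output."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def allow_rules(records):
    """Group denials audit2allow-style: one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for r in records:
        target = 'self' if r['target'] == r['source'] else r['target']
        perms[(r['source'], target, r['tclass'])].update(r['perms'])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        p = ' '.join(sorted(ps))
        if len(ps) > 1:
            p = '{ %s }' % p
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, p))
    return rules


def review_notes(records):
    """Flag denials that should be investigated rather than allowed (heuristics
    follow the reasoning in the thread; they are an assumption, not policy)."""
    notes = []
    for r in records:
        src, tgt, cls = r['source'], r['target'], r['tclass']
        if cls == 'capability' and 'dac_override' in r['perms']:
            note = ('%s (%s) needs dac_override: find the path not owned by root that it '
                    'opens and fix ownership or labelling instead of allowing the capability'
                    % (src, r['comm']))
        elif cls == 'tcp_socket' and 'name_connect' in r['perms'] and tgt == 'port_t':
            note = ('%s connects to tcp port %s, which only carries the generic port_t label: '
                    'give the port a dedicated type so policy can name the peer' % (src, r['dest']))
        elif (cls in ('dir', 'file') and {'write', 'create', 'add_name'} & set(r['perms'])
              and not tgt.startswith(src[:-2] + '_')):
            # e.g. httpd_t creating entries under mlogc_var_log_t
            note = ('%s writes into %s, a type it does not own: check labelling with '
                    'restorecon, or add a filetrans so files it creates get the intended type'
                    % (src, tgt))
        else:
            continue
        if note not in notes:
            notes.append(note)
    return notes


if __name__ == '__main__':
    recs = parse_audit(SAMPLE_AUDIT)
    for rule in allow_rules(recs):
        print(rule)
    print()
    for note in review_notes(recs):
        print('REVIEW:', note)
```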
 
04-08-2010, 04:10 PM
Dominick Grift

Mod-security (mlogc) problem

On Thu, Apr 08, 2010 at 04:53:59PM +0100, Arthur Dent wrote:
> On Thu, 2010-04-08 at 17:24 +0200, Dominick Grift wrote:
>
> > > When I switched back to /var/log/ I forgot to redo the restorecon.
> > > Sorry. Is that the reason?
> >
> > May well be, yes.
> > See if you can reproduce.
> > Also restorecon /etc/mlogc.conf
>
> OK - With all that done, here are the latest AVCs:
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270740296.844:47355): avc: denied { dac_override } for pid=10883 comm="mlogc" capability=1 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=capability
> node=troodos.org.uk type=SYSCALL msg=audit(1270740296.844:47355): arch=40000003 syscall=5 success=yes exit=6 a0=b772f170 a1=82c1 a2=1b6 a3=856 items=0 ppid=10852 pid=10883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270740436.982:47360): avc: denied { unix_write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
> node=troodos.org.uk type=AVC msg=audit(1270740436.982:47360): avc: denied { read write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
> node=troodos.org.uk type=SYSCALL msg=audit(1270740436.982:47360): arch=40000003 syscall=117 success=yes exit=0 a0=1 a1=698012 a2=1 a3=0 items=0 ppid=10852 pid=10883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { write } for pid=10876 comm="httpd" name="20100408" dev=sda5 ino=492622 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir
> node=troodos.org.uk type=AVC msg=audit(1270740627.436:47371): avc: denied { create } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir
> node=troodos.org.uk type=SYSCALL msg=audit(1270740627.436:47371): arch=40000003 syscall=39 success=yes exit=0 a0=2d01a18 a1=1e8 a2=84a1e4 a3=2d019c0 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-1630" dev=sda5 ino=496009 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { create } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file
> node=troodos.org.uk type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" dev=sda5 ino=496011 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file
> node=troodos.org.uk type=SYSCALL msg=audit(1270740627.461:47372): arch=40000003 syscall=5 success=yes exit=19 a0=2d019c0 a1=8241 a2=1a0 a3=836 items=0 ppid=10852 pid=10876 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> # ausearch -m AVC -ts recent | audit2allow -R
>
> require {
> type mlogc_var_log_t;
> type mlogc_t;
> type httpd_t;
> class capability dac_override;
> class sem { read write unix_write };
> class dir { write create add_name };
> class file { write create };
> }
>
> #============= httpd_t ==============
> allow httpd_t mlogc_var_log_t:dir { write create add_name };
> allow httpd_t mlogc_var_log_t:file { write create };

Alright, let's try and wrap this up. So here mod_security (httpd_t) wants to manage mlogc log files.
We (mlogc) should facilitate this interaction.

That means we should create an "mlogc_manage_log" interface in our mlogc.if file, and call that interface for httpd_t in our myapache.te file.

I am going to ignore the fact that it is writing to the logfile. This might be a bug in mod_security or mlogc, but we'll just allow it.

Add this to mlogc.if:

########################################
## <summary>
##	Manage mlogc log content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mlogc_manage_log',`
	gen_require(`
		type mlogc_var_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, mlogc_var_log_t, mlogc_var_log_t)
	manage_files_pattern($1, mlogc_var_log_t, mlogc_var_log_t)
	read_lnk_files_pattern($1, mlogc_var_log_t, mlogc_var_log_t)
')

Next: in myapache.te call the interface for httpd_t:

mlogc_manage_log(httpd_t)

>
> #============= mlogc_t ==============
> allow mlogc_t self:capability dac_override;
> allow mlogc_t self:sem { read write unix_write };

Add the following to mlogc.te:

allow mlogc_t self:capability { sys_nice dac_override };
allow mlogc_t self:sem rw_sem_perms;

> [root@troodos mlogc]# restorecon /etc/mlogc.conf
>
>

We still haven't figured out why it needs dac_override, but oh well..
Also it seems it does not want to list /tmp anymore?




 
04-08-2010, 05:15 PM
Arthur Dent

Mod-security (mlogc) problem

On Thu, 2010-04-08 at 18:10 +0200, Dominick Grift wrote:

> Alright lets try and wrap this up.

[snipped lots of stuff to wrap things up]

Well Dominick, I triggered a Mod-Sec alert nearly 20 minutes ago and so
far (touching wood here) there are no reported AVCs!

Thank you so much for all the effort you put into this. I realise that
this is in addition to your daily workload so I am full of gratitude.

Feeling guilty that I have consumed so much of your time rather
selfishly, I was wondering if this work could be used by other than just
me?

Although the ModSecurity-Console is not from a Fedora RPM, a large
part of what we (you) dealt with is the interaction between mod-security
and mlogc, which (in my case at least) were installed from Fedora RPMs.

I don't know if the package maintainer for that RPM is on this list, but
could this policy be applied to that package? Or could some of this find
its way into general SEL policy?

Anyhow...

I guess the only thing remaining (if it all stays quiet) is to remove
the "permissive mlogc_t;" directive from mlogc.te and put the system
back into Enforcing mode?

Thanks again?

I'm not even sure what time zone you're in, but if you're ever in London
I'll buy you a pint!

Cheers!

Mark


 
04-08-2010, 05:35 PM
Dominick Grift

Mod-security (mlogc) problem

On Thu, Apr 08, 2010 at 06:15:37PM +0100, Arthur Dent wrote:
> On Thu, 2010-04-08 at 18:10 +0200, Dominick Grift wrote:
>
> > Alright lets try and wrap this up.
>
> [snipped lots of stuff to wrap things up]
>
> Well Dominick, I triggered a Mod-Sec alert nearly 20 minutes ago and so
> far (touching wood here) there are no reported AVCs!
>
> Thank you so much for all the effort you put into this. I realise that
> this is in addition to your daily workload so I am full of gratitude.
>
> Feeling guilty that I have consumed so much of your time rather
> selfishly, I was wondering if this work could be used by other than just
> me?
>
> Although the ModSecurity-Console is not from a Fedora RPM, a large
> part of what we (you) dealt with is the interaction between mod-security
> and mlogc, which (in my case at least) were installed from Fedora RPMs.
>
> I don't know if the package maintainer for that RPM is on this list, but
> could this policy be applied to that package? Or could some of this find
> its way into general SEL policy?

I am not sure if submitting this upstream will result in adoption.

But this thread serves as an example for others to gain some insight into policy development fundamentals in the mailing list archives. So other than that I was able to help you, it was also worth my while from that point of view.

Besides, I like doing this, and so I enjoyed it.

SELinux is a framework and policy is configuration data. Writing policy could be like maintaining an iptables configuration, albeit a bit more complex.

So policy is often a matter of personal preference and often there is no one size fits all.

So I will leave the decision about whether or not to share the policy forward or submit it upstream to you.
>
> Anyhow...
>
> I guess the only thing remaining (if it all stays quiet) is to remove
> the "permissive mlogc_t;" directive from mlogc.te and put the system
> back into Enforcing mode?
>
> Thanks again?
>
> I'm not even sure what time zone you're in, but if you're ever in London
> I'll buy you a pint!

I am in the Netherlands, but I will drink one on our success. Cheers!
>
> Cheers!
>
> Mark
>
>




 
04-08-2010, 06:30 PM
Arthur Dent

Mod-security (mlogc) problem

On Thu, 2010-04-08 at 19:35 +0200, Dominick Grift wrote:
> On Thu, Apr 08, 2010 at 06:15:37PM +0100, Arthur Dent wrote:
> > On Thu, 2010-04-08 at 18:10 +0200, Dominick Grift wrote:
> >
> > > Alright lets try and wrap this up.
> >
> > [snipped lots of stuff to wrap things up]
> >
> > Well Dominick, I triggered a Mod-Sec alert nearly 20 minutes ago and so
> > far (touching wood here) there are no reported AVCs!
> >

Spoke too soon!...

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270750990.203:47741): avc: denied { signal } for pid=10852 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=process
node=troodos.org.uk type=SYSCALL msg=audit(1270750990.203:47741): arch=40000003 syscall=37 success=yes exit=0 a0=ffffd59c a1=f a2=9b6ff4 a3=1 items=0 ppid=1 pid=10852 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270750996.408:47742): avc: denied { destroy } for pid=10884 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
node=troodos.org.uk type=SYSCALL msg=audit(1270750996.408:47742): arch=40000003 syscall=117 success=yes exit=0 a0=3 a1=698012 a2=0 a3=100 items=0 ppid=10852 pid=10884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)


Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270751004.197:47743): avc: denied { read write } for pid=14112 comm="mlogc" name="1" dev=devpts ino=4 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
node=troodos.org.uk type=SYSCALL msg=audit(1270751004.197:47743): arch=40000003 syscall=11 success=yes exit=0 a0=9dd3288 a1=9dd32b8 a2=9dd2900 a3=9dd32b8 items=0 ppid=14111 pid=14112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270751009.399:47744): avc: denied { create } for pid=14112 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
node=troodos.org.uk type=SYSCALL msg=audit(1270751009.399:47744): arch=40000003 syscall=117 success=yes exit=7143448 a0=2 a1=0 a2=1 a3=380 items=0 ppid=1 pid=14112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)


 
04-08-2010, 07:28 PM
Dominick Grift

Mod-security (mlogc) problem

On Thu, Apr 08, 2010 at 07:30:04PM +0100, Arthur Dent wrote:
> On Thu, 2010-04-08 at 19:35 +0200, Dominick Grift wrote:
> > On Thu, Apr 08, 2010 at 06:15:37PM +0100, Arthur Dent wrote:
> > > On Thu, 2010-04-08 at 18:10 +0200, Dominick Grift wrote:
> > >
> > > > Alright lets try and wrap this up.
> > >
> > > [snipped lots of stuff to wrap things up]
> > >
> > > Well Dominick, I triggered a Mod-Sec alert nearly 20 minutes ago and so
> > > far (touching wood here) there are no reported AVCs!
> > >
>
> Spoke too soon!...
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270750990.203:47741): avc: denied { signal } for pid=10852 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=process
> node=troodos.org.uk type=SYSCALL msg=audit(1270750990.203:47741): arch=40000003 syscall=37 success=yes exit=0 a0=ffffd59c a1=f a2=9b6ff4 a3=1 items=0 ppid=1 pid=10852 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

in mlogc.if:

########################################
## <summary>
##	Send a generic signal to MLOGC.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mlogc_signal',`
	gen_require(`
		type mlogc_t;
	')

	allow $1 mlogc_t:process signal;
')

in myapache.te:

mlogc_signal(httpd_t)

>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270750996.408:47742): avc: denied { destroy } for pid=10884 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
> node=troodos.org.uk type=SYSCALL msg=audit(1270750996.408:47742): arch=40000003 syscall=117 success=yes exit=0 a0=3 a1=698012 a2=0 a3=100 items=0 ppid=10852 pid=10884 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

mlogc.te:

instead of rw_sem_perms use create_sem_perms.

>
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270751004.197:47743): avc: denied { read write } for pid=14112 comm="mlogc" name="1" dev=devpts ino=4 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
> node=troodos.org.uk type=SYSCALL msg=audit(1270751004.197:47743): arch=40000003 syscall=11 success=yes exit=0 a0=9dd3288 a1=9dd32b8 a2=9dd2900 a3=9dd32b8 items=0 ppid=14111 pid=14112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

mlogc.te:

userdom_use_user_terminals(mlogc_t)

>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270751009.399:47744): avc: denied { create } for pid=14112 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
> node=troodos.org.uk type=SYSCALL msg=audit(1270751009.399:47744): arch=40000003 syscall=117 success=yes exit=7143448 a0=2 a1=0 a2=1 a3=380 items=0 ppid=1 pid=14112 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
>
>

mlogc.te:

instead of rw_sem_perms use create_sem_perms.



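The `ausearch -m AVC | audit2allow -R` step that this post and the wrap-up post above both depend on, as an added example (not code from the thread, from mlogc or from refpolicy): a small Python re-implementation that groups raw AVC records into allow rules, maps denials on mlogc's resources onto the `mlogc_manage_log` and `mlogc_signal` interfaces defined in these posts, and sets `dac_override` aside for review instead of granting it automatically. The sample records are constructed from the denials quoted in the thread; the `MLOGC_INTERFACES` and `REVIEW_PERMS` tables are my assumptions, and the permission sets approximate refpolicy's manage_dir_perms and manage_file_perms.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in the shape of those posted in this thread
# (same domains, types, classes and permissions; dev/ino fields dropped).
SAMPLE_AVCS = """\
type=AVC msg=audit(1270740627.436:47371): avc: denied { write } for pid=10876 comm="httpd" name="20100408" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir
type=AVC msg=audit(1270740627.436:47371): avc: denied { add_name } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mlogc_var_log_t:s0 tclass=dir
type=AVC msg=audit(1270740627.436:47371): avc: denied { create } for pid=10876 comm="httpd" name="20100408-1630" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=dir
type=AVC msg=audit(1270740627.461:47372): avc: denied { create } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file
type=AVC msg=audit(1270740627.461:47372): avc: denied { write } for pid=10876 comm="httpd" name="20100408-163027-S732jFIrkOUAACp8YkEAAAAB" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mlogc_var_log_t:s0 tclass=file
type=AVC msg=audit(1270740296.844:47355): avc: denied { dac_override } for pid=10883 comm="mlogc" capability=1 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=capability
type=AVC msg=audit(1270740436.982:47360): avc: denied { read write } for pid=10883 comm="mlogc" key=0 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=sem
type=AVC msg=audit(1270750990.203:47741): avc: denied { signal } for pid=10852 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions granted by manage_dirs_pattern / manage_files_pattern
# (approximation of refpolicy's manage_dir_perms / manage_file_perms).
MANAGE_DIR_PERMS = {"create", "open", "getattr", "setattr", "read", "write", "ioctl", "lock",
                    "link", "unlink", "rename", "search", "add_name", "remove_name",
                    "reparent", "rmdir"}
MANAGE_FILE_PERMS = {"create", "open", "getattr", "setattr", "read", "write", "append",
                     "ioctl", "lock", "link", "unlink", "rename"}

# (target type, class) -> (interface from this thread's mlogc.if, permissions it covers).
# Assumed table: the real audit2allow -R derives this from the installed interfaces.
MLOGC_INTERFACES = {
    ("mlogc_var_log_t", "dir"): ("mlogc_manage_log", MANAGE_DIR_PERMS),
    ("mlogc_var_log_t", "file"): ("mlogc_manage_log", MANAGE_FILE_PERMS),
    ("mlogc_t", "process"): ("mlogc_signal", {"signal"}),
}

# Permissions worth understanding before they are allowed (assumed list).
REVIEW_PERMS = {
    "dac_override": "usually means file ownership/mode does not match the uid the "
                    "process runs as; check the files before granting it",
}


def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise carry no avc: denied
        src = type_of(m.group("scontext"))
        tgt = type_of(m.group("tcontext"))
        if tgt == src:
            tgt = "self"  # identical contexts on both sides become a self rule
        denials[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return denials


def format_allow(src, tgt, cls, perms):
    """Render one allow rule; braces only when there is more than one permission."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {body};"


def suggest_policy(denials):
    """Split grouped denials into interface calls (another domain touching mlogc
    resources), raw rules for mlogc.te, and rules that need a human look first."""
    interface_calls, te_rules, review = set(), [], []
    for (src, tgt, cls), perms in sorted(denials.items()):
        iface = MLOGC_INTERFACES.get((tgt, cls))
        if iface and src != "mlogc_t" and perms <= iface[1]:
            interface_calls.add(f"{iface[0]}({src})")
            continue
        rule = format_allow(src, tgt, cls, perms)
        te_rules.append(rule)
        for perm in sorted(perms & set(REVIEW_PERMS)):
            review.append(f"{rule}  # {perm}: {REVIEW_PERMS[perm]}")
    return {"interface_calls": sorted(interface_calls), "te_rules": te_rules, "review": review}


if __name__ == "__main__":
    result = suggest_policy(parse_avcs(SAMPLE_AVCS))
    print("# myapache.te")
    print("\n".join(result["interface_calls"]))
    print("\n# mlogc.te")
    print("\n".join(result["te_rules"]))
    print("\n# review before allowing")
    print("\n".join(result["review"]))
```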
 
04-09-2010, 07:13 AM
Arthur Dent

Mod-security (mlogc) problem

Hi Dominick,

Still not quite there yet...

(Apologies if there are duplicates here):

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270762877.688:48174): avc: denied { signal } for pid=14587 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=process
node=troodos.org.uk type=SYSCALL msg=audit(1270762877.688:48174): arch=40000003 syscall=37 success=yes exit=0 a0=ffffc705 a1=f a2=2b9ff4 a3=1 items=0 ppid=1 pid=14587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270762931.148:48179): avc: denied { getattr } for pid=15736 comm="mlogc" path="/etc/passwd" dev=sda5 ino=1233517 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270762931.148:48179): arch=40000003 syscall=195 success=yes exit=0 a0=8c43fe a1=b64133dc a2=d1eff4 a3=3 items=0 ppid=15707 pid=15736 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270762931.150:48180): avc: denied { read } for pid=15736 comm="mlogc" name="passwd" dev=sda5 ino=1233517 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1270762931.150:48180): avc: denied { open } for pid=15736 comm="mlogc" name="passwd" dev=sda5 ino=1233517 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270762931.150:48180): arch=40000003 syscall=5 success=yes exit=8 a0=8c43fe a1=0 a2=1b6 a3=8d15aa items=0 ppid=15707 pid=15736 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270762931.153:48181): avc: denied { read } for pid=15736 comm="mlogc" name="tmp" dev=sda5 ino=820801 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270762931.153:48181): avc: denied { open } for pid=15736 comm="mlogc" name="tmp" dev=sda5 ino=820801 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos.org.uk type=SYSCALL msg=audit(1270762931.153:48181): arch=40000003 syscall=5 success=yes exit=8 a0=8c4437 a1=0 a2=1b6 a3=8d15aa items=0 ppid=15707 pid=15736 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270763183.873:48186): avc: denied { signal } for pid=15707 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=process
node=troodos.org.uk type=SYSCALL msg=audit(1270763183.873:48186): arch=40000003 syscall=37 success=yes exit=0 a0=ffffc2a5 a1=f a2=7ddff4 a3=1 items=0 ppid=1 pid=15707 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270763457.339:48197): avc: denied { signal } for pid=15806 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=process
node=troodos.org.uk type=SYSCALL msg=audit(1270763457.339:48197): arch=40000003 syscall=37 success=yes exit=0 a0=ffffc242 a1=f a2=5bdff4 a3=1 items=0 ppid=1 pid=15806 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270763495.89:48202): avc: denied { getattr } for pid=15903 comm="mlogc" path="/etc/passwd" dev=sda5 ino=1233517 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270763495.89:48202): arch=40000003 syscall=195 success=yes exit=0 a0=aee3fe a1=b63bb3dc a2=27bff4 a3=3 items=0 ppid=15881 pid=15903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270763495.104:48203): avc: denied { read } for pid=15903 comm="mlogc" name="passwd" dev=sda5 ino=1233517 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1270763495.104:48203): avc: denied { open } for pid=15903 comm="mlogc" name="passwd" dev=sda5 ino=1233517 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270763495.104:48203): arch=40000003 syscall=5 success=yes exit=8 a0=aee3fe a1=0 a2=1b6 a3=afb5aa items=0 ppid=15881 pid=15903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270763495.107:48204): avc: denied { read } for pid=15903 comm="mlogc" name="tmp" dev=sda5 ino=820801 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270763495.107:48204): avc: denied { open } for pid=15903 comm="mlogc" name="tmp" dev=sda5 ino=820801 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos.org.uk type=SYSCALL msg=audit(1270763495.107:48204): arch=40000003 syscall=5 success=yes exit=8 a0=aee437 a1=0 a2=1b6 a3=afb5aa items=0 ppid=15881 pid=15903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270780538.4:48826): avc: denied { signal } for pid=24426 comm="httpd" scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mlogc_t:s0-s0:c0.c1023 tclass=process
node=troodos.org.uk type=SYSCALL msg=audit(1270780538.4:48826): arch=40000003 syscall=37 success=yes exit=0 a0=5f6c a1=f a2=3851e4 a3=13ea018 items=0 ppid=24425 pid=24426 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3072 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0-s0:c0.c1023 key=(null)

# cat avcs | audit2allow -R

require {
type httpd_t;
type mlogc_t;
class process signal;
}

#============= httpd_t ==============
allow httpd_t mlogc_t:process signal;

#============= mlogc_t ==============
files_list_tmp(mlogc_t)
files_rw_etc_files(mlogc_t)


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
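As an added example (not part of the thread, and not audit2allow's own code), the script below does the first half of what `audit2allow` does on the records quoted above: it parses AVC `denied` lines, merges denials that share a source type, target type and object class into one `allow` rule, and builds the matching `require` block. It also pairs each AVC record with its SYSCALL record by audit serial and reports denials where `success=yes`, which is what the records in this message show and which means the access actually went ahead (the domain, or the whole system, was permissive). The audit lines in `SAMPLE_AUDIT` are constructed for this example, modelled on the ones in the thread with the hostname replaced; the `-R` step that maps rules to reference-policy interfaces such as `files_list_tmp()` is not reproduced here.

```python
"""Turn raw AVC denial records into the allow rules audit2allow would emit,
and flag denials whose syscall still succeeded (permissive mode)."""
import re
from collections import defaultdict

# Constructed sample records, modelled on the AVC/SYSCALL lines quoted in the thread
# (hostname changed; serial 48204 deliberately has no SYSCALL record).
SAMPLE_AUDIT = """\
node=example.test type=AVC msg=audit(1270763495.104:48203): avc: denied { read } for pid=15903 comm="mlogc" name="passwd" dev=sda5 ino=1233517 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=example.test type=AVC msg=audit(1270763495.104:48203): avc: denied { open } for pid=15903 comm="mlogc" name="passwd" dev=sda5 ino=1233517 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=example.test type=SYSCALL msg=audit(1270763495.104:48203): arch=40000003 syscall=5 success=yes exit=8 items=0 ppid=15881 pid=15903 uid=0 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
node=example.test type=AVC msg=audit(1270763495.107:48204): avc: denied { read } for pid=15903 comm="mlogc" name="tmp" dev=sda5 ino=820801 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=example.test type=AVC msg=audit(1270780538.4:48826): avc: denied { signal } for pid=24426 comm="httpd" scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mlogc_t:s0-s0:c0.c1023 tclass=process
node=example.test type=SYSCALL msg=audit(1270780538.4:48826): arch=40000003 syscall=37 success=yes exit=0 items=0 ppid=24425 pid=24426 uid=0 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0-s0:c0.c1023 key=(null)
"""

# "avc: +denied" tolerates the single or double space auditd uses after "avc:".
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ *(?P<perms>[^}]+?) *\} .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): .*?\bsuccess=(?P<success>\w+)'
)


def type_of(context):
    """The SELinux type is the third field of user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC 'denied' record: serial, perms, source/target type, class."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "serial": m.group("serial"),
            "perms": set(m.group("perms").split()),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def parse_syscall_success(text):
    """Map audit serial -> True/False taken from the SYSCALL record's success= field."""
    results = {}
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            results[m.group("serial")] = m.group("success") == "yes"
    return results


def fmt_perms(perms):
    """audit2allow style: bare name for one permission, sorted set in braces otherwise."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_allow_rules(denials):
    """Merge denials sharing (source, target, class) into a single allow rule."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return sorted(f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in merged.items())


def build_require_block(denials):
    """Every type and class/permission the allow rules reference must be required."""
    types = sorted({d["source"] for d in denials} | {d["target"] for d in denials})
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]] |= d["perms"]
    lines = ["require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines.append("}")
    return "\n".join(lines)


def permissive_denials(text):
    """Serials whose AVC says 'denied' but whose syscall reports success=yes:
    the access happened anyway, so that domain (or the system) is permissive."""
    success = parse_syscall_success(text)
    return sorted({d["serial"] for d in parse_avc_denials(text)
                   if success.get(d["serial"]) is True})


if __name__ == "__main__":
    denials = parse_avc_denials(SAMPLE_AUDIT)
    print(build_require_block(denials))
    print()
    print("\n".join(build_allow_rules(denials)))
    print("\nallowed despite 'denied' (permissive):", permissive_denials(SAMPLE_AUDIT))
```

Run against the constructed sample it prints `allow mlogc_t etc_t:file { open read };`, `allow mlogc_t tmp_t:dir read;` and `allow httpd_t mlogc_t:process signal;`, i.e. the raw form of the rules that `audit2allow -R` then rewrites as `files_rw_etc_files(mlogc_t)` and `files_list_tmp(mlogc_t)`. Serial 48204 has no SYSCALL record in the sample, so it is left out of the permissive list rather than guessed at.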