 
Old 04-07-2010, 02:23 PM
Arthur Dent
 
Mod-security (mlogc) problem

Hello all,

I believe in a multi-layered approach towards security, so as well as
SELinux I use Mod-Security to protect the web server on my F11 machine.

Recently I started using the ModSecurity Community Console to analyse
the mod-security denials. This requires using the mlogc logging
application that comes bundled with the mod_security-2.5.12-1.fc11.i586
package.

Now every time a mod-security denial is triggered I get 3 SEL AVCs
(currently in permissive mode while I sort this out). They say:

SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
If you want to change the file context of /var/run/pcscd.pid so that the
httpd daemon can access it, you need to execute it using chcon -t
httpd_sys_content_t '/var/run/pcscd.pid'.

A similar one for /var/run/pcsd.pub

and then one for:
SELinux is preventing the mlogc from using potentially mislabeled files
636F6F6C6B6579706B313173452D47617465203020302D30 (auth_cache_t).

(Actual AVCs below)

If I try doing the chcon -t httpd_sys_content_t '/var/run/pcscd.xxx' as
recommended by sealert I only get the one with the strange filename each
time I get a mod-sec alert. However, now of course I get this:

SELinux denied access requested by certwatch. /var/run/pcscd.pub may be a mislabeled. /var/run/pcscd.pub default SELinux type is pcscd_var_run_t, but its current type is httpd_sys_content_t. Changing this file back to the default type, may fix your problem.
(and another one for .pid)

So I need to put the file context back to what it was using
restorecon....

Audit2allow suggests this:

require {
type auth_cache_t;
type httpd_t;
type pcscd_var_run_t;
class file { read write getattr open };
}

#============= httpd_t ==============
allow httpd_t auth_cache_t:file { read write };
allow httpd_t pcscd_var_run_t:file { read getattr open };

What do you think is the best solution to this problem?

Thanks in advance for any help or suggestions...

Mark

AVCs
====

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { read } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { open } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270480904.700:37928): arch=40000003 syscall=5 success=yes exit=10 a0=d348ea a1=0 a2=1b6 a3=d348e8 items=0 ppid=9643 pid=9674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270488357.977:38184): avc: denied { getattr } for pid=10531 comm="mlogc" path="/var/run/pcscd.pub" dev=sda5 ino=362221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270488357.977:38184): arch=40000003 syscall=195 success=yes exit=0 a0=d345ab a1=b64279ac a2=d1eff4 a3=3 items=0 ppid=9643 pid=10531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270488685.640:38200): avc: denied { read write } for pid=10661 comm="mlogc" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=sda5 ino=372384 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270488685.640:38200): arch=40000003 syscall=5 success=yes exit=12 a0=b5830dc0 a1=20002 a2=180 a3=b5830da8 items=0 ppid=10644 pid=10661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 04-07-2010, 03:31 PM
Dominick Grift
 
Mod-security (mlogc) problem

On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> Hello all,
>
> I believe in a multi-layered approach towards security, so as well as
> SELinux I use Mod-Security to protect the web server on my F11 machine.
>
> Recently I started using the ModSecurity Community Console to analyse
> the mod-security denials. This requires using the mlogc logging
> application that comes bundled with the mod_security-2.5.12-1.fc11.i586
> package.
>
> Now every time a mod-security denial is triggered I get 3 SEL AVCs
> (currently in permissive mode while I sort this out). They say:
>
> SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
> If you want to change the file context of /var/run/pcscd.pid so that the
> httpd daemon can access it, you need to execute it using chcon -t
> httpd_sys_content_t '/var/run/pcscd.pid'.
>
> A similar one for /var/run/pcsd.pub
>
> and then one for:
> SELinux is preventing the mlogc from using potentially mislabeled files
> 636F6F6C6B6579706B313173452D47617465203020302D30 (auth_cache_t).
>
> (Actual AVCs below)
>
> If I try doing the chcon -t httpd_sys_content_t '/var/run/pcscd.xxx' as
> recommended by sealert I only get the one with the strange filename each
> time I get a mod-sec alert. However, now of course I get this:
>
> SELinux denied access requested by certwatch. /var/run/pcscd.pub may be a mislabeled. /var/run/pcscd.pub default SELinux type is pcscd_var_run_t, but its current type is httpd_sys_content_t. Changing this file back to the default type, may fix your problem.
> (and another one for .pid)
>
> So I need to put the file context back to what it was using
> restorecon....
>
> Audit2allow suggests this:
>
> require {
> type auth_cache_t;
> type httpd_t;
> type pcscd_var_run_t;
> class file { read write getattr open };
> }
>
> #============= httpd_t ==============
> allow httpd_t auth_cache_t:file { read write };
> allow httpd_t pcscd_var_run_t:file { read getattr open };
>
> What do you think is the best solution to this problem?

Does it work when you allow those access vectors? Either way, I would set up
a domain transition from apache to a new clogd domain and allow this clogd domain the access it requires.
I prefer this over extending the httpd_t domain to allow this access.

>
> Thanks in advance for any help or suggestions...
>
> Mark
>
> AVCs
> ====
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { read } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
> node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { open } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
> node=troodos.org.uk type=SYSCALL msg=audit(1270480904.700:37928): arch=40000003 syscall=5 success=yes exit=10 a0=d348ea a1=0 a2=1b6 a3=d348e8 items=0 ppid=9643 pid=9674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270488357.977:38184): avc: denied { getattr } for pid=10531 comm="mlogc" path="/var/run/pcscd.pub" dev=sda5 ino=362221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
> node=troodos.org.uk type=SYSCALL msg=audit(1270488357.977:38184): arch=40000003 syscall=195 success=yes exit=0 a0=d345ab a1=b64279ac a2=d1eff4 a3=3 items=0 ppid=9643 pid=10531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270488685.640:38200): avc: denied { read write } for pid=10661 comm="mlogc" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=sda5 ino=372384 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file
> node=troodos.org.uk type=SYSCALL msg=audit(1270488685.640:38200): arch=40000003 syscall=5 success=yes exit=12 a0=b5830dc0 a1=20002 a2=180 a3=b5830da8 items=0 ppid=10644 pid=10661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>



> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 04-07-2010, 04:45 PM
Dominick Grift
 
Mod-security (mlogc) problem

On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> Hello all,
>
> I believe in a multi-layered approach towards security, so as well as
> SELinux I use Mod-Security to protect the web server on my F11 machine.
>
> Recently I started using the ModSecurity Community Console to analyse
> the mod-security denials. This requires using the mlogc logging
> application that comes bundled with the mod_security-2.5.12-1.fc11.i586
> package.
>
> Now every time a mod-security denial is triggered I get 3 SEL AVCs
> (currently in permissive mode while I sort this out). They say:
>
> SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
> If you want to change the file context of /var/run/pcscd.pid so that the
> httpd daemon can access it, you need to execute it using chcon -t
> httpd_sys_content_t '/var/run/pcscd.pid'.
>
> A similar one for /var/run/pcsd.pub
>
> and then one for:
> SELinux is preventing the mlogc from using potentially mislabeled files
> 636F6F6C6B6579706B313173452D47617465203020302D30 (auth_cache_t).
>
> (Actual AVCs below)
>
> If I try doing the chcon -t httpd_sys_content_t '/var/run/pcscd.xxx' as
> recommended by sealert I only get the one with the strange filename each
> time I get a mod-sec alert. However, now of course I get this:
>
> SELinux denied access requested by certwatch. /var/run/pcscd.pub may be a mislabeled. /var/run/pcscd.pub default SELinux type is pcscd_var_run_t, but its current type is httpd_sys_content_t. Changing this file back to the default type, may fix your problem.
> (and another one for .pid)
>
> So I need to put the file context back to what it was using
> restorecon....
>
> Audit2allow suggests this:
>
> require {
> type auth_cache_t;
> type httpd_t;
> type pcscd_var_run_t;
> class file { read write getattr open };
> }
>
> #============= httpd_t ==============
> allow httpd_t auth_cache_t:file { read write };
> allow httpd_t pcscd_var_run_t:file { read getattr open };
>
> What do you think is the best solution to this problem?
>
> Thanks in advance for any help or suggestions...

To create a new policy module for mlogc:

Create a work directory (~/mywork) and go there to do your work: cd ~/mywork
touch 3 files that will be our mlogc source policy module (touch mlogc.te mlogc.if mlogc.fc)
The .te file is for policy local to mlogc, the .if file has policy that other parties can call when they want to interact with mlogc, and the .fc file has file context specifications for mlogc.

So let's start by declaring some types for mlogc, make those types usable, and specify any file contexts that we know are required.

Declare a new policy module in mlogc.te:

policy_module(mlogc, 1.0.0)

Now we need to declare a type for the mlogc process and a type for the mlogc executable file. We make those types a usable application domain by calling the application_domain interface in mlogc.te:

type mlogc_t;
type mlogc_exec_t;
application_domain(mlogc_t, mlogc_exec_t)

Now lets specify the file context for the mlogc executable file in mlogc.fc:

/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t,s0)

Next we should define some policy that facilitates interaction with mlogc for other domains. httpd_t executes the mlogc executable file and we could facilitate policy that allows in this case apache to domain transition to our mlogc_t domain. We do this in the mlogc.if.

We call these shared policy blocks interfaces and they are heavily commented. These comments can be parsed, for example with: make html. The comments describe the functionality of the policy, and how it should be called.

First we add a description to the mlogc.if file:

## <summary>The ModSecurity Log Collector</summary>

Next we add the shared policy that can be called if other domains want to domain transition to mlogc_t in mlogc.if:

########################################
## <summary>
## Execute MLOGC in the MLOGC domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mlogc_domtrans',`
    gen_require(`
        type mlogc_t, mlogc_exec_t;
    ')

    corecmd_search_bin($1)
    domtrans_pattern($1, mlogc_exec_t, mlogc_t)
')

Now we have a solid foundation for our new mlogc policy.

Now httpd_t should call the mlogc_domtrans interface so that it can domain transition when it runs mlogc.
Since we are not working in the main policy package we should create a patch (a custom module that extends the apache module) so that we can call this interface for httpd_t.

touch a file myapache.te and add the following:

policy_module(myapache, 1.0.0)

optional_policy(`
    gen_require(`
        type httpd_t;
    ')

    mlogc_domtrans(httpd_t)
')

The optional_policy tag makes it so that this module does not depend on either the apache module or our mlogc module. The gen_require tag borrows a type that we use and that is not local to our module. The httpd_t type is not declared in our myapache.te file. We borrow it from the existing apache module.

Now we have two source policy modules: mlogc and myapache.

There are a couple more things we need to take care of. In mlogc.te we should append the following:

role system_r types mlogc_t;

Apache is a system service. System services use the system_r role. Roles are used for RBAC or role based access control. Without going into details we just allowed the system_r role to be used with the mlogc_t domain.

Since our policy module does not actually have much policy yet, it must be tested first. We can make our new clogd_t domain permissive (exempted from SELinux enforcement, but SELinux will still log any access mlogc_t requires that is currently not allowed) by appending the following in mlogc.te:

permissive mlogc_t;

We must remove this line once we are done testing and refining our module.

Now we can try to build binary representations of our two new modules by running the following command:

make -f /usr/share/selinux/devel/Makefile

If all goes well, then two files with the .pp extension are created: myapache.pp and mlogc.pp

We should now load these two binary policies with the following command:

sudo semodule -i *.pp

Next we must run the restorecon command on /usr/bin/mlogc, so that our new file context specification for this location can be applied. We can use the -v option to make it verbose.

sudo restorecon -v /usr/bin/mlogc

Now when you list its attributes (ls -alZ /usr/bin/mlogc) you should see our type mlogc_exec_t.

Time for testing. httpd_t should be allowed to run mlogc in the mlogc_t domain and currently mlogc_t is a permissive domain, thus mlogc_t should be able to have any access with regard to SELinux. Any "would be denials" are logged to /var/log/audit/audit.log. We can use these denials to extend our mlogc_t domain.

So test the app a couple of times and collect AVC denials. If you run the AVC denials through audit2allow with the -R option, then audit2allow will try to find suitable interfaces to call where applicable. If you use audit2allow without the -R option, then audit2allow will only translate AVC denials into human-readable policy.

Proper policy requires that you only use interface calls in your policy, except when the target in a particular interaction is local to the module (if the target type is declared in the module).

But this goes beyond the scope of this explanation. You can just paste the output of audit2allow -R into the mlogc.te file and rebuild the source, then reinstall the module(s):

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i *.pp

After a few runs, when no more AVC denials appear in audit.log for mlogc_t, you can remove the permissive declaration (permissive mlogc_t;) from the mlogc.te file.

Then rebuild and reinstall the module.

By now mlogc should be confined and working.


Disclaimer: I might have missed some important parts. I might have made mistakes. Try at your own risk
To undo the policy modules:

sudo semodule -r mlogc myapache
restorecon -v /usr/bin/mlogc

hth

>
> Mark
>
> AVCs
> ====
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { read } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
> node=troodos.org.uk type=AVC msg=audit(1270480904.700:37928): avc: denied { open } for pid=9674 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
> node=troodos.org.uk type=SYSCALL msg=audit(1270480904.700:37928): arch=40000003 syscall=5 success=yes exit=10 a0=d348ea a1=0 a2=1b6 a3=d348e8 items=0 ppid=9643 pid=9674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270488357.977:38184): avc: denied { getattr } for pid=10531 comm="mlogc" path="/var/run/pcscd.pub" dev=sda5 ino=362221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
> node=troodos.org.uk type=SYSCALL msg=audit(1270488357.977:38184): arch=40000003 syscall=195 success=yes exit=0 a0=d345ab a1=b64279ac a2=d1eff4 a3=3 items=0 ppid=9643 pid=10531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270488685.640:38200): avc: denied { read write } for pid=10661 comm="mlogc" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=sda5 ino=372384 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file
> node=troodos.org.uk type=SYSCALL msg=audit(1270488685.640:38200): arch=40000003 syscall=5 success=yes exit=12 a0=b5830dc0 a1=20002 a2=180 a3=b5830da8 items=0 ppid=10644 pid=10661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>



> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
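The four source files from the walkthrough above, written out by a script so the build can be repeated from a clean work directory. This is an added example, not Dominick's code and not anything shipped with mod_security; the function names, the permissive/enforcing switch and the work-directory argument are my own assumptions, and the build step only runs where /usr/share/selinux/devel/Makefile exists.

```shell
#!/bin/sh
# Added example (not from the thread): generate the mlogc and myapache
# source policy modules described above. Function names and the
# permissive/enforcing switch are this example's own assumptions.

write_mlogc_module() {
    # $1 = work directory; $2 = "permissive" while testing, "enforcing" for the final build
    dir=$1
    mode=${2:-permissive}
    mkdir -p "$dir"

    # mlogc.te: declarations local to the module (types, role, test-only permissive line)
    {
        printf 'policy_module(mlogc, 1.0.0)\n\n'
        printf 'type mlogc_t;\ntype mlogc_exec_t;\n'
        printf 'application_domain(mlogc_t, mlogc_exec_t)\n\n'
        printf 'role system_r types mlogc_t;\n'
        if [ "$mode" = permissive ]; then
            printf '\n# remove once testing and refining is done\npermissive mlogc_t;\n'
        fi
    } > "$dir/mlogc.te"

    # mlogc.if: the domain-transition interface other modules may call
    cat > "$dir/mlogc.if" <<'EOF'
## <summary>The ModSecurity Log Collector</summary>

########################################
## <summary>
##    Execute mlogc in the mlogc domain.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`mlogc_domtrans',`
    gen_require(`
        type mlogc_t, mlogc_exec_t;
    ')

    corecmd_search_bin($1)
    domtrans_pattern($1, mlogc_exec_t, mlogc_t)
')
EOF

    # mlogc.fc: file context specification for the executable
    printf '/usr/bin/mlogc\t--\tgen_context(system_u:object_r:mlogc_exec_t,s0)\n' > "$dir/mlogc.fc"

    # myapache.te: lets httpd_t call the interface without hard module dependencies
    cat > "$dir/myapache.te" <<'EOF'
policy_module(myapache, 1.0.0)

optional_policy(`
    gen_require(`
        type httpd_t;
    ')

    mlogc_domtrans(httpd_t)
')
EOF
}

# Returns 0 while the .te file still carries the test-only permissive declaration.
module_is_permissive() {
    grep -q '^permissive mlogc_t;' "$1/mlogc.te"
}

# Build, load and relabel; skipped where the SELinux devel Makefile is absent.
build_and_load() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "SELinux devel Makefile not found; skipping build" >&2
        return 0
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile ) || return 1
    sudo semodule -i "$dir/mlogc.pp" "$dir/myapache.pp" || return 1
    sudo restorecon -v /usr/bin/mlogc
}
```

Usage follows the post: write_mlogc_module ~/mywork permissive, then build_and_load ~/mywork, test mlogc and feed the collected denials to audit2allow -R; once the denials stop, regenerate with write_mlogc_module ~/mywork enforcing (which drops the permissive line) and build again. module_is_permissive is a quick check that the test-only line really is gone before the final load.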
 
Old 04-07-2010, 07:02 PM
Arthur Dent
 
Mod-security (mlogc) problem

On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > Hello all,
> >
> > I believe in a multi-layered approach towards security, so as well as
> > SELinux I use Mod-Security to protect the web server on my F11 machine.
> >
> > Recently I started using the ModSecurity Community Console to analyse
> > the mod-security denials. This requires using the mlogc logging
> > application that comes bundled with the mod_security-2.5.12-1.fc11.i586
> > package.
> >
> > Now every time a mod-security denial is triggered I get 3 SEL AVCs
> > (currently in permissive mode while I sort this out). They say:
> >
> > SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
> > If you want to change the file context of /var/run/pcscd.pid so that the
> > httpd daemon can access it, you need to execute it using chcon -t
> > httpd_sys_content_t '/var/run/pcscd.pid'.
> >
> > A similar one for /var/run/pcsd.pub
> >
> > and then one for:
> > SELinux is preventing the mlogc from using potentially mislabeled files
> > 636F6F6C6B6579706B313173452D47617465203020302D30 (auth_cache_t).
> >
> > (Actual AVCs below)
> >
> > If I try doing the chcon -t httpd_sys_content_t '/var/run/pcscd.xxx' as
> > recommended by sealert I only get the one with the strange filename each
> > time I get a mod-sec alert. However, now of course I get this:
> >
> > SELinux denied access requested by certwatch. /var/run/pcscd.pub may be a mislabeled. /var/run/pcscd.pub default SELinux type is pcscd_var_run_t, but its current type is httpd_sys_content_t. Changing this file back to the default type, may fix your problem.
> > (and another one for .pid)
> >
> > So I need to put the file context back to what it was using
> > restorecon....
> >
> > Audit2allow suggests this:
> >
> > require {
> > type auth_cache_t;
> > type httpd_t;
> > type pcscd_var_run_t;
> > class file { read write getattr open };
> > }
> >
> > #============= httpd_t ==============
> > allow httpd_t auth_cache_t:file { read write };
> > allow httpd_t pcscd_var_run_t:file { read getattr open };
> >
> > What do you think is the best solution to this problem?
> >
> > Thanks in advance for any help or suggestions...
>
> To create a new policy module for mlogc:
>
> Create a work directory (~/mywork) and go there to do your work: cd ~/mywork
> touch 3 files that will be our mlogc source policy module (touch mlogc.te mlogc.if mlogc.fc)
> The .te file is for policy local to mlogc, the .if file has policy that other parties can call when they want to interact with mlogc, and the .fc file has file context specifications for mlogc.
>
> So lets start why declaring some types for mlogc, make those types usable and specify and file contexts that we know are required.
>
> Declare a new policy module in mlogc.te:
>
> policy_module(mlogc, 1.0.0)
>
> New we need to declare a type for the mlogc process and a type for the mlogc executable file. We make those types a usable application domain by calling the application_domain interface in mlogc.te:
>
> type mlogc_t;
> type mlogc_exec_t;
> application_domain(mlogc_t, mlogc_exec_t)
>
> Now lets specify the file context for the mlogc executable file in mlogc.fc:
>
> /usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t,s0)
>
> Next we should define some policy that facilitates interaction with mlogc for other domains. httpd_t executes the mlogc executable file and we could facilitate policy that allows in this case apache to domain transition to our mlogc_t domain. We do this in the mlogc.if.
>
> We call these shared policy blocks interfaces and they are heavily commented. These comments can be parsed. for example: make html. The comments describe the functionality of the policy, and how it should be called.
>
> First we add a description to the mlogc.if file:
>
> ## <summary>The ModSecurity Log Collector</summary>
>
> Next we add the shared policy that can be called if other domain want to domain transition to mlogc_t in mlogc.if:
>
> ########################################
> ## <summary>
> ## Execute MLOGC in the MLOGC domain.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`mlogc_domtrans',`
> gen_require(`
> type mlogc_t, mlogc_exec_t;
> ')
>
> corecmd_search_bin($1)
> domtrans_pattern($1, mlogc_exec_t, mlogc_t)
> ')
>
> Now we have a solid foundation for our new mlogc policy.
>
> Now httpd_t should call the mlogc_domtrans interface so that it can domain transition when it runs mlogc.
> Since we are not working in the main policy package we should create a patch (custom module the extends the apache module) so that we can call this interface for httpd_t.
>
> touch a file myapache.te and add the following:
>
> policy_module(myapache, 1.0.0)
> optional_policy(`
> gen_require(`
> type httpd_t;
> ')
>
> mlogc_domtrans(httpd_t)
> ')
>
> The optional_policy tag makes it so that this module does not depend on either the apache module and our mlogc module. The gen_require tag borrows a type that we use and that is not local to our module. The httpd_t type is not delcared in our myapache.te file. We borrow it from the existing apache module.
>
> Now we have two source policy modules: mlogc and myapache.
>
> There are a couple more things we need to take care of. In mlogc.te we should append the following:
>
> role system_r types mlogc_t;
>
> Apache is a system service. System services use the system_r role. Roles are used for RBAC or role based access control. Without going into details we just allowed the system_r role to be used with the mlogc_t domain.
>
> Since our policy module does not actually have much policy yet it must be tested first. We can make our new clogd_t domain permissive (exempted from SELinux enforcement but SELinux will still log any access mlogc_t requires and that is currently not allowed) in mlogc.te append the following:
>
> permissive mlogc_t;
>
> We must remove this line once we are done testing and refining our module.
>
> Now we can try to build binary representations of our two new modules by running the following command:
>
> make -f /usr/share/selinux/devel/Makefile
>
> if all goes well , then two files with the .pp extension are created: myapache.pp and mlogc.pp
>
> We should now load these two binary policies with the following command:
>
> sudo semodule -i *.pp
>
> Next we must run the restorecon command on /usr/bin/mlogc. So that our new file context specification for this location can we applied. We can use the -v option to make it verbose.
>
> sudo restorecon -v /usr/bin/mlogc
>
> Now when you list its attirbutes (ls -alZ /usr/bin/mlogc) you should see our type mlogc_exec_t.
>
> Time for testing. httpd_t should be allowed to run mlogc in the mlogc_t domain and currently mlogc_t is a permissive domain, thus mlogc_t should be able to have any access wrt to SELinux. Any "would be denials" are logged to /var/log/audit/audit.log. We can use these denials to extend our mlogc_t domain.
>
> So test the app a couple times and collect AVC denials. If you run the AVC denials through audit2allow with the -R option , then audit2allow with try to find suitable interfaces to call where applicable. If you use audit2allow without the -R option , then audit2allow will only translate AVC denials into human readible policy.
>
> Proper policy requires that you only use interface calls in your policy except when the target in an particular interaction is local to the module (if the target type is declared in the module)
>
> But this goes beyond the scope of this explanation. You can just paste the output of audit2allow -R into the mlogc.te file and rebuild the source, then reinstall the module(s)
>
> make -f /usr/share/selinux/devel/Makefile
> sudo semodule -i *.pp
>
> After a few runs when no more AVC denials appear in audit.log for mlogc_t, then you can remove the permissive declaration from the mlogc.te file (permissive mlogc_t
>
> Then rebuild and reinstall the module.
>
> By now mlogc should be confined and working.
>
>
> Disclaimer: I might have missed some important parts. I might have made mistakes. Try at your own risk
> To undo the policy modules:
>
> sudo semodule -r mlocg myapache
> restorecon -v /usr/bin/mlogc
>
> hth

WOW! That is so helpful - Thank you! After your first message I was just
googling to try to find out how to create a domain transition - just
about to give up and ask when this post came in... Thanks for going to
so much trouble.

I followed your instructions exactly and everything seemed to work as
intended.

I have to say however that on testing I get 3 AVCs (see below), just as
before!...

Have I missed something or misunderstood something?

Based on these 3 AVCs audit2allow -R produces the following:

######################################
require {
type httpd_t;
}

#============= httpd_t ==============
pcscd_read_pub_files(httpd_t)

######################################

Is that what you would expect?


Thanks again for your help...

Mark


Most recent AVCs
================

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270666306.338:44518): avc: denied { getattr } for pid=32012 comm="mlogc" path="/var/run/pcscd.pub" dev=sda5 ino=362221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270666306.338:44518): arch=40000003 syscall=195 success=yes exit=0 a0=1fc5ab a1=b643f9ac a2=d1eff4 a3=3 items=0 ppid=29448 pid=32012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { read } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { open } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270666306.342:44519): arch=40000003 syscall=5 success=yes exit=13 a0=1fc8ea a1=0 a2=1b6 a3=1fc8e8 items=0 ppid=29448 pid=32012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { read } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { open } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270666306.342:44519): arch=40000003 syscall=5 success=yes exit=13 a0=1fc8ea a1=0 a2=1b6 a3=1fc8e8 items=0 ppid=29448 pid=32012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 04-07-2010, 08:26 PM
Dominick Grift
 
Default Mod-security (mlogc) problem

On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > Hello all,
> > >
> > > I believe in a multi-layered approach towards security, so as well as
> > > SELinux I use Mod-Security to protect the web server on my F11 machine.
> > >
> > > Recently I started using the ModSecurity Community Console to analyse
> > > the mod-security denials. This requires using the mlogc logging
> > > application that comes bundled with the mod_security-2.5.12-1.fc11.i586
> > > package.
> > >
> > > Now every time a mod-security denial is triggered I get 3 SEL AVCs
> > > (currently in permissive mode while I sort this out). They say:
> > >
> > > SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
> > > If you want to change the file context of /var/run/pcscd.pid so that the
> > > httpd daemon can access it, you need to execute it using chcon -t
> > > httpd_sys_content_t '/var/run/pcscd.pid'.
> > >
> > > A similar one for /var/run/pcsd.pub
> > >
> > > and then one for:
> > > SELinux is preventing the mlogc from using potentially mislabeled files
> > > 636F6F6C6B6579706B313173452D47617465203020302D30 (auth_cache_t).
> > >
> > > (Actual AVCs below)
> > >
> > > If I try doing the chcon -t httpd_sys_content_t '/var/run/pcscd.xxx' as
> > > recommended by sealert I only get the one with the strange filename each
> > > time I get a mod-sec alert. However, now of course I get this:
> > >
> > > SELinux denied access requested by certwatch. /var/run/pcscd.pub may be a mislabeled. /var/run/pcscd.pub default SELinux type is pcscd_var_run_t, but its current type is httpd_sys_content_t. Changing this file back to the default type, may fix your problem.
> > > (and another one for .pid)
> > >
> > > So I need to put the file context back to what it was using
> > > restorecon....
> > >
> > > Audit2allow suggests this:
> > >
> > > require {
> > > type auth_cache_t;
> > > type httpd_t;
> > > type pcscd_var_run_t;
> > > class file { read write getattr open };
> > > }
> > >
> > > #============= httpd_t ==============
> > > allow httpd_t auth_cache_t:file { read write };
> > > allow httpd_t pcscd_var_run_t:file { read getattr open };
> > >
> > > What do you think is the best solution to this problem?
> > >
> > > Thanks in advance for any help or suggestions...
> >
> > To create a new policy module for mlogc:
> >
> > Create a work directory (~/mywork) and go there to do your work: cd ~/mywork
> > touch 3 files that will be our mlogc source policy module (touch mlogc.te mlogc.if mlogc.fc)
> > The .te file is for policy local to mlogc, the .if file has policy that other parties can call when they want to interact with mlogc, and the .fc file has file context specifications for mlogc.
> >
> > So let's start by declaring some types for mlogc, make those types usable and specify any file contexts that we know are required.
> >
> > Declare a new policy module in mlogc.te:
> >
> > policy_module(mlogc, 1.0.0)
> >
> > Now we need to declare a type for the mlogc process and a type for the mlogc executable file. We make those types a usable application domain by calling the application_domain interface in mlogc.te:
> >
> > type mlogc_t;
> > type mlogc_exec_t;
> > application_domain(mlogc_t, mlogc_exec_t)
> >
> > Now lets specify the file context for the mlogc executable file in mlogc.fc:
> >
> > /usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t, s0)
> >
> > Next we should define some policy that facilitates interaction with mlogc for other domains. httpd_t executes the mlogc executable file and we could facilitate policy that allows in this case apache to domain transition to our mlogc_t domain. We do this in the mlogc.if.
> >
> > We call these shared policy blocks interfaces and they are heavily commented. These comments can be parsed, for example with make html. The comments describe the functionality of the policy, and how it should be called.
> >
> > First we add a description to the mlogc.if file:
> >
> > ## <summary>The ModSecurity Log Collector</summary>
> >
> > Next we add the shared policy that can be called if other domains want to domain transition to mlogc_t in mlogc.if:
> >
> > ########################################
> > ## <summary>
> > ## Execute MLOGC in the MLOGC domain.
> > ## </summary>
> > ## <param name="domain">
> > ## <summary>
> > ## Domain allowed access.
> > ## </summary>
> > ## </param>
> > #
> > interface(`mlogc_domtrans',`
> > gen_require(`
> > type mlogc_t, mlogc_exec_t;
> > ')
> >
> > corecmd_search_bin($1)
> > domtrans_pattern($1, mlogc_exec_t, mlogc_t)
> > ')
> >
> > Now we have a solid foundation for our new mlogc policy.
> >
> > Now httpd_t should call the mlogc_domtrans interface so that it can domain transition when it runs mlogc.
> > Since we are not working in the main policy package we should create a patch (a custom module that extends the apache module) so that we can call this interface for httpd_t.
> >
> > touch a file myapache.te and add the following:
> >
> > policy_module(myapache, 1.0.0)
> > optional_policy(`
> > gen_require(`
> > type httpd_t;
> > ')
> >
> > mlogc_domtrans(httpd_t)
> > ')
> >
> > The optional_policy tag makes it so that this module does not depend on either the apache module or our mlogc module. The gen_require tag borrows a type that we use and that is not local to our module. The httpd_t type is not declared in our myapache.te file. We borrow it from the existing apache module.
> >
> > Now we have two source policy modules: mlogc and myapache.
> >
> > There are a couple more things we need to take care of. In mlogc.te we should append the following:
> >
> > role system_r types mlogc_t;
> >
> > Apache is a system service. System services use the system_r role. Roles are used for RBAC or role based access control. Without going into details we just allowed the system_r role to be used with the mlogc_t domain.
> >
> > Since our policy module does not actually have much policy yet it must be tested first. We can make our new mlogc_t domain permissive (exempted from SELinux enforcement, but SELinux will still log any access mlogc_t requires that is currently not allowed). In mlogc.te append the following:
> >
> > permissive mlogc_t;
> >
> > We must remove this line once we are done testing and refining our module.
> >
> > Now we can try to build binary representations of our two new modules by running the following command:
> >
> > make -f /usr/share/selinux/devel/Makefile
> >
> > If all goes well, then two files with the .pp extension are created: myapache.pp and mlogc.pp
> >
> > We should now load these two binary policies with the following command:
> >
> > sudo semodule -i *.pp
> >
> > Next we must run the restorecon command on /usr/bin/mlogc so that our new file context specification for this location can be applied. We can use the -v option to make it verbose.
> >
> > sudo restorecon -v /usr/bin/mlogc
> >
> > Now when you list its attributes (ls -alZ /usr/bin/mlogc) you should see our type mlogc_exec_t.
> >
> > Time for testing. httpd_t should be allowed to run mlogc in the mlogc_t domain and currently mlogc_t is a permissive domain, thus mlogc_t should be able to have any access with respect to SELinux. Any "would be denials" are logged to /var/log/audit/audit.log. We can use these denials to extend our mlogc_t domain.
> >
> > So test the app a couple of times and collect AVC denials. If you run the AVC denials through audit2allow with the -R option, then audit2allow will try to find suitable interfaces to call where applicable. If you use audit2allow without the -R option, then audit2allow will only translate AVC denials into human readable policy.
> >
> > Proper policy requires that you only use interface calls in your policy except when the target in a particular interaction is local to the module (if the target type is declared in the module).
> >
> > But this goes beyond the scope of this explanation. You can just paste the output of audit2allow -R into the mlogc.te file and rebuild the source, then reinstall the module(s)
> >
> > make -f /usr/share/selinux/devel/Makefile
> > sudo semodule -i *.pp
> >
> > After a few runs, when no more AVC denials appear in audit.log for mlogc_t, then you can remove the permissive declaration from the mlogc.te file (permissive mlogc_t;).
> >
> > Then rebuild and reinstall the module.
> >
> > By now mlogc should be confined and working.
> >
> >
> > Disclaimer: I might have missed some important parts. I might have made mistakes. Try at your own risk
> > To undo the policy modules:
> >
> > sudo semodule -r mlogc myapache
> > restorecon -v /usr/bin/mlogc
> >
> > hth
>
> WOW! That is so helpful - Thank you! After your first message I was just
> googling to try to find out how to create a domain transition - just
> about to give up and ask when this post came in... Thanks for going to
> so much trouble.
>
> I followed your instructions exactly and everything seemed to work as
> intended.
>
> I have to say however that on testing I get 3 AVCs (see below), just as
> before!...
>
> Have I missed something or misunderstood something?

Yes, it seems that the domain transition did not happen. Are the modules installed?

semodule -l | grep myapache
semodule -l | grep mlogc

Is the context of the mlogc executable file proper?

ls -alZ /usr/bin/mlogc

Something seems to have gone not as planned

>
> Based on these 3 AVCs audit2allow -R produces the following:
>
> ######################################
> require {
> type httpd_t;
> }
>
> #============= httpd_t ==============
> pcscd_read_pub_files(httpd_t)
>
> ######################################
>
> Is that what you would expect?
>
>
> Thanks again for your help...
>
> Mark
>
>
> Most recent AVCs
> ================
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270666306.338:44518): avc: denied { getattr } for pid=32012 comm="mlogc" path="/var/run/pcscd.pub" dev=sda5 ino=362221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
> node=troodos.org.uk type=SYSCALL msg=audit(1270666306.338:44518): arch=40000003 syscall=195 success=yes exit=0 a0=1fc5ab a1=b643f9ac a2=d1eff4 a3=3 items=0 ppid=29448 pid=32012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> Raw Audit Messages :
>
> node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { read } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
> node=troodos.org.uk type=AVC msg=audit(1270666306.342:44519): avc: denied { open } for pid=32012 comm="mlogc" name="pcscd.pid" dev=sda5 ino=362220 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
> node=troodos.org.uk type=SYSCALL msg=audit(1270666306.342:44519): arch=40000003 syscall=5 success=yes exit=13 a0=1fc8ea a1=0 a2=1b6 a3=1fc8e8 items=0 ppid=29448 pid=32012 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
>



 
Old 04-07-2010, 08:51 PM
Arthur Dent
 
Default Mod-security (mlogc) problem

On Wed, 2010-04-07 at 22:26 +0200, Dominick Grift wrote:
> On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> > On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > > Hello all,
> > > >
> > > >
> > Have I missed something or misunderstood something?
>
> Yes, it seems that the domain transition did not happen. Are the modules installed?
>
> semodule -l | grep myapache
> semodule -l | grep mlogc

# semodule -l | grep myapache
myapache 1.0.0

# semodule -l | grep mlogc
mlogc 1.0.0


> Is the context of the mlogc executable file proper?
>
> ls -alZ /usr/bin/mlogc

# ls -alZ /usr/bin/mlogc
-rwxr-xr-x. root root system_u:object_r:mlogc_exec_t:s0 /usr/bin/mlogc

> Something seems to have gone not as planned

Well all of that seems OK - I'm not sure why it's not working?

Thanks for your help so far though - it's much appreciated...

Mark

 
Old 04-07-2010, 09:01 PM
Dominick Grift
 
Default Mod-security (mlogc) problem

On Wed, Apr 07, 2010 at 09:51:24PM +0100, Arthur Dent wrote:
> On Wed, 2010-04-07 at 22:26 +0200, Dominick Grift wrote:
> > On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> > > On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > > > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > > > Hello all,
> > > > >
> > > > >
> > > Have I missed something or misunderstood something?
> >
> > Yes, it seems that the domain transition did not happen. Are the modules installed?
> >
> > semodule -l | grep myapache
> > semodule -l | grep mlogc
>
> # semodule -l | grep myapache
> myapache 1.0.0
>
> # semodule -l | grep mlogc
> mlogc 1.0.0
>
>
> > Is the context of the mlogc executable file proper?
> >
> > ls -alZ /usr/bin/mlogc
>
> # ls -alZ /usr/bin/mlogc
> -rwxr-xr-x. root root system_u:object_r:mlogc_exec_t:s0 /usr/bin/mlogc
>
> > Something seems to have gone not as planned
>
> Well all of that seems OK - I'm not sure why it's not working?
>
> Thanks for your help so far though - it's much appreciated...

You could try to remove the optional_policy(` tag and its closing ') tag, that might expose any errors if you build without those.

Can you paste your modules so that I can review them?



>
> Mark
>



 
Old 04-07-2010, 09:23 PM
Arthur Dent
 
Default Mod-security (mlogc) problem

On Wed, 2010-04-07 at 23:01 +0200, Dominick Grift wrote:
> On Wed, Apr 07, 2010 at 09:51:24PM +0100, Arthur Dent wrote:
> > On Wed, 2010-04-07 at 22:26 +0200, Dominick Grift wrote:
> > > On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> > > > On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > > > > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > > > > Hello all,
> > > > > >
> > > > > >
> > > > Have I missed something or misunderstood something?
> > >
> > > Yes, it seems that the domain transition did not happen. Are the modules installed?
> > >
> > > semodule -l | grep myapache
> > > semodule -l | grep mlogc
> >
> > # semodule -l | grep myapache
> > myapache 1.0.0
> >
> > # semodule -l | grep mlogc
> > mlogc 1.0.0
> >
> >
> > > Is the context of the mlogc executable file proper?
> > >
> > > ls -alZ /usr/bin/mlogc
> >
> > # ls -alZ /usr/bin/mlogc
> > -rwxr-xr-x. root root system_u:object_r:mlogc_exec_t:s0 /usr/bin/mlogc
> >
> > > Something seems to have gone not as planned
> >
> > Well all of that seems OK - I'm not sure why it's not working?
> >
> > Thanks for your help so far though - it's much appreciated...
>
> You could try to remove the optional_policy(` tag and its closing ') tag, that might expose any errors if you build without those.
>
> Can you paste your modules so that I can review them?

# cat mlogc.te
policy_module(mlogc, 1.0.0)

type mlogc_t;
type mlogc_exec_t;
application_domain(mlogc_t, mlogc_exec_t)

role system_r types mlogc_t;
permissive mlogc_t;

################################################## ##################

# cat mlogc.fc
/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t, s0)


################################################## ##################

# cat mlogc.if
## <summary>The ModSecurity Log Collector</summary>

########################################
## <summary>
## Execute MLOGC in the MLOGC domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mlogc_domtrans',`
gen_require(`
type mlogc_t, mlogc_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, mlogc_exec_t, mlogc_t)
')

################################################## ##################

# cat myapche.te
policy_module(myapache, 1.0.0)
optional_policy(`
gen_require(`
type httpd_t;
')

mlogc_domtrans(httpd_t)
')

################################################## ##################


Is that right?

Thanks again. I do appreciate your help.


Mark

 
Old 04-07-2010, 09:35 PM
Dominick Grift
 
Default Mod-security (mlogc) problem

On Wed, Apr 07, 2010 at 10:23:24PM +0100, Arthur Dent wrote:
> On Wed, 2010-04-07 at 23:01 +0200, Dominick Grift wrote:
> > On Wed, Apr 07, 2010 at 09:51:24PM +0100, Arthur Dent wrote:
> > > On Wed, 2010-04-07 at 22:26 +0200, Dominick Grift wrote:
> > > > On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> > > > > On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > > > > > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > > > > > Hello all,
> > > > > > >
> > > > > > >
> > > > > Have I missed something or misunderstood something?
> > > >
> > > > Yes, it seems that the domain transition did not happen. Are the modules installed?
> > > >
> > > > semodule -l | grep myapache
> > > > semodule -l | grep mlogc
> > >
> > > # semodule -l | grep myapache
> > > myapache 1.0.0
> > >
> > > # semodule -l | grep mlogc
> > > mlogc 1.0.0
> > >
> > >
> > > > Is the context of the mlogc executable file proper?
> > > >
> > > > ls -alZ /usr/bin/mlogc
> > >
> > > # ls -alZ /usr/bin/mlogc
> > > -rwxr-xr-x. root root system_u:object_r:mlogc_exec_t:s0 /usr/bin/mlogc
> > >
> > > > Something seems to have gone not as planned
> > >
> > > Well all of that seems OK - I'm not sure why it's not working?
> > >
> > > Thanks for your help so far though - it's much appreciated...
> >
> > You could try to remove the optional_policy(` tag and its closing ') tag, that might expose any errors if you build without those.
> >
> > Can you paste your modules so that I can review them?
>
> # cat mlogc.te
> policy_module(mlogc, 1.0.0)
>
> type mlogc_t;
> type mlogc_exec_t;
> application_domain(mlogc_t, mlogc_exec_t)
>
> role system_r types mlogc_t;
> permissive mlogc_t;
>
> ################################################## ##################
>
> # cat mlogc.fc
> /usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t, s0)
>
>
> ################################################## ##################
>
> # cat mlogc.if
> ## <summary>The ModSecurity Log Collector</summary>
>
> ########################################
> ## <summary>
> ## Execute MLOGC in the MLOGC domain.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`mlogc_domtrans',`
> gen_require(`
> type mlogc_t, mlogc_exec_t;
> ')
>
> corecmd_search_bin($1)
> domtrans_pattern($1, mlogc_exec_t, mlogc_t)
> ')
>
> ################################################## ##################
>
> # cat myapche.te
> policy_module(myapache, 1.0.0)
> optional_policy(`
> gen_require(`
> type httpd_t;
> ')
>
> mlogc_domtrans(httpd_t)
> ')
>
> ################################################## ##################
>
>
> Is that right?
>
> Thank again. I do appreciate your help.
>
>
> Mark
>

Yes, looks fine. Try the following myapache.te instead:

policy_module(myapache, 1.0.0)
gen_require(`
type httpd_t;
')
mlogc_domtrans(httpd_t)

build, install

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i *.pp

 
Old 04-07-2010, 10:01 PM
Arthur Dent
 
Default Mod-security (mlogc) problem

On Wed, 2010-04-07 at 23:35 +0200, Dominick Grift wrote:

>
> Yes looks fine. try the following myapache.te instead:
>
> policy_module(myapache, 1.0.0)
> gen_require(`
> type httpd_t;
> ')
> mlogc_domtrans(httpd_t)
>
> build, install
>
> make -f /usr/share/selinux/devel/Makefile
> sudo semodule -i *.pp

OK - Caused a mere 16 AVCs (admittedly in permissive mode):

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { write } for pid=952 comm="mlogc" name="mlogc" dev=sda5 ino=578025 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { add_name } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
node=troodos.org.uk type=AVC msg=audit(1270677188.477:44957): avc: denied { create } for pid=952 comm="mlogc" name="mlogc-queue.log.new" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677188.477:44957): arch=40000003 syscall=5 success=yes exit=6 a0=b76fd170 a1=82c1 a2=1b6 a3=856 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677188.484:44958): avc: denied { remove_name } for pid=952 comm="mlogc" name="mlogc-queue.log" dev=sda5 ino=578431 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
node=troodos.org.uk type=SYSCALL msg=audit(1270677188.484:44958): arch=40000003 syscall=38 success=yes exit=0 a0=84c01e8 a1=b76fd070 a2=7581e4 a3=0 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677188.494:44959): avc: denied { rename } for pid=952 comm="mlogc" name="mlogc-queue.log.new" dev=sda5 ino=578432 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677188.494:44959): arch=40000003 syscall=38 success=yes exit=0 a0=b76fd170 a1=84c01e8 a2=7581e4 a3=0 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677188.497:44960): avc: denied { write } for pid=952 comm="mlogc" name="mlogc-transaction.log" dev=sda5 ino=578031 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677188.497:44960): arch=40000003 syscall=194 success=yes exit=0 a0=5 a1=0 a2=0 a3=84c05c0 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)


Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677208.496:44961): avc: denied { unlink } for pid=952 comm="mlogc" name="mlogc-queue.log.old" dev=sda5 ino=578432 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677208.496:44961): arch=40000003 syscall=10 success=yes exit=0 a0=b76fd070 a1=84c01e8 a2=7581e4 a3=0 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)


Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677254.661:44966): avc: denied { create } for pid=944 comm="httpd" name="20100407-2254" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=dir
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.661:44966): arch=40000003 syscall=39 success=yes exit=0 a0=24e17a8 a1=1e8 a2=80a1e4 a3=24e1748 items=0 ppid=937 pid=944 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677254.673:44967): avc: denied { write } for pid=944 comm="httpd" name="20100407-225414-S7z-BlIrkOUAAAOwOYMAAAAB" dev=sda5 ino=658630 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.673:44967): arch=40000003 syscall=5 success=yes exit=19 a0=24e1748 a1=8241 a2=1a0 a3=836 items=0 ppid=937 pid=944 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677254.679:44968): avc: denied { setopt } for pid=1412 comm="mlogc" laddr=127.0.0.1 lport=56280 faddr=127.0.0.1 fport=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=tcp_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.679:44968): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=b62fa5d0 a2=3ff8550 a3=b62fa640 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677254.682:44969): avc: denied { write } for pid=1412 comm="mlogc" laddr=127.0.0.1 lport=56280 faddr=127.0.0.1 fport=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=tcp_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.682:44969): arch=40000003 syscall=102 success=yes exit=37 a0=9 a1=b62fa560 a2=3ff8550 a3=0 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677254.684:44970): avc: denied { create } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=udp_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.684:44970): arch=40000003 syscall=102 success=yes exit=7 a0=1 a1=b62fa5c0 a2=4cb9a8 a3=b577c630 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677254.685:44971): avc: denied { create } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.685:44971): arch=40000003 syscall=102 success=yes exit=7 a0=1 a1=b62fa400 a2=d1eff4 a3=b62fa5e8 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677254.685:44972): avc: denied { bind } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.685:44972): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=b62fa400 a2=d1eff4 a3=7 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677254.686:44973): avc: denied { getattr } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.686:44973): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=b62fa400 a2=d1eff4 a3=7 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1270677254.686:44974): avc: denied { write } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=AVC msg=audit(1270677254.686:44974): avc: denied { nlmsg_read } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.686:44974): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=b62f9330 a2=d1eff4 a3=0 items=0 ppid=937 pid=1412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
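As an added example, not part of the original thread and not code from ModSecurity or mlogc: the script below parses AVC records shaped like the ones quoted above into the same kind of TE allow rules that audit2allow -M would emit, and uses the paired SYSCALL record's success= field to confirm from the audit trail itself what the poster states, that the box is permissive (the denied syscalls still returned success=yes). The sample input is constructed from the quoted lines, and the module name mlogc_local is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the AVC and SYSCALL records quoted in the
# post above (not a live capture): one TCP write denial with its SYSCALL pair,
# a UDP create denial, and two netlink_route_socket denials sharing one serial.
SAMPLE_AUDIT = """\
node=troodos.org.uk type=AVC msg=audit(1270677254.682:44969): avc: denied { write } for pid=1412 comm="mlogc" laddr=127.0.0.1 lport=56280 faddr=127.0.0.1 fport=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=tcp_socket
node=troodos.org.uk type=SYSCALL msg=audit(1270677254.682:44969): arch=40000003 syscall=102 success=yes exit=37 pid=1412 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0
node=troodos.org.uk type=AVC msg=audit(1270677254.684:44970): avc: denied { create } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=udp_socket
node=troodos.org.uk type=AVC msg=audit(1270677254.686:44974): avc: denied { write } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
node=troodos.org.uk type=AVC msg=audit(1270677254.686:44974): avc: denied { nlmsg_read } for pid=1412 comm="mlogc" scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=netlink_route_socket
"""

# Real auditd output uses two spaces around "denied"; the ' +' tolerates both forms.
AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no)"
)


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """One dict per AVC record: audit serial, denied permissions, source/target types, class."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append({
                "serial": m.group("serial"),
                "perms": set(m.group("perms").split()),
                "source": type_of(m.group("scontext")),
                "target": type_of(m.group("tcontext")),
                "tclass": m.group("tclass"),
            })
    return records


def syscall_outcomes(text):
    """Map audit serial -> True when the matching SYSCALL record says success=yes."""
    outcomes = {}
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            outcomes[m.group("serial")] = m.group("success") == "yes"
    return outcomes


def enforcement_state(records, outcomes):
    """A denied permission whose syscall still succeeded means the domain (or the
    whole system) is permissive; a failed syscall means the denial was enforced."""
    paired = [outcomes[r["serial"]] for r in records if r["serial"] in outcomes]
    if not paired:
        return "unknown"
    return "permissive" if all(paired) else "enforcing"


def allow_rules(records):
    """Collapse the denials into TE allow rules, merging permissions per
    (source, target, class) and writing 'self' where source == target."""
    grouped = defaultdict(set)
    for r in records:
        target = "self" if r["target"] == r["source"] else r["target"]
        grouped[(r["source"], target, r["tclass"])] |= r["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


def te_module(name, records):
    """Render a complete policy module source (.te) that checkmodule accepts."""
    types = sorted({r["source"] for r in records} | {r["target"] for r in records})
    classes = defaultdict(set)
    for r in records:
        classes[r["tclass"]] |= r["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AUDIT)
    print("mode inferred from audit trail:", enforcement_state(recs, syscall_outcomes(SAMPLE_AUDIT)))
    print(te_module("mlogc_local", recs))
```

Save the printed module as mlogc_local.te, then build and load it with checkmodule -M -m -o mlogc_local.mod mlogc_local.te, semodule_package -o mlogc_local.pp -m mlogc_local.mod and semodule -i mlogc_local.pp. Read every rule before loading: the rules here only let mlogc_t use its own TCP, UDP and netlink route sockets, which is the narrowest fix for these particular denials, and the tcp_socket write is the one that actually matters (mlogc delivering to the console on 127.0.0.1:8888). Run the script over a filtered extract of the AVCs you have understood, not over a whole audit.log, or you will grant whatever else happened to be denied in permissive mode.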
 
