Re: Mod-security (mlogc) problem

On Sun, Apr 25, 2010 at 07:20:12PM +0100, Arthur Dent wrote:
> Hello Dominick,
> 
> I don't know if you remember all the painful details of the thread where
> you helped me solve my mlogc problems but, after running for a couple of
> weeks in enforcing mode I occasionally get these AVCs when my
> ModSecurity rule triggers a block which is reported in mlogc:
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1271810736.442:85299): avc: denied { read } for pid=30941 comm="mlogc" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1271810736.442:85299): arch=40000003 syscall=5 success=no exit=-13 a0=ceeb6e a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=30941 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1271810736.446:85300): avc: denied { read } for pid=30941 comm="mlogc" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1271810736.446:85300): arch=40000003 syscall=5 success=no exit=-13 a0=ceeb79 a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=30941 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1272206914.57:99302): avc: denied { read } for pid=2650 comm="mlogc" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1272206914.57:99302): arch=40000003 syscall=5 success=no exit=-13 a0=24bb6e a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=2650 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1272206914.61:99303): avc: denied { read } for pid=2650 comm="mlogc" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
> node=troodos.org.uk type=SYSCALL msg=audit(1272206914.61:99303): arch=40000003 syscall=5 success=no exit=-13 a0=24bb79 a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=2650 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> 
> Audit2allow suggests:
> 
> require {
> 	type mlogc_t;
> 	type proc_t;
> 	class file read;
> }
> 
> #============= mlogc_t ==============
> allow mlogc_t proc_t:file read;
> 
> But when I try to add that to my mlogc.te it chokes during the build
> process...

Chokes? What exactly gets printed to the screen?

Try adding "kernel_read_system_state(mlogc_t)" to your mlogc.te file, then rebuild and reinstall.

> 
> I should point out that, as far as I can tell, everything still works
> despite the AVC denial...
> 
> Thanks yet again for your patient help!
> 
> Mark
>  



> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
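
Added example, not part of the original messages or of any SELinux tool: a small Python parser that reduces the four AVC records quoted above to the single raw rule audit2allow printed, and records which /proc entries mlogc tried to read. The function names are illustrative.

```python
import re
from collections import defaultdict

# AVC records copied from the quoted message (SYSCALL records omitted).
AUDIT_LOG = """\
node=troodos.org.uk type=AVC msg=audit(1271810736.442:85299): avc: denied { read } for pid=30941 comm="mlogc" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1271810736.446:85300): avc: denied { read } for pid=30941 comm="mlogc" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1272206914.57:99302): avc: denied { read } for pid=2650 comm="mlogc" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=troodos.org.uk type=AVC msg=audit(1272206914.61:99303): avc: denied { read } for pid=2650 comm="mlogc" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial; contexts are user:role:type[:level], rules use the type."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL records, headers, blank lines
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "source": f["scontext"].split(":")[2],
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "perms": set(m.group(1).split()),
        "name": f.get("name"),
    }

def summarise(log):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "count": 0})
    for line in log.splitlines():
        avc = parse_avc(line)
        if avc:
            g = groups[(avc["source"], avc["target"], avc["tclass"])]
            g["perms"] |= avc["perms"]
            g["names"].add(avc["name"])
            g["count"] += 1
    return dict(groups)

def allow_rules(groups):
    """Render each group as the raw allow rule audit2allow would print."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

Calling `allow_rules(summarise(AUDIT_LOG))` shows that all four denials collapse to one access: `read` on `proc_t` files named `stat` and `cpuinfo`, which is the access the suggested `kernel_read_system_state(mlogc_t)` interface is meant to cover.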
