Hello all,

Back in April Dominick Grift kindly helped me to create a new policy module for mlogc on my Fedora 11 installation. (The original correspondence can be seen here: http://lists.fedoraproject.org/pipermail/selinux/2010-April/012353.html)

In the last couple of days I have upgraded to F13 and, despite copying and rebuilding the relevant policy modules, I am now getting another raft of AVCs relating to mlogc.

To summarise:
=============

ModSecurity Log Collector (mlogc) is used to send ModSecurity audit log data to a console. It is installed as part of the Fedora rpm mod_security-2.5.12-1.fc13.i686, which I installed as part of the upgrade. The actual ModSecurity Console (which receives the data) was installed from source using the same tarball as was used on my F11 install.

With Dominick's help, these are the modules I created on the F11 box:

===========8<=======================================================
# cat mymlogc.te
policy_module(mymlogc, 1.0.10)

type mlogc_t;
type mlogc_exec_t;
type mlogc_var_log_t;
type mlogc_etc_t;

logging_log_file(mlogc_var_log_t);
logging_log_filetrans(mlogc_t, mlogc_var_log_t, { dir file })
application_domain(mlogc_t, mlogc_exec_t);
role system_r types mlogc_t;
# permissive mlogc_t;

manage_dirs_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
manage_files_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)

files_search_etc(mlogc_t)
files_config_file(mlogc_etc_t)
files_read_usr_symlinks(mlogc_t)
files_read_etc_files(mlogc_t)
files_list_tmp(mlogc_t)

pcscd_read_pub_files(mlogc_t);
pcscd_stream_connect(mlogc_t)

miscfiles_read_localization(mlogc_t)
miscfiles_read_certs(mlogc_t)

dev_read_urand(mlogc_t)
userdom_use_user_terminals(mlogc_t)
#apache_manage_log(mlogc_t);
kernel_read_system_state(mlogc_t)

allow mlogc_t self:tcp_socket create_socket_perms;
allow mlogc_t self:udp_socket create_socket_perms;
allow mlogc_t self:netlink_route_socket create_netlink_socket_perms;
allow mlogc_t self:process { setsched getsched };
allow mlogc_t self:capability { sys_nice dac_override };
allow mlogc_t self:sem create_sem_perms;

corenet_all_recvfrom_netlabel(mlogc_t)
corenet_all_recvfrom_unlabeled(mlogc_t)
corenet_tcp_sendrecv_generic_if(mlogc_t)
corenet_tcp_sendrecv_generic_node(mlogc_t)
corenet_tcp_sendrecv_generic_port(mlogc_t)
corenet_tcp_bind_generic_node(mlogc_t)
corenet_sendrecv_generic_client_packets(mlogc_t)
corenet_tcp_connect_generic_port(mlogc_t)
===========8<=======================================================

===========8<=======================================================
# cat myapche.te
policy_module(myapache, 1.0.2)

gen_require(`
	type httpd_t;
')

mlogc_domtrans(httpd_t)
mlogc_manage_log(httpd_t)
mlogc_signal(httpd_t)
===========8<=======================================================

And these are the new denials. Some worrying ones, such as requiring access to key files... There were 12 AVCs relating to a single incident, but I have removed the ones I think are duplicates:

Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.635:29370): avc: denied { write } for pid=3512 comm="mlogc" name="cert9.db" dev=sda6 ino=91782 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.635:29370): arch=40000003 syscall=5 success=no exit=-13 a0=b5926308 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.847:29371): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=1549 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29371): arch=40000003 syscall=33 success=no exit=-13 a0=1e6774 a1=7 a2=1fca64 a3=2 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.847:29373): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=310 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29373): arch=40000003 syscall=33 success=no exit=-13 a0=1e6778 a1=7 a2=1fca64 a3=4 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.847:29374): avc: denied { write } for pid=3512 comm="mlogc" name="/" dev=sda6 ino=2 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29374): arch=40000003 syscall=33 success=no exit=-13 a0=1e4d73 a1=7 a2=1fca64 a3=5 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.852:29376): avc: denied { write } for pid=3512 comm="mlogc" name="key4.db" dev=sda6 ino=19637 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.852:29376): arch=40000003 syscall=5 success=no exit=-13 a0=b5933cf8 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.861:29380): avc: denied { write } for pid=3512 comm="mlogc" name="/" dev=sda6 ino=2 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.861:29380): arch=40000003 syscall=33 success=no exit=-13 a0=1e4d73 a1=7 a2=1fca64 a3=5 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)

And this is what audit2allow makes of them...

require {
	type mlogc_t;
}

#============= mlogc_t ==============
files_delete_root_dir_entry(mlogc_t)
files_delete_tmp_dir_entry(mlogc_t)
miscfiles_manage_cert_files(mlogc_t)

Should I add these to the above policy, or is there some other way?

Thanks in advance for any help or suggestions...

Mark

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
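As an added example, not part of the post above and not code from the Fedora selinux list or the mlogc project: a small Python triage script for raw audit messages of the kind quoted in the post. It joins each AVC record with its SYSCALL record by audit serial, collapses the duplicate denials into the raw allow rules that audit2allow produces before -R maps them to interfaces, and marks rules whose target type is in a chosen watch list (cert_t, root_t and a couple of others; that list is my assumption, not something from the post) for manual review instead of being pasted into the policy module. The sample input is constructed from the AVC and SYSCALL records in the post with the uid/gid fields trimmed; the syscall table covers only open (5) and access (33) on i386 (arch=40000003), which is what the sample needs. The function names parse_audit, allow_rules and triage are mine.

```python
"""Triage SELinux AVC denials: join AVC and SYSCALL records by audit serial,
collapse duplicates into allow rules the way audit2allow would, and flag
rules that touch sensitive target types so they get reviewed rather than
added to a policy module unread."""
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL pairs from the post, uid/gid fields trimmed.
SAMPLE_AUDIT = """\
node=troodos type=AVC msg=audit(1281734421.635:29370): avc: denied { write } for pid=3512 comm="mlogc" name="cert9.db" dev=sda6 ino=91782 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.635:29370): arch=40000003 syscall=5 success=no exit=-13 a0=b5926308 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 comm="mlogc" exe="/usr/bin/mlogc"
node=troodos type=AVC msg=audit(1281734421.847:29371): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=1549 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29371): arch=40000003 syscall=33 success=no exit=-13 a0=1e6774 a1=7 a2=1fca64 a3=2 items=0 ppid=1506 pid=3512 comm="mlogc" exe="/usr/bin/mlogc"
node=troodos type=AVC msg=audit(1281734421.847:29373): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=310 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29373): arch=40000003 syscall=33 success=no exit=-13 a0=1e6778 a1=7 a2=1fca64 a3=4 items=0 ppid=1506 pid=3512 comm="mlogc" exe="/usr/bin/mlogc"
node=troodos type=AVC msg=audit(1281734421.847:29374): avc: denied { write } for pid=3512 comm="mlogc" name="/" dev=sda6 ino=2 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29374): arch=40000003 syscall=33 success=no exit=-13 a0=1e4d73 a1=7 a2=1fca64 a3=5 items=0 ppid=1506 pid=3512 comm="mlogc" exe="/usr/bin/mlogc"
node=troodos type=AVC msg=audit(1281734421.852:29376): avc: denied { write } for pid=3512 comm="mlogc" name="key4.db" dev=sda6 ino=19637 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.852:29376): arch=40000003 syscall=5 success=no exit=-13 a0=b5933cf8 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 comm="mlogc" exe="/usr/bin/mlogc"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value tokens
DENIED_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')  # permissions set
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # audit serial number

# Partial i386 (arch=40000003) syscall table, enough for the sample above.
I386_SYSCALLS = {5: 'open', 33: 'access'}

# Target types where a denial deserves a look before any rule is written
# (assumed watch list for this example).
SENSITIVE_TYPES = {'cert_t', 'root_t', 'shadow_t', 'etc_t'}


def parse_record(line):
    """Return (serial, record_type, fields) for one audit line, or None."""
    m = SERIAL_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return m.group(1), fields.get('type'), fields


def parse_audit(text):
    """Group denied AVC records with their SYSCALL record by audit serial."""
    events = defaultdict(lambda: {'avc': [], 'syscall': None})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        serial, rtype, fields = rec
        if rtype == 'AVC':
            m = DENIED_RE.search(line)
            if m is None:  # granted/other AVC messages are not denials
                continue
            events[serial]['avc'].append({
                'perms': m.group(1).split(),
                'stype': fields['scontext'].split(':')[2],  # source type
                'ttype': fields['tcontext'].split(':')[2],  # target type
                'tclass': fields['tclass'],
                'name': fields.get('name', ''),
            })
        elif rtype == 'SYSCALL':
            events[serial]['syscall'] = fields
    return dict(events)


def allow_rules(text):
    """Collapse duplicates into (stype, ttype, tclass) -> sorted permissions,
    the raw form audit2allow emits before -R maps it to interfaces."""
    rules = defaultdict(set)
    for ev in parse_audit(text).values():
        for avc in ev['avc']:
            rules[(avc['stype'], avc['ttype'], avc['tclass'])].update(avc['perms'])
    return {k: sorted(v) for k, v in rules.items()}


def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule in policy syntax (braces only for several perms)."""
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {ttype}:{tclass} {p};'


def triage(text):
    """One report line per rule: the rule, the object names behind it, the
    syscall that triggered it, and REVIEW when the target type is sensitive."""
    names, calls = defaultdict(set), defaultdict(set)
    for ev in parse_audit(text).values():
        sc, call = ev['syscall'], None
        if sc and sc.get('arch') == '40000003':
            call = I386_SYSCALLS.get(int(sc['syscall']), 'syscall ' + sc['syscall'])
        for avc in ev['avc']:
            key = (avc['stype'], avc['ttype'], avc['tclass'])
            names[key].add(avc['name'])
            if call:
                calls[key].add(call)
    report = []
    for key, perms in sorted(allow_rules(text).items()):
        line = format_rule(*key, perms) + '  # names=' + ','.join(sorted(names[key]))
        if calls[key]:
            line += ' via=' + ','.join(sorted(calls[key]))
        if key[1] in SENSITIVE_TYPES:
            line += ' REVIEW'
        report.append(line)
    return report


if __name__ == '__main__':
    for line in triage(SAMPLE_AUDIT):
        print(line)
```

On the sample the report shows the cert_t denials come from open(2) on cert9.db and key4.db, which is a real attempt to open the NSS database for writing, while the root_t and tmp_t denials come from access(2), i.e. the program only probing whether it may write to / and /tmp. That distinction is what audit2allow's output hides: a failed probe that the program tolerates is a candidate for a dontaudit rule, whereas an open for writing on the certificate database is a decision about what the domain should be allowed to touch, not just a denial to silence.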