On 08/31/2010 08:33 PM, Arthur Dent wrote:
> On Sat, 2010-08-14 at 10:45 +0200, Dominick Grift wrote:
>> On 08/14/2010 10:06 AM, Arthur Dent wrote:
>>
>>> And this is what audit2allow makes of them...
>>>
>>> require {
>>>         type mlogc_t;
>>> }
>>>
>>> #============= mlogc_t ==============
>>> files_delete_root_dir_entry(mlogc_t)
>>> files_delete_tmp_dir_entry(mlogc_t)
>>> miscfiles_manage_cert_files(mlogc_t)
>>>
>>>
>>> Should I add these to the above policy, or is there some other way?
>>>
>>> Thanks in advance for any help or suggestions...
>>>
>>> Mark
>>>
>>
>> There are some issues:
>>
>> 1. I would go here:
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users and ask
>> if it is normal that mlogc writes to certificate databases. It's trying
>> to write to files like: cert9.db, key4.db.
>
> OK - Sorry it's taken a while to get back to this - but I had the
> discussion over on the mod-sec list, had to set up a strace and send the
> strace log.
>
> This is what Brian Rectanus had to say having analysed the strace log:
>
> ====================8<=================================================
>
> Looking at the strace logs, it first tries to open those files
> read/write, but cannot, so it resorts to read only access. I do not
> see any calls to write to those files, though:
>
> 14612 open("/etc/pki/nssdb/key4.db", O_RDWR|O_CREAT|O_LARGEFILE, 0644)
> = -1 EACCES (Permission denied)
> 14612 open("/etc/pki/nssdb/key4.db", O_RDONLY|O_LARGEFILE) = 11
>
> 14612 open("/etc/pki/nssdb/cert9.db", O_RDWR|O_CREAT|O_LARGEFILE,
> 0644) = -1 EACCES (Permission denied)
> 14612 open("/etc/pki/nssdb/cert9.db", O_RDONLY|O_LARGEFILE) = 8
>
> I imagine that those attempts at opening read/write are what is
> triggering selinux. This is the curl library accessing these files for
> certificate verification (via mozilla's NSS library). They are sqlite
> DBs. I am not sure why it is trying to access them read/write,
> though. It looks like NSS support was added to curl with version
> 7.19.7. If it is a problem (and it may be), then you will probably
> have to take it up with curl folks. However, they will probably tell
> you it is a libnss issue :)
>
> Sorry I cannot help more.
>
> -B
>
> ====================8<=================================================
>
> Well - Where does that leave me?
>
> Mark
>
>

I guess you will have to decide for yourself whether you want to permit mlogc to read and write your system certificate files. Try to reproduce the issue in permissive mode and enclose the AVC denials so that we can extend the mlogc module.

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
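As an added example (not code from this thread, from ModSecurity or from the selinux list), the following Python script does mechanically what Brian Rectanus did by eye on the strace log: it parses strace output, records each denied `O_RDWR|O_CREAT` open and the read-only fallback on the same path, and counts write-class syscalls on the descriptors that were actually returned. The `open()` lines for key4.db and cert9.db are the ones quoted above; the `read`/`pread64`/`close` lines and the `/tmp/constructed-example.log` entries are constructed to exercise the descriptor tracking and to show the contrasting case where a file really is written to.

```python
import re
from collections import defaultdict

# Constructed sample: the four open() lines quoted in the thread, plus
# constructed read/close lines and a constructed log file that is genuinely
# written to, so both verdicts are exercised.
SAMPLE_STRACE = """\
14612 open("/etc/pki/nssdb/key4.db", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES (Permission denied)
14612 open("/etc/pki/nssdb/key4.db", O_RDONLY|O_LARGEFILE) = 11
14612 open("/etc/pki/nssdb/cert9.db", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES (Permission denied)
14612 open("/etc/pki/nssdb/cert9.db", O_RDONLY|O_LARGEFILE) = 8
14612 read(11, "SQLite format 3", 4096) = 4096
14612 pread64(8, "SQLite format 3", 4096, 0) = 4096
14612 open("/tmp/constructed-example.log", O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0644) = 12
14612 write(12, "constructed", 11) = 11
14612 close(11) = 0
14612 close(8) = 0
14612 close(12) = 0
"""

# open()/openat() with path, flags, optional mode, return value, optional errno.
OPEN_RE = re.compile(
    r'^(?P<pid>\d+)\s+open(?:at)?\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)",\s*'
    r'(?P<flags>[A-Z0-9_|]+)(?:,\s*[0-7]+)?\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+))?'
)
# Syscalls that modify file contents through an already-open descriptor.
WRITE_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<call>write|pwrite64|writev|ftruncate|fsync|fdatasync)\((?P<fd>\d+)'
)
CLOSE_RE = re.compile(r'^(?P<pid>\d+)\s+close\((?P<fd>\d+)\)')

# Any of these flags means the open asked for more than read access.
WRITE_FLAGS = {"O_RDWR", "O_WRONLY", "O_CREAT", "O_TRUNC"}


def new_record():
    return {"write_open_denied": False, "write_opened": False,
            "readonly_opened": False, "write_calls": 0, "errno": None}


def analyze(strace_text):
    """Return {path: record} describing how each path was opened and used."""
    report = defaultdict(new_record)
    fd_table = {}  # (pid, fd) -> path, for descriptors currently open
    for line in strace_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            rec = report[m["path"]]
            wants_write = bool(set(m["flags"].split("|")) & WRITE_FLAGS)
            ret = int(m["ret"])
            if ret < 0:
                if wants_write:
                    rec["write_open_denied"] = True
                    rec["errno"] = m["errno"]
            else:
                if wants_write:
                    rec["write_opened"] = True
                else:
                    rec["readonly_opened"] = True
                fd_table[(m["pid"], str(ret))] = m["path"]
            continue
        m = WRITE_RE.match(line)
        if m:
            path = fd_table.get((m["pid"], m["fd"]))
            if path is not None:
                report[path]["write_calls"] += 1
            continue
        m = CLOSE_RE.match(line)
        if m:
            fd_table.pop((m["pid"], m["fd"]), None)  # fd numbers get reused
    return dict(report)


def verdict(rec):
    """Translate a record into the policy question the thread is asking."""
    if rec["write_calls"] > 0:
        return "data is written through a descriptor on this file; write access is genuinely needed"
    if rec["write_open_denied"] and rec["readonly_opened"]:
        return "read-only access suffices; the write open is a failed attempt with no actual writes"
    if rec["write_opened"]:
        return "opened for writing but never written to; check whether the write flags are needed"
    return "no write attempts observed"


def summarize(strace_text):
    report = analyze(strace_text)
    return [f"{path}: {verdict(rec)} (denied={rec['errno']}, writes={rec['write_calls']})"
            for path, rec in sorted(report.items())]


if __name__ == "__main__":
    for line in summarize(SAMPLE_STRACE):
        print(line)
```

Run against a real `strace -f -e trace=file,desc` capture of mlogc, the per-path verdicts tell you whether the AVC denials reflect real writes or only a failed open attempt. For the latter case the least-privilege policy choice is to grant read access to the certificate store (in refpolicy that is `miscfiles_read_certs()`) and `dontaudit` the write attempt, rather than the `miscfiles_manage_cert_files()` line that audit2allow proposes above.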