2014-06-10 15:22:47

by andronicus.spiros

Subject: [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc

Add the right labelling support for the
ModSecurity Audit Log Collector (mlogc).
mlogc is started by apache and runs with the
same selinux security context.

Signed-off-by: Elia Pinto <[email protected]>
---
This is the second revision. The httpd_log_t context was not
sufficient for mlogc.

I'm sorry for the noise, eventually, but I'm not sure that the patch has arrived on the mailing list
and so I send it back from another account for safety.
apache.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/apache.fc b/apache.fc
index 4e90b04..ec0c0fb 100644
--- a/apache.fc
+++ b/apache.fc
@@ -125,6 +125,7 @@ ifdef(`distro_suse',`
/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
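Review bot: the subject line names apache.te, but the only file this hunk touches is apache.fc; retitle the commit to match. The description also only says that httpd_log_t "was not sufficient" without saying why; the commit message should list which operations were denied under httpd_log_t, so that the choice of httpd_sys_rw_content_t over a log type can be reviewed from the patch alone.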
--
1.7.10.4


2014-06-11 14:13:44

by cpebenito

Subject: [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc

On 06/10/2014 11:22 AM, Elia Pinto wrote:
> Add the right labelling support for the
> ModSecurity Audit Log Collector (mlogc).
> mlogc is started by apache and runs with the
> same selinux security context.
>
> Signed-off-by: Elia Pinto <[email protected]>
> ---
> This is the second revision. The httpd_log_t context was not
> sufficient for mlogc.

Why was httpd_log_t insufficient for mlogc?


> diff --git a/apache.fc b/apache.fc
> index 4e90b04..ec0c0fb 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -125,6 +125,7 @@ ifdef(`distro_suse',`
> /var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-06-11 14:55:14

by andronicus.spiros

Subject: [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc

On 11/Jun/2014 16:12 "Christopher J. PeBenito" <[email protected]>
wrote:
>
> On 06/10/2014 11:22 AM, Elia Pinto wrote:
> > Add the right labelling support for the
> > ModSecurity Audit Log Collector (mlogc).
> > mlogc is started by apache and runs with the
> > same selinux security context.
> >
> > Signed-off-by: Elia Pinto <[email protected]>
> > ---
> > This is the second revision. The httpd_log_t context was not
> > sufficient for mlogc.
>
> Why was httpd_log_t insufficient for mlogc?
In particular, because mlogc also creates new directories in /var/log/mlogc.

Thanks

Best regards
>
>
> > diff --git a/apache.fc b/apache.fc
> > index 4e90b04..ec0c0fb 100644
> > --- a/apache.fc
> > +++ b/apache.fc
> > @@ -125,6 +125,7 @@ ifdef(`distro_suse',`
> > /var/log/cherokee(/.*)?
gen_context(system_u:object_r:httpd_log_t,s0)
> > /var/log/dirsrv/admin-serv(/.*)?
gen_context(system_u:object_r:httpd_log_t,s0)
> > /var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> > +/var/log/mlogc(/.*)?
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> > /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> > /var/log/horde2(/.*)?
gen_context(system_u:object_r:httpd_log_t,s0)
> > /var/log/lighttpd(/.*)?
gen_context(system_u:object_r:httpd_log_t,s0)
> >
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

2014-06-13 12:45:40

by cpebenito

Subject: [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc

On 06/11/2014 10:55 AM, Elia Pinto wrote:
>
> On 11/Jun/2014 16:12 "Christopher J. PeBenito" <cpebenito at tresys.com <mailto:[email protected]>> wrote:
>>
>> On 06/10/2014 11:22 AM, Elia Pinto wrote:
>> > Add the right labelling support for the
>> > ModSecurity Audit Log Collector (mlogc).
>> > mlogc is started by apache and runs with the
>> > same selinux security context.
>> >
>> > Signed-off-by: Elia Pinto <andronicus.spiros at gmail.com <mailto:[email protected]>>
>> > ---
>> > This is the second revision. The httpd_log_t context was not
>> > sufficient for mlogc.
>>
>> Why was httpd_log_t insufficient for mlogc?
> In particular, because mlogc also creates new directories in /var/log/mlogc.

Which domain is this running in? Is it httpd_t? That domain has permissions to create dirs inside httpd_log_t.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-06-16 17:12:29

by andronicus.spiros

Subject: [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc

2014-06-13 14:45 GMT+02:00 Christopher J. PeBenito <[email protected]>:

> On 06/11/2014 10:55 AM, Elia Pinto wrote:
> >
> > On 11/Jun/2014 16:12 "Christopher J. PeBenito" <[email protected]
> <mailto:[email protected]>> wrote:
> >>
> >> On 06/10/2014 11:22 AM, Elia Pinto wrote:
> >> > Add the right labelling support for the
> >> > ModSecurity Audit Log Collector (mlogc).
> >> > mlogc is started by apache and runs with the
> >> > same selinux security context.
> >> >
> >> > Signed-off-by: Elia Pinto <[email protected] <mailto:
> andronicus.spiros at gmail.com>>
> >> > ---
> >> > This is the second revision. The httpd_log_t context was not
> >> > sufficient for mlogc.
> >>
> >> Why was httpd_log_t insufficient for mlogc?
> > In particular, because mlogc also creates new directories in /var/log/mlogc.
>
> Which domain is this running in? Is it httpd_t? That domain has
> permissions to create dirs inside httpd_log_t.
>
Sorry for the long delay and for not being precise in the response, but I
was traveling that day.

The AVC audit log for mlogc is the following (using httpd_log_t for
the file/directory context):

type=SYSCALL msg=audit(1401093840.723:102165): arch=c000003e syscall=82
success=yes exit=0 a0=660060 a1=7f9053b21b50 a2=6d5058 a3=6e2e676f6c2e6575
items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093840.723:102165): avc: denied { rename } for
pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=296
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093840.723:102166): arch=c000003e syscall=87
success=yes exit=0 a0=7f9053b21b50 a1=6d5058 a2=0 a3=6e2e676f6c2e6575
items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093840.723:102166): avc: denied { unlink } for
pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=296
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093840.722:102164): arch=c000003e syscall=2
success=yes exit=6 a0=7f9053b21c50 a1=2c1 a2=1b6 a3=7f9053b21b4f items=0
ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093840.722:102164): avc: denied { write } for
pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=268
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093897.332:102173): arch=c000003e syscall=2
success=yes exit=6 a0=7f9053b21c50 a1=2c1 a2=1b6 a3=7f9053b21b4f items=0
ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093897.332:102173): avc: denied { write } for
pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=297
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093897.333:102174): arch=c000003e syscall=82
success=yes exit=0 a0=660060 a1=7f9053b21b50 a2=6d5058 a3=6e2e676f6c2e6575
items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093897.333:102174): avc: denied { rename } for
pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=268
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093897.333:102175): arch=c000003e syscall=87
success=yes exit=0 a0=7f9053b21b50 a1=6d5058 a2=0 a3=6e2e676f6c2e6575
items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093897.333:102175): avc: denied { unlink } for
pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=268
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

By analyzing the current SELinux reference
policy selinux-policy-targeted-3.7.19-231.el6_5.1.noarch (RHEL 6.5 of
course) with sesearch:

cat /tmp/sys_rw_t
Found 3 semantic av rules:
allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
allow httpd_t httpdcontent : file { ioctl read write create getattr
setattr lock append unlink link rename execute open } ;

Found 4 semantic av rules:
allow httpd_t httpd_sys_rw_content_t : dir { getattr search open } ;
allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create
getattr setattr lock unlink link rename add_name remove_name reparent
search rmdir open } ;
allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create
getattr setattr lock unlink link rename add_name remove_name reparent
search rmdir open } ;
allow httpd_t httpdcontent : dir { ioctl read write create getattr
setattr lock unlink link rename add_name remove_name reparent search rmdir
open } ;

[root at esil781 ~]# cat /tmp/log_t
Found 2 semantic av rules:
allow httpd_t httpd_log_t : file { ioctl read create getattr lock append
open } ;
allow daemon logfile : file { ioctl getattr lock append open } ;

Found 2 semantic av rules:
allow httpd_t httpd_log_t : dir { ioctl write create getattr setattr
lock add_name search open } ;
allow daemon logfile : dir { getattr search open } ;


the file context httpd_sys_rw_content_t seems the most appropriate for
/var/log/mlogc.

Thanks and Best Regards

--
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>
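As an added illustration (not part of the thread or of refpolicy), the script below parses the AVC records quoted above, groups the denied permissions by source type, target type and object class, and compares them with the file-class allow rules that the sesearch output prints, so one can see that httpd_log_t lacks write, rename and unlink while httpd_sys_rw_content_t grants them. The AVC sample lines are copies of the thread's records joined back into one line each; only the file class is covered because only file-class denials appear in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the three distinct denials quoted above, with the
# mail-client line wrapping joined back into one record each, plus one
# SYSCALL record to show that non-AVC records are skipped.
AVC_SAMPLE = [
    'type=AVC msg=audit(1401093840.722:102164): avc: denied { write } for pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file',
    'type=AVC msg=audit(1401093840.723:102165): avc: denied { rename } for pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file',
    'type=AVC msg=audit(1401093840.723:102166): avc: denied { unlink } for pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1401093840.723:102166): arch=c000003e syscall=87 success=yes exit=0 comm="mlogc" exe="/usr/bin/mlogc"',
]

# File-class allow rules for httpd_t exactly as sesearch printed them in the thread.
ALLOWED = {
    ("httpd_t", "httpd_log_t", "file"): {"ioctl", "read", "create", "getattr", "lock", "append", "open"},
    ("httpd_t", "httpd_sys_rw_content_t", "file"): {"ioctl", "read", "write", "create", "getattr", "setattr",
                                                   "lock", "append", "unlink", "link", "rename", "open"},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"      # permissions inside the braces
    r".*?scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)"  # user:role:TYPE[:level] -> TYPE
    r".*?tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def parse_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # SYSCALL, CWD, PATH records carry no denial and are skipped
            needed[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(needed)


def missing_perms(needed, allowed, candidate):
    """Permissions that would still be denied if the target were relabelled to candidate."""
    gaps = set()
    for (stype, _ttype, tclass), perms in needed.items():
        gaps |= perms - allowed.get((stype, candidate, tclass), set())
    return gaps


if __name__ == "__main__":
    denials = parse_denials(AVC_SAMPLE)
    for label in ("httpd_log_t", "httpd_sys_rw_content_t"):
        print(label, "still missing:", sorted(missing_perms(denials, ALLOWED, label)))
```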

2014-06-17 12:24:49

by cpebenito

Subject: [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc

On 06/10/2014 11:22 AM, Elia Pinto wrote:
> Add the right labelling support for the
> ModSecurity Audit Log Collector (mlogc).
> mlogc is started by apache and runs with the
> same selinux security context.
>
> Signed-off-by: Elia Pinto <[email protected]>
> ---
> This is the second revision. The httpd_log_t context was not
> sufficient for mlogc.
>
> I'm sorry for the noise, eventually, but I'm not sure that the patch has arrived on the mailing list
> and so I send it back from another account for safety.
> apache.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/apache.fc b/apache.fc
> index 4e90b04..ec0c0fb 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -125,6 +125,7 @@ ifdef(`distro_suse',`
> /var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
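Review bot: with this line /var/log/mlogc is no longer a log type, so httpd_t gets write, rename and unlink on the collector's files instead of the create/append access that httpd_log_t allows; the denials posted in the thread (write to mlogc-queue.log.new, rename, unlink of mlogc-queue.log.old) show the queue file is rewritten rather than appended, so the relabel is justified, but a short comment next to the entry in apache.fc, or a sentence in the commit message, would record that reason so the label is not later "fixed" back to httpd_log_t.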

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com