From: andronicus.spiros@gmail.com (Elia Pinto)
Date: Mon, 16 Jun 2014 19:12:29 +0200
Subject: [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
In-Reply-To: <539AF274.1000806@tresys.com>
References: <1402413767-23181-1-git-send-email-andronicus.spiros@gmail.com> <53986418.5020501@tresys.com> <539AF274.1000806@tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2014-06-13 14:45 GMT+02:00 Christopher J. PeBenito :
> On 06/11/2014 10:55 AM, Elia Pinto wrote:
> >
> > On 11/Jun/2014 16:12 "Christopher J. PeBenito" wrote:
> >>
> >> On 06/10/2014 11:22 AM, Elia Pinto wrote:
> >> > Add the right labelling support for the
> >> > ModSecurity Audit Log Collector (mlogc).
> >> > mlogc is started by apache and runs with the
> >> > same SELinux security context.
> >> >
> >> > Signed-off-by: Elia Pinto andronicus.spiros at gmail.com>>
> >> > ---
> >> > This is the second revision. httpd_log_t context was not
> >> > sufficient for mlogc
> >>
> >> Why was httpd_log_t insufficient for mlogc?
> > In particular because mlogc also creates a new directory in /var/log/mlogc.
>
> Which domain is this running in? Is it httpd_t? That domain has
> permissions to create dirs inside httpd_log_t.

Sorry for the long delay and for not being precise in the response, but I was traveling that day.

The AVC audit log for mlogc is the following (using httpd_log_t for the file/directory context):

type=SYSCALL msg=audit(1401093840.723:102165): arch=c000003e syscall=82 success=yes exit=0 a0=660060 a1=7f9053b21b50 a2=6d5058 a3=6e2e676f6c2e6575 items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.723:102165): avc: denied { rename } for pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093840.723:102166): arch=c000003e syscall=87 success=yes exit=0 a0=7f9053b21b50 a1=6d5058 a2=0 a3=6e2e676f6c2e6575 items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.723:102166): avc: denied { unlink } for pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093840.722:102164): arch=c000003e syscall=2 success=yes exit=6 a0=7f9053b21c50 a1=2c1 a2=1b6 a3=7f9053b21b4f items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.722:102164): avc: denied { write } for pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093897.332:102173): arch=c000003e syscall=2 success=yes exit=6 a0=7f9053b21c50 a1=2c1 a2=1b6 a3=7f9053b21b4f items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093897.332:102173): avc: denied { write } for pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=297 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093897.333:102174): arch=c000003e syscall=82 success=yes exit=0 a0=660060 a1=7f9053b21b50 a2=6d5058 a3=6e2e676f6c2e6575 items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093897.333:102174): avc: denied { rename } for pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093897.333:102175): arch=c000003e syscall=87 success=yes exit=0 a0=7f9053b21b50 a1=6d5058 a2=0 a3=6e2e676f6c2e6575 items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093897.333:102175): avc: denied { unlink } for pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

By analyzing the current SELinux reference policy selinux-policy-targeted-3.7.19-231.el6_5.1.noarch (RHEL 6.5 of course) with sesearch:

cat /tmp/sys_rw_t
Found 3 semantic av rules:
   allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ;

Found 4 semantic av rules:
   allow httpd_t httpd_sys_rw_content_t : dir { getattr search open } ;
   allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
   allow httpd_t httpdcontent : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;

[root at esil781 ~]# cat /tmp/log_t
Found 2 semantic av rules:
   allow httpd_t httpd_log_t : file { ioctl read create getattr lock append open } ;
   allow daemon logfile : file { ioctl getattr lock append open } ;

Found 2 semantic av rules:
   allow httpd_t httpd_log_t : dir { ioctl write create getattr setattr lock add_name search open } ;
   allow daemon logfile : dir { getattr search open } ;

The file context httpd_sys_rw_content_t seems the most appropriate for /var/log/mlogc.

Thanks and Best Regards

--
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
>
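The reasoning in the mail above (match each denied permission in the AVC records against the allow rules sesearch reports for the candidate target type) can be mechanised. The following is an added example, not code from the refpolicy project or from the thread; the audit records and allow rules it embeds are a constructed subset of the ones quoted above, with the SYSCALL records shortened to the fields the check needs. It reports which permissions would still be missing under httpd_log_t and under httpd_sys_rw_content_t, and it also flags a detail a tester should notice: every denied AVC here is paired with a SYSCALL record saying success=yes, which means the denials were logged but not enforced, so the same program would fail in enforcing mode.

```python
"""Correlate SELinux AVC denials with sesearch allow rules (added example)."""
import re
from collections import defaultdict

# Constructed sample: three AVC/SYSCALL pairs from the mail, SYSCALL lines abbreviated.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1401093840.723:102165): arch=c000003e syscall=82 success=yes exit=0 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.723:102165): avc: denied { rename } for pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093840.723:102166): arch=c000003e syscall=87 success=yes exit=0 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.723:102166): avc: denied { unlink } for pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093840.722:102164): arch=c000003e syscall=2 success=yes exit=6 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.722:102164): avc: denied { write } for pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
"""

# Constructed sample: the relevant allow rules from the sesearch output in the mail.
SESEARCH_OUTPUT = """\
allow httpd_t httpd_log_t : file { ioctl read create getattr lock append open } ;
allow httpd_t httpd_log_t : dir { ioctl write create getattr setattr lock add_name search open } ;
allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
"""

# Real audit logs put two spaces around "denied"; the " +" tolerates both spellings.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} '
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\): .*?success=(?P<success>\w+)'
)
ALLOW_RE = re.compile(
    r'allow (?P<src>\S+) (?P<tgt>\S+) : (?P<tclass>\S+) \{ (?P<perms>[^}]+)\} ;'
)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_denials(log):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denied = defaultdict(set)
    for m in AVC_RE.finditer(log):
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return dict(denied)


def parse_allow_rules(text):
    """Map (source, target, class) -> allowed permissions, merging duplicate rules."""
    allowed = defaultdict(set)
    for m in ALLOW_RE.finditer(text):
        allowed[(m["src"], m["tgt"], m["tclass"])].update(m["perms"].split())
    return dict(allowed)


def missing_permissions(denied, allowed, candidate_type):
    """Permissions each denial would still lack if the target were labelled candidate_type."""
    result = {}
    for (src, _tgt, tclass), perms in denied.items():
        have = allowed.get((src, candidate_type, tclass), set())
        result[(src, candidate_type, tclass)] = sorted(perms - have)
    return result


def unenforced_denials(log):
    """Audit event ids whose AVC denial is paired with a SYSCALL record reporting success=yes.
    A denial that did not fail the syscall was not enforced (permissive mode or a
    permissive domain), so a test that 'works' this way still breaks in enforcing mode."""
    outcome = {m["event"]: m["success"] for m in SYSCALL_RE.finditer(log)}
    return sorted({m["event"] for m in AVC_RE.finditer(log) if outcome.get(m["event"]) == "yes"})


if __name__ == "__main__":
    denied = parse_denials(AUDIT_LOG)
    allowed = parse_allow_rules(SESEARCH_OUTPUT)
    for candidate in ("httpd_log_t", "httpd_sys_rw_content_t"):
        print(candidate, missing_permissions(denied, allowed, candidate))
    print("denials logged but not enforced:", unenforced_denials(AUDIT_LOG))
```

Run against the sample, the report shows httpd_log_t still lacking file rename, unlink and write for httpd_t, while httpd_sys_rw_content_t lacks nothing that was denied; the dir rules confirm the point made earlier in the thread that httpd_t can already create directories under httpd_log_t, so the missing permissions are on the files, not the directory. Before committing to a broader label, the same check should be rerun against a full audit log captured in enforcing mode, since only then does every denial the program triggers actually surface as a failure.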