Hello all,
Back in April Dominick Grift kindly helped me to create a new policy
module for mlogc on my Fedora11 installation.
(The original correspondence can be seen here:
http://lists.fedoraproject.org/pipermail/selinux/2010-April/012353.html)
In the last couple of days I have upgraded to F13 and, despite copying
and rebuilding the relevant policy modules, I am now getting another
raft of AVCs relating to mlogc.
To Summarise:
=============
ModSecurity Log Collector (mlogc) is used to send ModSecurity audit log
data to a console. It is installed as part of the Fedora rpm
mod_security-2.5.12-1.fc13.i686 which I installed as part of the
upgrade. The actual ModSecurity Console (which receives the data) was
installed from source using the same tarball as was used on my F11
install.
With Dominick's help, these are the modules I created on the F11 box:
===========8<=======================================================
# cat mymlogc.te
policy_module(mymlogc, 1.0.10)

# Types for the mlogc domain, its executable, its log files and its config
type mlogc_t;
type mlogc_exec_t;
type mlogc_var_log_t;
type mlogc_etc_t;

logging_log_file(mlogc_var_log_t)
logging_log_filetrans(mlogc_t, mlogc_var_log_t, { dir file })
application_domain(mlogc_t, mlogc_exec_t)
role system_r types mlogc_t;
# permissive mlogc_t;

# Full control of its own log directory and files, read-only access to its config
manage_dirs_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
manage_files_pattern(mlogc_t, mlogc_var_log_t, mlogc_var_log_t)
read_files_pattern(mlogc_t, mlogc_etc_t, mlogc_etc_t)
files_search_etc(mlogc_t)
files_config_file(mlogc_etc_t)
files_read_usr_symlinks(mlogc_t)
files_read_etc_files(mlogc_t)
files_list_tmp(mlogc_t)
pcscd_read_pub_files(mlogc_t)
pcscd_stream_connect(mlogc_t)
miscfiles_read_localization(mlogc_t)
miscfiles_read_certs(mlogc_t)
dev_read_urand(mlogc_t)
userdom_use_user_terminals(mlogc_t)
#apache_manage_log(mlogc_t);
kernel_read_system_state(mlogc_t)

# Sockets, scheduling and capabilities mlogc uses on itself
allow mlogc_t self:tcp_socket create_socket_perms;
allow mlogc_t self:udp_socket create_socket_perms;
allow mlogc_t self:netlink_route_socket create_netlink_socket_perms;
allow mlogc_t self:process { setsched getsched };
allow mlogc_t self:capability { sys_nice dac_override };
allow mlogc_t self:sem create_sem_perms;

# TCP client access so it can reach the console on a generic port
corenet_all_recvfrom_netlabel(mlogc_t)
corenet_all_recvfrom_unlabeled(mlogc_t)
corenet_tcp_sendrecv_generic_if(mlogc_t)
corenet_tcp_sendrecv_generic_node(mlogc_t)
corenet_tcp_sendrecv_generic_port(mlogc_t)
corenet_tcp_bind_generic_node(mlogc_t)
corenet_sendrecv_generic_client_packets(mlogc_t)
corenet_tcp_connect_generic_port(mlogc_t)
===========8<=======================================================
===========8<=======================================================
# cat myapache.te
policy_module(myapache, 1.0.2)

gen_require(`
	type httpd_t;
')

# Let httpd start mlogc in its own domain, manage its logs and signal it.
# These interfaces are the ones defined alongside mymlogc.te in its .if file
# (not included in this post).
mlogc_domtrans(httpd_t)
mlogc_manage_log(httpd_t)
mlogc_signal(httpd_t)
===========8<=======================================================
And these are the new denials. Some worrying ones such as requiring
access to key files...
There were 12 AVCs relating to a single incident, but I have removed
ones I think are duplicates:
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.635:29370): avc: denied { write } for pid=3512
comm="mlogc" name="cert9.db" dev=sda6 ino=91782
scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.635:29370): arch=40000003 syscall=5
success=no exit=-13 a0=b5926308 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.847:29371): avc: denied { write } for pid=3512
comm="mlogc" name="tmp" dev=sda6 ino=1549
scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29371): arch=40000003 syscall=33
success=no exit=-13 a0=1e6774 a1=7 a2=1fca64 a3=2 items=0 ppid=1506 pid=3512
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.847:29373): avc: denied { write } for pid=3512
comm="mlogc" name="tmp" dev=sda6 ino=310
scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29373): arch=40000003 syscall=33
success=no exit=-13 a0=1e6778 a1=7 a2=1fca64 a3=4 items=0 ppid=1506 pid=3512
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.847:29374): avc: denied { write } for pid=3512
comm="mlogc" name="/" dev=sda6 ino=2
scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29374): arch=40000003 syscall=33
success=no exit=-13 a0=1e4d73 a1=7 a2=1fca64 a3=5 items=0 ppid=1506 pid=3512
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.852:29376): avc: denied { write } for pid=3512
comm="mlogc" name="key4.db" dev=sda6 ino=19637
scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.852:29376): arch=40000003 syscall=5
success=no exit=-13 a0=b5933cf8 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=system_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos type=AVC msg=audit(1281734421.861:29380): avc: denied { write } for pid=3512
comm="mlogc" name="/" dev=sda6 ino=2
scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.861:29380): arch=40000003 syscall=33
success=no exit=-13 a0=1e4d73 a1=7 a2=1fca64 a3=5 items=0 ppid=1506 pid=3512
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc"
subj=system_u:system_r:mlogc_t:s0 key=(null)
And this is what audit2allow makes of them...
require {
type mlogc_t;
}
#============= mlogc_t ==============
files_delete_root_dir_entry(mlogc_t)
files_delete_tmp_dir_entry(mlogc_t)
miscfiles_manage_cert_files(mlogc_t)
Should I add these to the above policy, or is there some other way?
Thanks in advance for any help or suggestions...
Mark
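An added example (not part of Mark's post or of the policy above): a small Python triage script that pairs each AVC record with the SYSCALL record sharing its audit id, decodes the i386 syscall number and arguments, and says whether audit2allow's "allow" is the right answer. The sample lines are constructed from the denials quoted in the post; the syscall numbers and open/access flag values are the standard i386 Linux ones.

```python
import re

# Constructed sample, copied in shape from the denials quoted in the post:
# each AVC record is followed by the SYSCALL record with the same audit(ts:serial) id.
SAMPLE = """node=troodos type=AVC msg=audit(1281734421.635:29370): avc: denied { write } for pid=3512 comm="mlogc" name="cert9.db" dev=sda6 ino=91782 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
node=troodos type=SYSCALL msg=audit(1281734421.635:29370): arch=40000003 syscall=5 success=no exit=-13 a0=b5926308 a1=8042 a2=1a4 a3=0 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)
node=troodos type=AVC msg=audit(1281734421.847:29371): avc: denied { write } for pid=3512 comm="mlogc" name="tmp" dev=sda6 ino=1549 scontext=system_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=troodos type=SYSCALL msg=audit(1281734421.847:29371): arch=40000003 syscall=33 success=no exit=-13 a0=1e6774 a1=7 a2=1fca64 a3=2 items=0 ppid=1506 pid=3512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=system_u:system_r:mlogc_t:s0 key=(null)
"""

I386_SYSCALLS = {5: "open", 33: "access"}    # arch=40000003 is AUDIT_ARCH_I386
O_WRONLY, O_RDWR, O_CREAT = 0o1, 0o2, 0o100   # open(2) flag bits, i386 Linux
W_OK = 2                                      # access(2) mode bit

def parse_records(text):
    """Group audit lines by audit(ts:serial) id -> {id: {record type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)", line)
        if not m:
            continue
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        perms = re.search(r"denied\s+\{([^}]*)\}", line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(m.group(2), {})[m.group(1)] = fields
    return events

def classify(text):
    """Per denial: is a plain 'allow' (audit2allow's answer) actually warranted?"""
    out = []
    for eid, recs in parse_records(text).items():
        avc, sc = recs.get("AVC", {}), recs.get("SYSCALL", {})
        ttype = avc["tcontext"].split(":")[2]
        name = I386_SYSCALLS.get(int(sc.get("syscall", -1)), "?")
        a1 = int(sc.get("a1", "0"), 16)
        if name == "access" and a1 & W_OK:
            # access(2) only asks "could I write here?"; nothing is written, so
            # the denial is noise: dontaudit it rather than grant write on tmp_t/root_t.
            verdict = "probe -> dontaudit, do not allow"
        elif name == "open" and a1 & (O_WRONLY | O_RDWR) and ttype == "cert_t":
            # The NSS cert/key database is being opened read-write (O_RDWR|O_CREAT).
            verdict = "read-write open of cert store -> do not grant write on cert_t"
        else:
            verdict = "review manually"
        out.append({"id": eid, "target": f"{ttype}:{avc['tclass']}", "perms": avc["perms"],
                    "syscall": name, "a1": a1, "verdict": verdict})
    return out

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```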