* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
@ 2014-06-10 15:22 Elia Pinto
  2014-06-11 14:13 ` Christopher J. PeBenito
  2014-06-17 12:24 ` Christopher J. PeBenito
  0 siblings, 2 replies; 7+ messages in thread
From: Elia Pinto @ 2014-06-10 15:22 UTC (permalink / raw)
  To: refpolicy

Add the right labelling support for the
ModSecurity Audit Log Collector (mlogc).
mlogc is started by apache and runs with the
same selinux security context.

Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
---
This is the second revision. httpd_log_t context was not
sufficient for mlogc.

I'm sorry for the noise, eventually, but I'm not sure that the patch has arrived on the mailing list,
and so I send it back from another account for safety.
 apache.fc |    1 +
 1 file changed, 1 insertion(+)

diff --git a/apache.fc b/apache.fc
index 4e90b04..ec0c0fb 100644
--- a/apache.fc
+++ b/apache.fc
@@ -125,6 +125,7 @@ ifdef(`distro_suse',`
 /var/log/cherokee(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/glpi(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/horde2(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
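Review bot: the added entry `+/var/log/mlogc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` gives a directory under /var/log the writable-web-content type while every neighbouring entry in this hunk uses httpd_log_t, and the description only says httpd_log_t "was not sufficient" without naming the denied operations; please record the denied permissions in the commit message so reviewers can weigh relabelling against extending httpd_log_t (or introducing a dedicated type for the mlogc queue), since content typed httpd_sys_rw_content_t can be rewritten and removed by httpd_t, which is exactly what a log type is meant to rule out. Two smaller points: the subject says apache.te but the diff touches only apache.fc, and the new line is inserted between glpi and httpd instead of after lighttpd, breaking the alphabetical order of the block.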
-- 
1.7.10.4


* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
  2014-06-10 15:22 [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc Elia Pinto
@ 2014-06-11 14:13 ` Christopher J. PeBenito
  2014-06-11 14:55   ` Elia Pinto
  2014-06-17 12:24 ` Christopher J. PeBenito
  1 sibling, 1 reply; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-06-11 14:13 UTC (permalink / raw)
  To: refpolicy

On 06/10/2014 11:22 AM, Elia Pinto wrote:
> Add the right labelling support for the
> ModSecurity Audit Log Collector (mlogc).
> mlogc is started by apache and runs with the
> same selinux security context.
> 
> Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
> ---
> This is the second revision. httpd_log_t context was not 
> sufficient for mlogc
 
Why was httpd_log_t insufficient for mlogc?


> diff --git a/apache.fc b/apache.fc
> index 4e90b04..ec0c0fb 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -125,6 +125,7 @@ ifdef(`distro_suse',`
>  /var/log/cherokee(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/glpi(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/mlogc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/horde2(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
  2014-06-11 14:13 ` Christopher J. PeBenito
@ 2014-06-11 14:55   ` Elia Pinto
  2014-06-13 12:45     ` Christopher J. PeBenito
  0 siblings, 1 reply; 7+ messages in thread
From: Elia Pinto @ 2014-06-11 14:55 UTC (permalink / raw)
  To: refpolicy

On 11 Jun 2014 16:12, "Christopher J. PeBenito" <cpebenito@tresys.com>
wrote:
>
> On 06/10/2014 11:22 AM, Elia Pinto wrote:
> > Add the right labelling support for the
> > ModSecurity Audit Log Collector (mlogc).
> > mlogc is started by apache and runs with the
> > same selinux security context.
> >
> > Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
> > ---
> > This is the second revision. httpd_log_t context was not
> > sufficient for mlogc
>
> Why was httpd_log_t insufficient for mlogc?
In particular, because mlogc creates new directories in /var/log/mlogc too.

Thanks

Best regards
>
>
> > diff --git a/apache.fc b/apache.fc
> > index 4e90b04..ec0c0fb 100644
> > --- a/apache.fc
> > +++ b/apache.fc
> > @@ -125,6 +125,7 @@ ifdef(`distro_suse',`
> >  /var/log/cherokee(/.*)?
 gen_context(system_u:object_r:httpd_log_t,s0)
> >  /var/log/dirsrv/admin-serv(/.*)?
gen_context(system_u:object_r:httpd_log_t,s0)
> >  /var/log/glpi(/.*)?  gen_context(system_u:object_r:httpd_log_t,s0)
> > +/var/log/mlogc(/.*)?
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> >  /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> >  /var/log/horde2(/.*)?
 gen_context(system_u:object_r:httpd_log_t,s0)
> >  /var/log/lighttpd(/.*)?
 gen_context(system_u:object_r:httpd_log_t,s0)
> >
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
  2014-06-11 14:55   ` Elia Pinto
@ 2014-06-13 12:45     ` Christopher J. PeBenito
  2014-06-16 17:12       ` Elia Pinto
  0 siblings, 1 reply; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-06-13 12:45 UTC (permalink / raw)
  To: refpolicy

On 06/11/2014 10:55 AM, Elia Pinto wrote:
> 
> On 11 Jun 2014 16:12, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>>
>> On 06/10/2014 11:22 AM, Elia Pinto wrote:
>> > Add the right labelling support for the
>> > ModSecurity Audit Log Collector (mlogc).
>> > mlogc is started by apache and runs with the
>> > same selinux security context.
>> >
>> > Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
>> > ---
>> > This is the second revision. httpd_log_t context was not
>> > sufficient for mlogc
>>
>> Why was httpd_log_t insufficient for mlogc?
> In particular, because mlogc creates new directories in /var/log/mlogc too.

Which domain is this running in? Is it httpd_t?  That domain has permissions to create dirs inside httpd_log_t.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
  2014-06-13 12:45     ` Christopher J. PeBenito
@ 2014-06-16 17:12       ` Elia Pinto
  0 siblings, 0 replies; 7+ messages in thread
From: Elia Pinto @ 2014-06-16 17:12 UTC (permalink / raw)
  To: refpolicy

2014-06-13 14:45 GMT+02:00 Christopher J. PeBenito <cpebenito@tresys.com>:

> On 06/11/2014 10:55 AM, Elia Pinto wrote:
> >
> > On 11 Jun 2014 16:12, "Christopher J. PeBenito" <cpebenito@tresys.com>
> > wrote:
> >>
> >> On 06/10/2014 11:22 AM, Elia Pinto wrote:
> >> > Add the right labelling support for the
> >> > ModSecurity Audit Log Collector (mlogc).
> >> > mlogc is started by apache and runs with the
> >> > same selinux security context.
> >> >
> >> > Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
> >> > ---
> >> > This is the second revision. httpd_log_t context was not
> >> > sufficient for mlogc
> >>
> >> Why was httpd_log_t insufficient for mlogc?
> > In particular, because mlogc creates new directories in /var/log/mlogc too.
>
> Which domain is this running in? Is it httpd_t?  That domain has
> permissions to create dirs inside httpd_log_t.
>

Sorry for the long delay and for not being precise in the response, but I
was traveling that day.

The AVC audit log for mlogc is the following (using httpd_log_t for
the file/directory context):

type=SYSCALL msg=audit(1401093840.723:102165): arch=c000003e syscall=82
success=yes exit=0 a0=660060 a1=7f9053b21b50 a2=6d5058 a3=6e2e676f6c2e6575
items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093840.723:102165): avc:  denied  { rename } for
pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=296
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093840.723:102166): arch=c000003e syscall=87
success=yes exit=0 a0=7f9053b21b50 a1=6d5058 a2=0 a3=6e2e676f6c2e6575
items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093840.723:102166): avc:  denied  { unlink } for
pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=296
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093840.722:102164): arch=c000003e syscall=2
success=yes exit=6 a0=7f9053b21c50 a1=2c1 a2=1b6 a3=7f9053b21b4f items=0
ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093840.722:102164): avc:  denied  { write } for
pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=268
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093897.332:102173): arch=c000003e syscall=2
success=yes exit=6 a0=7f9053b21c50 a1=2c1 a2=1b6 a3=7f9053b21b4f items=0
ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093897.332:102173): avc:  denied  { write } for
pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=297
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093897.333:102174): arch=c000003e syscall=82
success=yes exit=0 a0=660060 a1=7f9053b21b50 a2=6d5058 a3=6e2e676f6c2e6575
items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093897.333:102174): avc:  denied  { rename } for
pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=268
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

type=SYSCALL msg=audit(1401093897.333:102175): arch=c000003e syscall=87
success=yes exit=0 a0=7f9053b21b50 a1=6d5058 a2=0 a3=6e2e676f6c2e6575
items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1401093897.333:102175): avc:  denied  { unlink } for
pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=268
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

By analyzing the current selinux reference
policy selinux-policy-targeted-3.7.19-231.el6_5.1.noarch (RHEL 6.5 of
course) with sesearch:

cat /tmp/sys_rw_t
Found 3 semantic av rules:
   allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
   allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
   allow httpd_t httpdcontent : file { ioctl read write create getattr
setattr lock append unlink link rename execute open } ;

Found 4 semantic av rules:
   allow httpd_t httpd_sys_rw_content_t : dir { getattr search open } ;
   allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create
getattr setattr lock unlink link rename add_name remove_name reparent
search rmdir open } ;
   allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create
getattr setattr lock unlink link rename add_name remove_name reparent
search rmdir open } ;
   allow httpd_t httpdcontent : dir { ioctl read write create getattr
setattr lock unlink link rename add_name remove_name reparent search rmdir
open } ;

[root@esil781 ~]# cat /tmp/log_t
Found 2 semantic av rules:
   allow httpd_t httpd_log_t : file { ioctl read create getattr lock append
open } ;
   allow daemon logfile : file { ioctl getattr lock append open } ;

Found 2 semantic av rules:
   allow httpd_t httpd_log_t : dir { ioctl write create getattr setattr
lock add_name search open } ;
   allow daemon logfile : dir { getattr search open } ;


the file context httpd_sys_rw_content_t seems the most appropriate for
/var/log/mlogc.

Thanks and Best Regards

> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
>
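To make the comparison in the message above mechanical, here is an added example of my own (not refpolicy code and not the poster's): a small Python script that parses three of the AVC denials quoted above, each joined back onto a single line, and checks the permissions they request against the httpd_t allow rules transcribed from the sesearch output above. The ALLOW_RULES table is a hand transcription of that output for this RHEL 6.5 policy build, not a live policy query, so on another system it would have to be refilled from sesearch.

```python
"""Check SELinux AVC denials against candidate target labels.

Added example for this thread, not refpolicy code.  The AVC records are
copied from the message above (re-joined onto one line each); the allow
rules are transcribed by hand from the quoted sesearch output for
selinux-policy-targeted-3.7.19-231.el6_5.1 on RHEL 6.5.
"""
import re

# Three AVC denials from the thread, one per denied operation (rename,
# unlink, write), all raised by mlogc running as httpd_t against files
# labelled httpd_log_t.
AVC_LINES = """\
type=AVC msg=audit(1401093840.723:102165): avc:  denied  { rename } for pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1401093840.723:102166): avc:  denied  { unlink } for pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1401093840.722:102164): avc:  denied  { write } for pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
"""

# Allow rules transcribed from the sesearch output in the thread, keyed by
# (source type, target type, object class).  Hand-maintained: not queried
# from a live policy.
ALLOW_RULES = {
    ("httpd_t", "httpd_log_t", "file"):
        {"ioctl", "read", "create", "getattr", "lock", "append", "open"},
    ("httpd_t", "httpd_log_t", "dir"):
        {"ioctl", "write", "create", "getattr", "setattr", "lock",
         "add_name", "search", "open"},
    ("httpd_t", "httpd_sys_rw_content_t", "file"):
        {"ioctl", "read", "write", "create", "getattr", "setattr", "lock",
         "append", "unlink", "link", "rename", "open"},
    ("httpd_t", "httpd_sys_rw_content_t", "dir"):
        {"ioctl", "read", "write", "create", "getattr", "setattr", "lock",
         "unlink", "link", "rename", "add_name", "remove_name", "reparent",
         "search", "rmdir", "open"},
}

# One AVC record per line: permission set, comm, source/target context, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial line with types, class and permissions."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and unrelated lines are skipped
        denials.append({
            "comm": m.group("comm"),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def required_perms(denials):
    """Union of denied permissions, grouped by (source type, object class)."""
    need = {}
    for d in denials:
        need.setdefault((d["stype"], d["tclass"]), set()).update(d["perms"])
    return need


def missing_under_label(denials, candidate_type, rules=ALLOW_RULES):
    """Permissions that would still be denied if the targets had candidate_type."""
    missing = set()
    for (stype, tclass), perms in required_perms(denials).items():
        allowed = rules.get((stype, candidate_type, tclass), set())
        missing |= perms - allowed
    return missing


def candidate_report(denials, candidates=("httpd_log_t", "httpd_sys_rw_content_t")):
    """Map each candidate label to the sorted list of permissions it lacks."""
    return {c: sorted(missing_under_label(denials, c)) for c in candidates}


if __name__ == "__main__":
    for label, missing in candidate_report(parse_avc(AVC_LINES)).items():
        verdict = "covers all denied permissions" if not missing else \
            "still denies " + " ".join(missing)
        print(f"{label}: {verdict}")
```

Run as-is, the httpd_log_t row reports rename, unlink and write still denied while httpd_sys_rw_content_t reports nothing missing, which is the conclusion reached above. What the comparison also makes visible is that every denial is on the file class, not on directory creation, and that httpd_log_t grants httpd_t only append-style file access in this policy (no write, unlink or rename), so the relabel trades that log-integrity property for a working queue file; keeping the other httpd logs append-only is the argument for a separate type for the mlogc queue rather than widening httpd_log_t.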


* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
  2014-06-10 15:22 [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc Elia Pinto
  2014-06-11 14:13 ` Christopher J. PeBenito
@ 2014-06-17 12:24 ` Christopher J. PeBenito
  1 sibling, 0 replies; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-06-17 12:24 UTC (permalink / raw)
  To: refpolicy

On 06/10/2014 11:22 AM, Elia Pinto wrote:
> Add the right labelling support for the
> ModSecurity Audit Log Collector (mlogc).
> mlogc is started by apache and runs with the
> same selinux security context.
> 
> Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
> ---
> This is the second revision. httpd_log_t context was not 
> sufficient for mlogc
> 
> I'm sorry for the noise, eventually, but I'm not sure that the patch has arrived on the mailing list,
> and so I send it back from another account for safety.
>  apache.fc |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/apache.fc b/apache.fc
> index 4e90b04..ec0c0fb 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -125,6 +125,7 @@ ifdef(`distro_suse',`
>  /var/log/cherokee(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/glpi(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/mlogc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/horde2(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
@ 2014-06-09 12:00 Elia Pinto
  0 siblings, 0 replies; 7+ messages in thread
From: Elia Pinto @ 2014-06-09 12:00 UTC (permalink / raw)
  To: refpolicy

From: Elia Pinto <gitter.spiros@gmail.com>

Add the right labelling support for the
ModSecurity Audit Log Collector (mlogc).
mlogc is started by apache and runs with the
same selinux security context.

Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
---
This is the second revision. httpd_log_t context was not 
sufficient for mlogc
 apache.fc |    1 +
 1 file changed, 1 insertion(+)

diff --git a/apache.fc b/apache.fc
index 4e90b04..ec0c0fb 100644
--- a/apache.fc
+++ b/apache.fc
@@ -125,6 +125,7 @@ ifdef(`distro_suse',`
 /var/log/cherokee(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/glpi(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/log/httpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/horde2(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/lighttpd(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
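Review bot: the description states that httpd_log_t "was not sufficient for mlogc" but not which operations were denied, so the hunk cannot be reviewed on its own; name the denied permissions (and the domain mlogc runs in) in the commit message, because choosing httpd_sys_rw_content_t for a path under /var/log, where every adjacent entry is httpd_log_t, means httpd_t can rewrite and delete these files, and that trade-off should be explicit. Minor: the subject prefix names apache.te for an apache.fc-only change, and the entry is placed between glpi and httpd rather than after lighttpd, out of alphabetical order.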
-- 
1.7.10.4

