* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
@ 2014-06-10 15:22 Elia Pinto
2014-06-11 14:13 ` Christopher J. PeBenito
2014-06-17 12:24 ` Christopher J. PeBenito
0 siblings, 2 replies; 7+ messages in thread
From: Elia Pinto @ 2014-06-10 15:22 UTC (permalink / raw)
To: refpolicy
Add the right labelling support for the
ModSecurity Audit Log Collector (mlogc).
mlogc is started by apache and runs with the
same selinux security context.
Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
---
This is the second revision. httpd_log_t context was not
sufficient for mlogc.
I'm sorry for the noise, eventually, but I'm not sure that the patch has arrived on the mailing list
and so I send it back from another account for safety.
apache.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/apache.fc b/apache.fc
index 4e90b04..ec0c0fb 100644
--- a/apache.fc
+++ b/apache.fc
@@ -125,6 +125,7 @@ ifdef(`distro_suse',`
/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
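Review bot: the commit message does not say why httpd_log_t was insufficient, yet the added line is the only entry in this block that labels a /var/log path with httpd_sys_rw_content_t rather than httpd_log_t; please state the concrete denials that motivated the change (the rename, unlink and write denials on httpd_log_t files reported later in this thread) so the deviation is auditable, and note that relabelling moves the ModSecurity audit log out of the log type the surrounding entries share. The subject line also says apache.te while the only file touched is apache.fc; fix the subject so the change is findable in the history.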
--
1.7.10.4
* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
2014-06-10 15:22 [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc Elia Pinto
@ 2014-06-11 14:13 ` Christopher J. PeBenito
2014-06-11 14:55 ` Elia Pinto
2014-06-17 12:24 ` Christopher J. PeBenito
1 sibling, 1 reply; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-06-11 14:13 UTC (permalink / raw)
To: refpolicy
On 06/10/2014 11:22 AM, Elia Pinto wrote:
> Add the right labelling support for the
> ModSecurity Audit Log Collector(mlogc).
> mlogc is started by apache and run with the
> same selinux security context.
>
> Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
> ---
> This is the second revision. httpd_log_t context was not
> sufficient for mlogc
Why was httpd_log_t insufficient for mlogc?
> diff --git a/apache.fc b/apache.fc
> index 4e90b04..ec0c0fb 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -125,6 +125,7 @@ ifdef(`distro_suse',`
> /var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
2014-06-11 14:13 ` Christopher J. PeBenito
@ 2014-06-11 14:55 ` Elia Pinto
2014-06-13 12:45 ` Christopher J. PeBenito
0 siblings, 1 reply; 7+ messages in thread
From: Elia Pinto @ 2014-06-11 14:55 UTC (permalink / raw)
To: refpolicy
On 11 Jun 2014 16:12, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>
> On 06/10/2014 11:22 AM, Elia Pinto wrote:
> > Add the right labelling support for the
> > ModSecurity Audit Log Collector(mlogc).
> > mlogc is started by apache and run with the
> > same selinux security context.
> >
> > Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
> > ---
> > This is the second revision. httpd_log_t context was not
> > sufficient for mlogc
>
> Why was httpd_log_t insufficient for mlogc?
In particular because mlogc also creates new directories in /var/log/mlogc.
Thanks
Best regards
>
>
> > diff --git a/apache.fc b/apache.fc
> > index 4e90b04..ec0c0fb 100644
> > --- a/apache.fc
> > +++ b/apache.fc
> > @@ -125,6 +125,7 @@ ifdef(`distro_suse',`
> > /var/log/cherokee(/.*)?
gen_context(system_u:object_r:httpd_log_t,s0)
> > /var/log/dirsrv/admin-serv(/.*)?
gen_context(system_u:object_r:httpd_log_t,s0)
> > /var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> > +/var/log/mlogc(/.*)?
gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> > /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> > /var/log/horde2(/.*)?
gen_context(system_u:object_r:httpd_log_t,s0)
> > /var/log/lighttpd(/.*)?
gen_context(system_u:object_r:httpd_log_t,s0)
> >
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
2014-06-11 14:55 ` Elia Pinto
@ 2014-06-13 12:45 ` Christopher J. PeBenito
2014-06-16 17:12 ` Elia Pinto
0 siblings, 1 reply; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-06-13 12:45 UTC (permalink / raw)
To: refpolicy
On 06/11/2014 10:55 AM, Elia Pinto wrote:
>
> On 11 Jun 2014 16:12, "Christopher J. PeBenito" <cpebenito at tresys.com <mailto:cpebenito@tresys.com>> wrote:
>>
>> On 06/10/2014 11:22 AM, Elia Pinto wrote:
>> > Add the right labelling support for the
>> > ModSecurity Audit Log Collector(mlogc).
>> > mlogc is started by apache and run with the
>> > same selinux security context.
>> >
>> > Signed-off-by: Elia Pinto <andronicus.spiros at gmail.com <mailto:andronicus.spiros@gmail.com>>
>> > ---
>> > This is the second revision. httpd_log_t context was not
>> > sufficient for mlogc
>>
>> Why was httpd_log_t insufficient for mlogc?
> In particular Because mlogc create new directory in /var/log/mlogc also.
Which domain is this running in? Is it httpd_t? That domain has permissions to create dirs inside httpd_log_t.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
2014-06-13 12:45 ` Christopher J. PeBenito
@ 2014-06-16 17:12 ` Elia Pinto
0 siblings, 0 replies; 7+ messages in thread
From: Elia Pinto @ 2014-06-16 17:12 UTC (permalink / raw)
To: refpolicy
2014-06-13 14:45 GMT+02:00 Christopher J. PeBenito <cpebenito@tresys.com>:
> On 06/11/2014 10:55 AM, Elia Pinto wrote:
> >
> > On 11 Jun 2014 16:12, "Christopher J. PeBenito" <cpebenito@tresys.com <mailto:cpebenito@tresys.com>> wrote:
> >>
> >> On 06/10/2014 11:22 AM, Elia Pinto wrote:
> >> > Add the right labelling support for the
> >> > ModSecurity Audit Log Collector(mlogc).
> >> > mlogc is started by apache and run with the
> >> > same selinux security context.
> >> >
> >> > Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com <mailto:
> andronicus.spiros at gmail.com>>
> >> > ---
> >> > This is the second revision. httpd_log_t context was not
> >> > sufficient for mlogc
> >>
> >> Why was httpd_log_t insufficient for mlogc?
> > In particular Because mlogc create new directory in /var/log/mlogc also.
>
> Which domain is this running in? Is it httpd_t? That domain has
> permissions to create dirs inside httpd_log_t.
>
Sorry for the long delay and for not being precise in the response, but I
was traveling that day.
The AVC audit log for mlogc is the following (using httpd_log_t for
the file/directory context):
type=SYSCALL msg=audit(1401093840.723:102165): arch=c000003e syscall=82 success=yes exit=0 a0=660060 a1=7f9053b21b50 a2=6d5058 a3=6e2e676f6c2e6575 items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.723:102165): avc: denied { rename } for pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093840.723:102166): arch=c000003e syscall=87 success=yes exit=0 a0=7f9053b21b50 a1=6d5058 a2=0 a3=6e2e676f6c2e6575 items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.723:102166): avc: denied { unlink } for pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093840.722:102164): arch=c000003e syscall=2 success=yes exit=6 a0=7f9053b21c50 a1=2c1 a2=1b6 a3=7f9053b21b4f items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.722:102164): avc: denied { write } for pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093897.332:102173): arch=c000003e syscall=2 success=yes exit=6 a0=7f9053b21c50 a1=2c1 a2=1b6 a3=7f9053b21b4f items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093897.332:102173): avc: denied { write } for pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=297 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093897.333:102174): arch=c000003e syscall=82 success=yes exit=0 a0=660060 a1=7f9053b21b50 a2=6d5058 a3=6e2e676f6c2e6575 items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093897.333:102174): avc: denied { rename } for pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1401093897.333:102175): arch=c000003e syscall=87 success=yes exit=0 a0=7f9053b21b50 a1=6d5058 a2=0 a3=6e2e676f6c2e6575 items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093897.333:102175): avc: denied { unlink } for pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
Analyzing the current SELinux reference policy,
selinux-policy-targeted-3.7.19-231.el6_5.1.noarch (RHEL 6.5, of
course), with sesearch gives:
cat /tmp/sys_rw_t
Found 3 semantic av rules:
allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ;
Found 4 semantic av rules:
allow httpd_t httpd_sys_rw_content_t : dir { getattr search open } ;
allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow httpd_t httpdcontent : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
[root at esil781 ~]# cat /tmp/log_t
Found 2 semantic av rules:
allow httpd_t httpd_log_t : file { ioctl read create getattr lock append open } ;
allow daemon logfile : file { ioctl getattr lock append open } ;
Found 2 semantic av rules:
allow httpd_t httpd_log_t : dir { ioctl write create getattr setattr lock add_name search open } ;
allow daemon logfile : dir { getattr search open } ;
so the file context httpd_sys_rw_content_t seems the most appropriate for
/var/log/mlogc.
Thanks and best regards
--
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
>
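The reasoning in the message above (compare the permissions the AVC records say were denied with what sesearch says each target type grants, then pick a type that covers them) can be mechanised. The following Python script is an added example written for this thread; it is not code from refpolicy or from the thread's authors. The AVC records and allow rules it embeds are copied from Elia Pinto's message (a subset: the httpdcontent attribute rules are left out); the function names and the matching logic are mine, and attribute names such as daemon and logfile are treated as plain names, so the attribute expansion sesearch performs is not modelled.

```python
"""Cross-check SELinux AVC denials against sesearch allow rules.

Added example for the refpolicy mlogc thread; not code from refpolicy or
from the thread's authors. The AVC records and allow rules below are copied
from the thread; function names and matching logic are this example's own.
"""
import re
from collections import defaultdict

# AVC denials plus one SYSCALL record as posted in the thread (file-class
# denials of httpd_t on httpd_log_t while mlogc rotates its queue file).
AVC_LINES = """\
type=SYSCALL msg=audit(1401093840.723:102165): arch=c000003e syscall=82 success=yes exit=0 a0=660060 a1=7f9053b21b50 a2=6d5058 a3=6e2e676f6c2e6575 items=0 ppid=306 pid=539 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9378 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1401093840.723:102165): avc: denied { rename } for pid=539 comm="mlogc" name="mlogc-queue.log" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1401093840.723:102166): avc: denied { unlink } for pid=539 comm="mlogc" name="mlogc-queue.log.old" dev=dm-4 ino=296 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1401093840.722:102164): avc: denied { write } for pid=539 comm="mlogc" name="mlogc-queue.log.new" dev=dm-4 ino=268 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
"""

# sesearch output from the thread (subset: httpd_log_t and
# httpd_sys_rw_content_t rules; the httpdcontent attribute rules are omitted).
SESEARCH_RULES = """\
allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow httpd_t httpd_sys_rw_content_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow httpd_t httpd_log_t : file { ioctl read create getattr lock append open } ;
allow daemon logfile : file { ioctl getattr lock append open } ;
allow httpd_t httpd_log_t : dir { ioctl write create getattr setattr lock add_name search open } ;
allow daemon logfile : dir { getattr search open } ;
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")


def context_type(context):
    """Return the type field (third component) of user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for anything else (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def parse_rules(text):
    """Map (source, target, class) -> union of permissions over matching allow rules.
    Attribute names (daemon, logfile) stay as plain names; nothing is expanded."""
    allowed = defaultdict(set)
    for stype, ttype, tclass, perms in RULE_RE.findall(text):
        allowed[(stype, ttype, tclass)] |= set(perms.split())
    return dict(allowed)


def denied_permissions(avc_text):
    """Group the denied permissions by (source type, target type, class)."""
    needed = defaultdict(set)
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec:
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def missing_permissions(needed, allowed):
    """Denied permissions that the current rules really do not grant."""
    return {key: perms - allowed.get(key, set()) for key, perms in needed.items()}


def relabel_candidates(needed, allowed):
    """For each denial key, other target types whose rules (same source, same class)
    cover every denied permission AND everything the original type already granted,
    so relabelling would not silently remove an access the process relied on."""
    result = {}
    for (stype, ttype, tclass), perms in needed.items():
        baseline = allowed.get((stype, ttype, tclass), set())
        result[(stype, ttype, tclass)] = {
            t for (s, t, c), granted in allowed.items()
            if s == stype and c == tclass and t != ttype and (perms | baseline) <= granted
        }
    return result


if __name__ == "__main__":
    needed = denied_permissions(AVC_LINES)
    allowed = parse_rules(SESEARCH_RULES)
    for key, perms in needed.items():
        print(key, "denied:", sorted(perms))
        print("  missing under current rules:", sorted(missing_permissions(needed, allowed)[key]))
        print("  other target types covering them:", sorted(relabel_candidates(needed, allowed)[key]))
```

Run as-is, the script reports that httpd_t lacks rename, unlink and write on httpd_log_t files and that, among the embedded rules, only httpd_sys_rw_content_t covers those plus everything httpd_log_t already granted. It deliberately stops there: whether to relabel the directory or to extend httpd_t's permissions on httpd_log_t (keeping the audit log under the log type) is a policy decision, and the candidate check only shows that the relabel does not lose access, not that it is the narrower grant. One more thing worth reading off the records above: every SYSCALL line paired with a denial reports success=yes, which is the signature of a permissive domain or system; under enforcing mode those rotations would have failed.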
* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
2014-06-10 15:22 [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc Elia Pinto
2014-06-11 14:13 ` Christopher J. PeBenito
@ 2014-06-17 12:24 ` Christopher J. PeBenito
1 sibling, 0 replies; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-06-17 12:24 UTC (permalink / raw)
To: refpolicy
On 06/10/2014 11:22 AM, Elia Pinto wrote:
> Add the right labelling support for the
> ModSecurity Audit Log Collector(mlogc).
> mlogc is started by apache and run with the
> same selinux security context.
>
> Signed-off-by: Elia Pinto <andronicus.spiros@gmail.com>
> ---
> This is the second revision. httpd_log_t context was not
> sufficient for mlogc
>
> I'm sorry for the noice, eventually, but I'm not sure that the patch has arrived on the mailing list
> and so i send it back from another account for safety.
> apache.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/apache.fc b/apache.fc
> index 4e90b04..ec0c0fb 100644
> --- a/apache.fc
> +++ b/apache.fc
> @@ -125,6 +125,7 @@ ifdef(`distro_suse',`
> /var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH v2] apache.te: Add labelling support for /var/log/mlogc
@ 2014-06-09 12:00 Elia Pinto
0 siblings, 0 replies; 7+ messages in thread
From: Elia Pinto @ 2014-06-09 12:00 UTC (permalink / raw)
To: refpolicy
From: Elia Pinto <gitter.spiros@gmail.com>
Add the right labelling support for the
ModSecurity Audit Log Collector (mlogc).
mlogc is started by apache and runs with the
same selinux security context.
Signed-off-by: Elia Pinto <gitter.spiros@gmail.com>
---
This is the second revision. httpd_log_t context was not
sufficient for mlogc.
apache.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/apache.fc b/apache.fc
index 4e90b04..ec0c0fb 100644
--- a/apache.fc
+++ b/apache.fc
@@ -125,6 +125,7 @@ ifdef(`distro_suse',`
/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/mlogc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
--
1.7.10.4