Re: [mod-security-users] Two SELinux issues with RHEL 5.2 and MLOGC 2.5.4
From: Brian R. <Bri...@br...> - 2008-09-23 15:59:27
Ray wrote:
> On a new install of MLOGC on RHEL 5.2 with SELinux set to Enforcing, I got
> these log entries. I temporarily set it to Permissive to troubleshoot it. I
> don't know if these can get fixed within MLOGC itself so I don't have to
> modify the SELinux policy, so I thought I'd ask. It looks like the first one
> is caused by the creation of the individual folders for each day something
> is logged. The second one looks like a behavioral issue with MLOGC. :-)
> MLOGC was statically linked because I didn't want to install several more
> packages just for its use.
>
> Ray
>
> Sep 19 19:57:37 <host name> setroubleshoot: SELinux prevented httpd reading
> and writing access to http files. For complete SELinux messages. run
> sealert -l e9d39750-4e5f-4901-8995-e09de906febf
>
> [root@<host name> logs]# sealert -l e9d39750-4e5f-4901-8995-e09de906febf
>
> Summary:
>
> SELinux prevented httpd reading and writing access to http files.
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was
> permitted due to permissive mode.]
>
> SELinux prevented httpd reading and writing access to http files. Ordinarily
> httpd is allowed full access to all files labeled with http file context.
> This machine has a tightened security policy with the httpd_unified turned
> off, this requires explicit labeling of all files. If a file is a cgi script
> it needs to be labeled with httpd_TYPE_script_exec_t in order to be
> executed. If it is read-only content, it needs to be labeled
> httpd_TYPE_content_t, it is writable content. it needs to be labeled
> httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
> command to change these contexts.
>
> Please refer to the man page "man httpd_selinux" or FAQ
> (http://fedora.redhat.com/docs/selinux-apache-fc3) "TYPE" refers to one of
> "sys", "user" or "staff" or potentially other script types.
>
> Allowing Access:
>
> Changing the "httpd_unified" boolean to true will allow this access:
> "setsebool -P httpd_unified=1"
>
> The following command will allow this access:
>
> setsebool -P httpd_unified=1
>
> Additional Information:
>
> Source Context                user_u:system_r:httpd_t
> Target Context                user_u:object_r:httpd_log_t
> Target Objects                ./20080919 [ dir ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port                          <Unknown>
> Host                          <host name>
> Source RPM Packages           httpd-2.2.3-11.el5_1.3
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   httpd_unified
> Host Name                     <host name>
> Platform                      Linux <host name> 2.6.18-92.1.6.el5 #1 SMP Fri Jun 20 02:36:16 EDT 2008 i686 i686
> Alert Count                   3
> First Seen                    Fri Sep 19 19:56:17 2008
> Last Seen                     Fri Sep 19 19:59:12 2008
> Local ID                      e9d39750-4e5f-4901-8995-e09de906febf
> Line Numbers
>
> Raw Audit Messages
>
> host=<host name> type=AVC msg=audit(1221868752.440:13561): avc: denied { create } for pid=4483 comm="httpd" name="20080919" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=dir
>
> host=<host name> type=SYSCALL msg=audit(1221868752.440:13561): arch=40000003 syscall=39 success=yes exit=0 a0=97088c0 a1=1e8 a2=aca1e8 a3=97088c0 items=0 ppid=4477 pid=4483 auid=1007 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2166 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)

Looks like you have to create a custom policy to allow creation of
subdirectories.

1) Make sure the data directory is marked with httpd_log_t (via chcon),
   which it seems to be.
2) Allow subdirs to be created via a local policy.

Something like this:

    allow httpd_t httpd_log_t:dir create;

> Sep 19 19:57:37 <host name> setroubleshoot: SELinux is preventing mlogc
> (httpd_t) "execmem" to <Unknown> (httpd_t). For complete SELinux messages.
> run sealert -l 3c2dd20b-d5af-46dd-a16d-dad0abf4ce7e
>
> Summary:
>
> SELinux is preventing mlogc (httpd_t) "execmem" to <Unknown> (httpd_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was
> permitted due to permissive mode.]
>
> SELinux denied access requested by mlogc. It is not expected that this
> access is required by mlogc and this access may signal an intrusion attempt.
> It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                user_u:system_r:httpd_t
> Target Context                user_u:system_r:httpd_t
> Target Objects                None [ process ]
> Source                        mlogc
> Source Path                   /usr/local/bin/mlogc
> Port                          <Unknown>
> Host                          <host name>
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     <host name>
> Platform                      Linux <host name> 2.6.18-92.1.6.el5 #1 SMP Fri Jun 20 02:36:16 EDT 2008 i686 i686
> Alert Count                   233
> First Seen                    Fri Sep 19 15:52:39 2008
> Last Seen                     Fri Sep 19 19:59:05 2008
> Local ID                      3c2dd20b-d5af-46dd-a16d-dad0abf4ce7e
> Line Numbers
>
> Raw Audit Messages
>
> host=<host name> type=AVC msg=audit(1221868745.350:13560): avc: denied { execmem } for pid=4715 comm="mlogc" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
>
> host=<host name> type=SYSCALL msg=audit(1221868745.350:13560): arch=40000003 syscall=192 per=400000 success=yes exit=15605760 a0=0 a1=a01000 a2=7 a3=22 items=0 ppid=4477 pid=4715 auid=1007 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2166 comm="mlogc" exe="/usr/local/bin/mlogc" subj=user_u:system_r:httpd_t:s0 key=(null)

This seems to be complaining that mlogc opened up memory for both execution
and write at the same time. I don't see where it would do this, but shared
libs are opened read/exec, then protections cleared, then opened read/write
(not sure why, though).

For example, this is what it does loading the apr lib on my system:

    open("/usr/lib/libapr-1.so.0", O_RDONLY) = 3
    read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\276"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0644, st_size=169312, ...}) = 0
    mmap(NULL, 2264760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f2b62cff000
    mprotect(0x7f2b62d27000, 2097152, PROT_NONE) = 0
    mmap(0x7f2b62f27000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28000) = 0x7f2b62f27000
    close(3) = 0

It seems that the second mmap call enables PROT_WRITE, but only after
clearing it via mprotect with PROT_NONE, so there should not be both
PROT_EXEC and PROT_WRITE set, which this SELinux log indicates. It is not
mlogc that is doing it, though, but the library loader.

Run mlogc through strace and that may shed some light on it. Something like
this will give results in /tmp/mlogc.strace:

    SecAuditLog "|/usr/bin/strace -o/tmp/mlogc.strace /path/to/mlogc /path/to/mlogc.conf"

Send me the mlogc trace privately, or create a tracker issue:

https://www.modsecurity.org/tracker/

thanks,
-B

--
Brian Rectanus
Breach Security
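The two raw AVC records quoted above, worked through as an added example that is not part of the original thread: it derives the allow rule from each record, wraps the first one in the local policy module Brian suggests (module name mlogc_logdir is an assumption), and decodes the prot word a2=7 of the mmap2 SYSCALL record that accompanies the execmem denial, which is the check to do before deciding whether that denial is expected. The build step uses the standard checkmodule / semodule_package / semodule tools and is skipped where they are not installed; host names in the constructed input are shortened to "h".

```shell
#!/bin/sh
# Added example, not from the thread. Input lines are copied from the AVC
# records quoted above with the "> " wrap markers removed (host shortened).
MKDIR_AVC='host=h type=AVC msg=audit(1221868752.440:13561): avc: denied { create } for pid=4483 comm="httpd" name="20080919" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=dir'
EXECMEM_AVC='host=h type=AVC msg=audit(1221868745.350:13560): avc: denied { execmem } for pid=4715 comm="mlogc" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process'

# Turn one raw AVC record into the matching "allow SRC TGT:CLASS PERM;" rule.
avc_to_allow() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied { *\([a-z_]*\) *}.*/\1/p')
    src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ -n "$perm" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# Wrap that rule in a complete .te module source ($1 = module name, assumed).
avc_to_te() {
    name=$1
    rule=$(avc_to_allow "$2") || return 1
    set -- $rule                      # allow SRC TGT:CLASS PERM;
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n%s\n' \
        "$name" "$2" "${3%%:*}" "${3#*:}" "${4%;}" "$rule"
}

# Compile and load NAME.te from the current directory. Needs checkpolicy and
# policycoreutils on the target host; skipped when checkmodule is missing.
install_module() {
    command -v checkmodule >/dev/null 2>&1 || { echo "no checkmodule here, skipping" >&2; return 0; }
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
}

# Decode the prot word (a2, hex) of an i386 mmap2 SYSCALL record (syscall=192)
# into PROT_* names: PROT_READ=1, PROT_WRITE=2, PROT_EXEC=4.
mmap_prot_names() {
    p=$((0x$1)); out=""
    [ $((p & 1)) -ne 0 ] && out="${out}PROT_READ|"
    [ $((p & 2)) -ne 0 ] && out="${out}PROT_WRITE|"
    [ $((p & 4)) -ne 0 ] && out="${out}PROT_EXEC|"
    printf '%s\n' "${out%|}"
}

avc_to_te mlogc_logdir "$MKDIR_AVC"     # module carrying Brian's allow rule
avc_to_allow "$EXECMEM_AVC"             # rule form of denial 2 (trace it first)
mmap_prot_names 7                       # a2=7 from the execmem SYSCALL record
```

Save the first function's output as mlogc_logdir.te and run `install_module mlogc_logdir` on the RHEL host to load it; the second rule is printed only to show what the execmem record amounts to, since the thread recommends tracing mlogc rather than allowing it.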