Re: [mod-security-users] MLOGC - strange permission problem
From: Christian B. <ch...@jw...> - 2010-04-04 17:01:17
Hi Arthur,
Do you have SELinux enabled on your system? Judging by the wiki of the
fedoraproject, SELinux is enabled by default. Thus there might be an
additional permission-check being done by SELinux. Check /var/log/messages
or /var/log/audit.log for a record/hint indicating that the permission
was denied by SELinux.
Also, check the security context of /var/log/httpd/mlogc by using
ls -laZ /var/log/httpd/mlogc
This will result in something like:
[root@waf ~]# ls -laZ /opt/modsecurity/var/audit
drwxr-xr-x apache root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root apache system_u:object_r:usr_t ..
drwxr-x--- apache apache system_u:object_r:httpd_sys_content_t 20100227
See my previous response to Michele, who ran into a similar problem:
http://sourceforge.net/mailarchive/message.php?msg_name=B2679166-EFF2-49C3-A714-FB3C1DB408DD%40jwall.org
Of course, your problem may not be related to SELinux, but you should
check that.
Regards,
Chris
On 04.04.2010 at 14:08, Arthur Dent wrote:
> Hello all,
>
> A couple of months ago I started using the mod-security console on my
> Fedora 11 machine. Installation went OK, I found that mlogc was already
> installed - I just needed to configure it.
>
> Everything has been going quite well and the console reports all alerts
> as expected.
>
> Today I decided to have a tidy-up. I had originally configured mlogc to
> write to /var/log/mlogc/ (which is where it has been quietly working
> ever since) but decided that it would be more logical to have it
> reporting under /var/log/httpd/mlogc/.
>
> I changed all the relevant references in /etc/mlogc.conf and restarted
> apache (subsequently even tried rebooting) but now I get this error in
> my modsec_debug.log:
>
> [04/Apr/2010:12:53:34 +0100] [www.mydomain.com/sid#1734598][rid#b7661098][/secret.html][1] Audit log: Failed to create subdirectories: /var/log/httpd/mlogc/data/20100404/20100404-1253 (Permission denied)
>
> As far as I can tell the permissions are set identically in both the old
> and the new directories:
>
> # ll /var/log/mlogc/
> total 612
> drwxr-xr-x. 21 apache apache 4096 2010-04-04 11:34 data
> -rw-r--r--. 1 root root 612313 2010-04-04 11:43 mlogc-error.log
> -rw-r--r--. 1 root root 11 2010-04-04 11:43 mlogc-queue.log
> -rw-r--r--. 1 root root 0 2010-04-04 11:43 mlogc-transaction.log
>
> # ll /var/log/httpd/mlogc/
> total 12
> drwxr-xr-x. 2 apache apache 4096 2010-04-04 11:36 data
> -rw-r--r--. 1 apache apache 3634 2010-04-04 12:53 mlogc-error.log
> -rw-r--r--. 1 apache apache 11 2010-04-04 11:52 mlogc-queue.log
> -rw-r--r--. 1 apache apache 0 2010-04-04 11:52 mlogc-transaction.log
>
> So what gives?
>
> Why does it work in /var/log/ but not in /var/log/httpd/ ?
>
> Thanks in advance...
>
> Mark
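The audit-log check suggested in the reply above, as an added example that is not part of the original thread: a small Python parser that pulls SELinux AVC denials for one source domain out of audit records and groups them by permission, object class and target label. The log lines are constructed samples, and `httpd_t` / `httpd_log_t` are assumed labels for illustration, not values reported in the thread.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread); labels are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1270381414.101:512): avc:  denied  { create } for  pid=2231 comm="httpd" name="20100404" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1270381414.101:512): arch=40000003 syscall=39 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1270381420.330:513): avc:  denied  { create } for  pid=2231 comm="httpd" name="20100404" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1270381500.007:520): avc:  denied  { read } for  pid=3100 comm="sendmail" name="aliases" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1270381501.000:521): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# "avc: denied { perm ... } for key=value ..." ; granted records are ignored.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else '?'


def parse_denial(line):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated or malformed record
    return {
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name') or fields.get('path', '?'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize_denials(log_text, source_type='httpd_t'):
    """Count denials whose source domain is source_type, grouped by what was refused."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and d['source_type'] == source_type:
            counts[(d['comm'], d['perms'], d['tclass'], d['target_type'], d['name'])] += 1
    return counts


if __name__ == '__main__':
    for (comm, perms, tclass, ttype, name), n in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x {comm} denied {{{' '.join(perms)}}} on {tclass} '{name}' labelled {ttype}")
```

The target label in each grouped denial is the value to compare against the `ls -laZ` output for the directory in question.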