Re: [mod-security-users] MLOGC - strange permission problem
From: Arthur D. <mis...@bl...> - 2010-04-04 18:05:21
On Sun, 2010-04-04 at 19:01 +0200, Christian Bockermann wrote:
> Hi Arthur,
>
> do you have SELinux enabled on your system? Judging by the wiki of the
> fedoraproject, SELinux is enabled by default. Thus there might be an
> additional permission-check being done by SELinux. Check /var/log/messages
> or /var/log/audit.log for a record/hint indicating that the permission
> was denied by SELinux.
>
> Also, check the security context of /var/log/httpd/mlogc by using
>
> ls -laZ /var/log/httpd/mlogc
>
> This will result in something like:
>
> [root@waf ~]# ls -laZ /opt/modsecurity/var/audit
> drwxr-xr-x apache root system_u:object_r:httpd_sys_content_t .
> drwxr-xr-x root apache system_u:object_r:usr_t ..
> drwxr-x--- apache apache system_u:object_r:httpd_sys_content_t 20100227
>
>
> See my previous response to Michele, who ran into a similar problem:
>
> http://sourceforge.net/mailarchive/message.php?msg_name=B2679166-EFF2-49C3-A714-FB3C1DB408DD%40jwall.org
>
>
> Of course, your problem may not be related to SELinux, but you should
> check that.
>
> Regards,
> Chris
>
>
>
> On 04.04.2010 at 14:08, Arthur Dent wrote:
>
> > Hello all,
> >
> > A couple of months ago I started using the mod-security console on my
> > Fedora 11 machine. Installation went OK, I found that mlogc was already
> > installed - I just needed to configure it.
> >
> > Everything has been going quite well and the console reports all alerts
> > as expected.
> >
> > Today I decided to have a tidy-up. I had originally configured mlogc to
> > write to /var/log/mlogc/ (which is where it has been quietly working
> > ever since) but decided that it would be more logical to have it
> > reporting under /var/log/httpd/mlogc/.
> >
> > I changed all the relevant references in /etc/mlogc.conf and restarted
> > apache (subsequently even tried rebooting) but now I get this error in
> > my modsec_debug.log:
> >
> > [04/Apr/2010:12:53:34 +0100] [www.mydomain.com/sid#1734598][rid#b7661098][/secret.html][1] Audit log: Failed to create subdirectories: /var/log/httpd/mlogc/data/20100404/20100404-1253 (Permission denied)
> >
> > As far as I can tell the permissions are set identically in both the old
> > and the new directories:
> >
> > # ll /var/log/mlogc/
> > total 612
> > drwxr-xr-x. 21 apache apache 4096 2010-04-04 11:34 data
> > -rw-r--r--. 1 root root 612313 2010-04-04 11:43 mlogc-error.log
> > -rw-r--r--. 1 root root 11 2010-04-04 11:43 mlogc-queue.log
> > -rw-r--r--. 1 root root 0 2010-04-04 11:43 mlogc-transaction.log
> >
> > # ll /var/log/httpd/mlogc/
> > total 12
> > drwxr-xr-x. 2 apache apache 4096 2010-04-04 11:36 data
> > -rw-r--r--. 1 apache apache 3634 2010-04-04 12:53 mlogc-error.log
> > -rw-r--r--. 1 apache apache 11 2010-04-04 11:52 mlogc-queue.log
> > -rw-r--r--. 1 apache apache 0 2010-04-04 11:52 mlogc-transaction.log
> >
> > So what gives?
> >
> > Why does it work in /var/log/ but not in /var/log/httpd/ ?
> >

Hi Christian,

Thanks for this reply. I too had thought that selinux could be the culprit, although I have it (at the moment) in permissive mode.

I had already tried changing the file context as you can see here:

ls -laZ /var/log/httpd/mlogc
drwxrwxr-x. apache apache system_u:object_r:httpd_log_t:s0 .
drwx------. root root system_u:object_r:httpd_log_t:s0 ..
drwxrwsr-x. apache apache system_u:object_r:httpd_log_t:s0 data
-rw-r--r--. apache apache system_u:object_r:httpd_log_t:s0 mlogc-error.log
-rw-r--r--. apache apache system_u:object_r:httpd_log_t:s0 mlogc-queue.log
-rw-r--r--. apache apache system_u:object_r:httpd_log_t:s0 mlogc-transaction.log

Note that the (working) directory has no such contexts:

ls -laZ /var/log/mlogc
drwxr-xr-x. apache apache unconfined_u:object_r:var_log_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 ..
drwxr-xr-x. apache apache unconfined_u:object_r:var_log_t:s0 data
-rw-r--r--. root root system_u:object_r:var_log_t:s0 mlogc-error.log
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 mlogc-queue.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0 mlogc-transaction.log

That gives selinux AVCs, but in permissive mode still works (I used audit2allow to create a local policy to stop the AVCs, but left SEL in permissive mode for the time being).

Having read your post to Michelle, I tried changing the context from "httpd_log_t" to "httpd_sys_content_t" as you can see here:

# chcon -R -u system_u -r object_r -t httpd_sys_content_t /var/log/httpd/mlogc/
# ls -laZ /var/log/httpd/mlogc
drwxrwxr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 .
drwx------. root root system_u:object_r:httpd_log_t:s0 ..
drwxrwsr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 data
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 mlogc-error.log
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 mlogc-queue.log
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 mlogc-transaction.log

Unfortunately (after restarting HTTPD) this still made no difference...

[04/Apr/2010:18:45:40 +0100] [www.mydomain.com/sid#2459598][rid#388f980][/secret.html][1] Audit log: Failed to create subdirectories: /var/log/httpd/mlogc/data/20100404/20100404-1845 (Permission denied)

I am now stumped!...

Any other ideas?

With grateful thanks...

Mark
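
Added example, not part of the original message: the listings in this thread compare owner, mode and SELinux context of the mlogc directories themselves, but creating a subdirectory also requires search (x) permission on every ancestor directory, and the ".." entry above (/var/log/httpd) is listed as drwx------ root root. The sh functions below list the ancestors an account cannot search, judged from mode bits alone; the function names and the example_svc account are hypothetical, GNU stat is assumed, and ACLs, SELinux and supplementary groups are ignored.

```sh
#!/bin/sh
# Added example (not from the thread). Judges search permission from
# owner/group/mode only; assumes GNU stat -c.

# can_search USER GROUP DIR: succeed if the mode bits let USER (primary
# group GROUP) traverse DIR. root bypasses directory search checks.
can_search() {
    [ "$1" = root ] && return 0
    cs_mode=$((0$(stat -c %a "$3")))        # e.g. 2775 read as octal 02775
    if [ "$1" = "$(stat -c %U "$3")" ]; then
        cs_bit=$((cs_mode & 0100))          # owner x
    elif [ "$2" = "$(stat -c %G "$3")" ]; then
        cs_bit=$((cs_mode & 0010))          # group x
    else
        cs_bit=$((cs_mode & 0001))          # other x
    fi
    [ "$cs_bit" -ne 0 ]
}

# blocked_components USER GROUP ABSPATH: print, root first, each existing
# directory on the way to ABSPATH (inclusive) that USER cannot search.
blocked_components() {
    case $3 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    bc_p=$3 bc_out=
    while :; do
        if [ -d "$bc_p" ] && ! can_search "$1" "$2" "$bc_p"; then
            bc_out="$bc_p
$bc_out"
        fi
        [ "$bc_p" = / ] && break
        bc_p=$(dirname "$bc_p")
    done
    printf '%s' "$bc_out"
}

# Constructed tree mirroring the thread's layout, with httpd/ at mode 700.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/log/httpd/mlogc/data"
    chmod -R 755 "$d" && chmod 700 "$d/log/httpd"
    blocked_components example_svc example_svc "$d/log/httpd/mlogc/data" |
        sed "s|^$d||"
    rm -rf "$d"
}
demo
```

On a live system the equivalent call would be blocked_components apache apache /var/log/httpd/mlogc/data, run as root so that every component can be stat'ed.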