Re: [mod-security-users] MLOGC - strange permission problem
From: Arthur D. <mis...@bl...> - 2010-04-05 08:23:39
On Mon, 2010-04-05 at 08:44 +0200, Christian Bockermann wrote:
> Hi Arthur,
Hi Chris,
> just a few things to try/assure:
This was really helpful advice, thank you...
> 1) Is /var/log/httpd/data empty? If it already contains the directory "20100404"
> with wrong permission, then this might be a problem.
> (I know, this is rather obvious, just trying to exclude all errors)
Yup, completely, frustratingly, maddeningly empty...
> 2) Did you check /var/log/messages and /var/log/audit.log for SELinux messages?
> Just to make sure, SELinux is not the problem.
Yes I did. There are some SEL messages (see below [1]) but none that
relate to this problem. I have a local policy in place too [2].
>
> 3) Try to disable SELinux completely, or at least for Apache and check again. If
> this works, then we know at least it's SELinux which causes the problems and
> we can investigate further.
Well, SEL is in permissive mode at the moment. I have thought of trying
to disable it, but this is a server and I would have to reboot + relabel
afterwards. Might be worth trying, but at the moment it's a last
resort...
> 4) If you su to apache, can you create the directory?
This was a good idea - but I had already tried it. Unfortunately I get
the message "This account is currently not available." when I try to
"su - apache" from root. I guess this is because apache is not a user
account. Is there any other way of testing this? A script perhaps?
> Before going to deeper into SELinux, we need to make sure it is the root of your
> errors :-)
Yes, I'm still inclined to agree with you that it has something to do
with SEL, especially as it works in /var/log/ but not in /var/log/httpd/.
However, given that it does work in /var/log/ should I give up at this
point and leave it there?
Am I flogging a dead horse here?
Thanks very much for your help so far. Much appreciated...
Mark
p.s.
[1] The SEL AVCs I am still getting that I have not yet incorporated
into my local policy [2] are related to mlogc's access to the /var/run/
pub and pid files. Note that the access was allowed (permissive mode
remember).
I am still undecided as to whether to take the advice given about
relabelling or to add these to my policy. What do you think?
a)
SELinux is preventing the mlogc from using potentially mislabeled files /var/run/pcscd.pid (pcscd_var_run_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /var/run/pcscd.pid so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/run/pcscd.pid'.
b)
SELinux is preventing the mlogc from using potentially mislabeled files /var/run/pcscd.pid (pcscd_var_run_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /var/run/pcscd.pid so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/run/pcscd.pid'.
[2]
# cat /root/selinux/mymlogc.te
module mymlogc 11.1.1;
require {
    type var_log_t;
    type httpd_log_t;
    type httpd_t;
    class dir create;
    class file { write rename unlink };
}
#============= httpd_t ==============
# mlogc runs in the httpd_t domain: let it write, rotate and remove
# files carrying the normal Apache log label.
allow httpd_t httpd_log_t:file { write rename unlink };
# ...and create directories and write files under plain var_log_t
# (the /var/log/ case that already works).
allow httpd_t var_log_t:dir create;
allow httpd_t var_log_t:file write;
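The two open questions in the post (how to test as the apache account when "su - apache" refuses, and whether a denied file should be relabelled or covered by policy) can both be settled from a shell. The script below is an added example, not code from the thread, from ModSecurity or from mlogc. It assumes a Red Hat style box: the service account is "apache" with a nologin shell, the SELinux userland (stat -c %C, matchpathcon, restorecon) is installed, and the probe is run as root. The "This account is currently not available." message comes from the account's login shell, not from any permission, so giving su a real shell with -s is enough to run commands as that user.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the Apache service
# account is "apache" with a nologin shell and that SELinux tools are present.

SVC_USER=${SVC_USER:-apache}

# 1. Run a command as the service account. "su - apache" fails with
#    "This account is currently not available." because the account's shell
#    is /sbin/nologin; overriding the shell with -s sidesteps that.
run_as_svc() {
    su -s /bin/sh "$SVC_USER" -c "$1"
}

# 2. Probe whether the account can create a directory under $1, the way
#    mlogc creates its per-day directory. A refusal here with SELinux in
#    permissive mode points at plain DAC (owner/mode), not at a policy rule.
probe_mkdir() {
    probe="$1/probe.$$"
    if run_as_svc "mkdir '$probe'" 2>/tmp/probe.err; then
        rmdir "$probe"
        echo "ok: $SVC_USER can mkdir in $1"
    else
        echo "FAIL: $SVC_USER cannot mkdir in $1: $(cat /tmp/probe.err)"
    fi
}

# 3. Type field (third colon-separated element) of a security context such
#    as system_u:object_r:pcscd_var_run_t:s0.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 4. Relabel or write policy? If the on-disk label differs from what the
#    policy's file contexts expect, the file is mislabeled and restorecon is
#    the fix. If they agree and access is still denied, the policy lacks a
#    rule (or a boolean must be toggled), so a local module is the answer.
decide() {   # $1 = actual type, $2 = type matchpathcon expects
    if [ "$1" != "$2" ]; then
        echo "relabel"
    else
        echo "policy"
    fi
}

# 5. Compare the actual label of a path with the one the policy expects.
check_label() {
    actual=$(type_of "$(stat -c %C "$1")")
    expected=$(type_of "$(matchpathcon -n "$1")")
    echo "$1: actual=$actual expected=$expected -> $(decide "$actual" "$expected")"
}

# Only run the live checks where they can work: as root, with SELinux tools.
if [ "$(id -u)" -eq 0 ] && command -v matchpathcon >/dev/null 2>&1; then
    probe_mkdir /var/log/httpd/data
    check_label /var/log/httpd/data
    check_label /var/run/pcscd.pid
fi
```

For the pcscd.pid denial quoted above, check_label will normally report "policy": pcscd_var_run_t is the label that daemon's own pid file is supposed to carry, so the chcon suggested by setroubleshoot is the wrong tool. A chcon does not survive a relabel, and moving the file to httpd_sys_content_t would take it away from pcscd's own policy. A "relabel" verdict on /var/log/httpd/data, by contrast, is fixed with restorecon -Rv /var/log/httpd and needs no module at all.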