Re: [mod-security-users] MLOGC - strange permission problem
From: Brian R. <Bri...@br...> - 2010-04-05 17:19:11
Arthur Dent wrote:
> On Mon, 2010-04-05 at 08:44 +0200, Christian Bockermann wrote:
>> Hi Arthur,
>
> Hi Chris,
>
>> just a few things to try/assure:
>
> This was really helpful advice thank you...
>
>> 1) Is /var/log/httpd/data empty? If it already contains the directory "20100404"
>> with wrong permission, then this might be a problem.
>> (I know, this is rather obvious, just trying to exclude all errors)
>
> Yup, completely, frustratingly, maddeningly empty...
>
>> 2) Did you check /var/log/messages and /var/log/audit.log for SELinux messages?
>> Just to make sure, SELinux is not the problem.
>
> Yes I did. There are some SEL messages (see below [1]) but none that
> relate to this problem. I have a local policy in place too [2].
>
>> 3) Try to disable SELinux completely, or at least for Apache and check again. If
>> this works, then we know at least it's SELinux which causes the problems and
>> we can investigate further.
>
> Well SEL is in permissive mode at the moment. I have thought of trying
> to disable it, but this is a server and I would have to reboot + relabel
> afterwards. Might be worth trying, but at the moment it's a last
> resort...
>
>> 4) If you su to apache, can you create the directory?
>
> This was a good idea - but I had already tried it. Unfortunately I get
> the message "This account is currently not available." when I try to "su
> - apache" from root. I guess this is because apache is not a user
> account. Is there any other way of testing this? A script perhaps?
su -s /bin/sh apache -c "mkdir -p /var/log/httpd/mlogc/data/20100405/20100405-0000"
or
sudo -u apache mkdir -p /var/log/httpd/mlogc/data/20100405/20100405-0000
Then make sure you can also create a file:
touch /var/log/httpd/mlogc/data/20100405/20100405-0000/20100405-0000-S3SB8X8AAQEAAAOkHIAAAAAC
Note also that ModSecurity (the apache user) needs list (read) access to
all the directories up to the data dir, as it checks to see if each node
in the dir path exists and/or needs to be created. This often gets people
who have /var/log/httpd set to 0750 or similar, but may also require
extra SEL config (I don't know much about SEL configs).
-B
>
>
>> Before going to deeper into SELinux, we need to make sure it is the root of your
>> errors :-)
>
> Yes I'm still inclined to agree with you that it has something to do
> with SEL, especially as it works in /var/log/ but not in /var/log/httpd/.
>
> However, given that it does work in /var/log/ should I give up at this
> point and leave it there?
>
> Am I flogging a dead horse here?
>
> Thanks very much for your help so far. Much appreciated...
>
> Mark
>
> p.s.
>
> [1] The SEL AVCs I am still getting that I have not yet incorporated
> into my local policy [2] are related to mlogc's access to the /var/run/
> pub and pid files. Note that the access was allowed (permissive mode
> remember).
>
> I am still undecided as to whether to take the advice given about
> relabelling or to add these to my policy. What do you think?
>
> a)
> SELinux is preventing the mlogc from using potentially mislabeled files /var/run/pcscd.pid (pcscd_var_run_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
>
> SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
>
> Allowing Access:
>
> If you want to change the file context of /var/run/pcscd.pid so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/run/pcscd.pid'.
>
> b)
> SELinux is preventing the mlogc from using potentially mislabeled files /var/run/pcscd.pid (pcscd_var_run_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
>
> SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
>
> Allowing Access:
>
> If you want to change the file context of /var/run/pcscd.pid so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/run/pcscd.pid'.
>
>
> [2]
> # cat /root/selinux/mymlogc.te
> module mymlogc 11.1.1;
>
> require {
> type var_log_t;
> type httpd_log_t;
> type httpd_t;
> class dir create;
> class file { write rename unlink };
> }
>
> #============= httpd_t ==============
> allow httpd_t httpd_log_t:file { write rename unlink };
> allow httpd_t var_log_t:dir create;
> allow httpd_t var_log_t:file write;
>
--
Brian Rectanus
Breach Security
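A shell check for the ancestor-directory permission point raised in the reply above, added here as an example that is not from the thread. It assumes a Linux box with GNU coreutils (stat -c, id -Gn); an account unknown to the box is treated as "other", and the probe function assumes sudo is available.

```shell
# Added example, not code from the thread: walk every ancestor of the mlogc
# data directory and report the first one a given account cannot search
# (missing x bit), the failure mode described above for /var/log/httpd at 0750.
# Assumes GNU coreutils; a user that does not exist is treated as "other".

# dir_searchable_by USER DIR: succeed if USER has the search (x) bit on DIR,
# choosing the owner, group or other class the way the kernel would.
dir_searchable_by() {
    dsb_user=$1
    dsb_dir=$2
    dsb_st=$(stat -c '%a %U %G' "$dsb_dir") || return 2
    set -- $dsb_st
    dsb_mode=${1#"${1%???}"}      # keep the last three octal digits
    if [ "$2" = "$dsb_user" ]; then
        dsb_bits=${dsb_mode%??}                                  # owner digit
    else
        case " $(id -Gn "$dsb_user" 2>/dev/null) " in
            *" $3 "*) dsb_bits=${dsb_mode%?}; dsb_bits=${dsb_bits#?} ;;  # group
            *)        dsb_bits=${dsb_mode#??} ;;                         # other
        esac
    fi
    [ $((dsb_bits & 1)) -eq 1 ]
}

# first_unsearchable_dir USER PATH: print the first directory on the chain
# / -> /var -> /var/log -> ... -> PATH that USER cannot search and return 1;
# print nothing and return 0 if the whole existing chain is traversable.
# Components that do not exist yet are skipped: those are what mlogc creates.
first_unsearchable_dir() {
    fud_user=$1
    fud_rest=${2#/}
    fud_cur=""
    dir_searchable_by "$fud_user" / || { echo /; return 1; }
    while [ -n "$fud_rest" ]; do
        fud_part=${fud_rest%%/*}
        case $fud_rest in */*) fud_rest=${fud_rest#*/} ;; *) fud_rest="" ;; esac
        [ -n "$fud_part" ] || continue
        fud_cur="$fud_cur/$fud_part"
        [ -d "$fud_cur" ] || break
        dir_searchable_by "$fud_user" "$fud_cur" || { echo "$fud_cur"; return 1; }
    done
    return 0
}

# probe_as_user USER DATADIR: the mkdir + touch test from the reply above, run
# as USER via sudo (needs root). DATADIR is your mlogc data directory.
probe_as_user() {
    sudo -u "$1" mkdir -p "$2/20100405/20100405-0000" &&
    sudo -u "$1" touch "$2/20100405/20100405-0000/probe-file"
}
```

Run first_unsearchable_dir apache /var/log/httpd/mlogc/data on the affected host; if it prints a directory, that is where the apache user loses the ability to traverse the path, independent of SELinux.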