Re: [mod-security-users] SecChrootDir and SELinux
From: Ivan R. <iv...@we...> - 2005-06-27 22:37:21
Jeff Tharp wrote:
> Hello, I'm working on building a reverse proxy configuration using
> ModSecurity-1.8.7 and Apache 2.0.54 on Red Hat Enterprise Linux v.4 ES.
> One of the items I would like to implement is to chroot Apache, and I'm
> running into some hassles with the default targeted SELinux policy
> (nothing like one security mechanism getting in the way of another).
Assuming the Apache targeted policy was created without chroot
in mind, do you think some of the problems you are experiencing
are there because e.g. the paths are different?
> Jun 25 13:18:02 wyrmfire kernel: audit(1119730682.328:0): avc: denied
> { write } for pid=2324 comm=httpd name=modsec_chroot.lock dev=sda8
> ino=55751 scontext=root:system_r:httpd_t
> tcontext=root:object_r:httpd_log_t tclass=file
> Jun 25 13:18:02 wyrmfire httpd: httpd startup succeeded
> Jun 25 13:18:02 wyrmfire kernel: audit(1119730682.769:0): avc: denied
> { unlink } for pid=2325 comm=httpd name=modsec_chroot.lock dev=sda8
> ino=55751 scontext=root:system_r:httpd_t
> tcontext=root:object_r:httpd_log_t tclass=file
By default, mod_security 1.8.x creates a temporary file,
modsec_chroot.lock, in ${ServerRoot}/logs/. Could it be that your
Apache configuration is such that this falls where it shouldn't?
You can try using the SecChrootLock directive to explicitly tell
mod_security where to put the lock file.
FYI, I will probably remove the need to create the lock file in
mod_security 1.9.x. If you want I can do it sooner rather than
later.
But we may still try to figure out the problem, and learn something
about SELinux along the way ;)
> allow httpd_t httpd_log_t:file { unlink write };
> ...
> it seems that Apache is being denied access to its own log files, which
> was probably done for a good reason ;-) Before I go off ignore said
Since unlink & write in the log folder are not allowed, what is
allowed? How will Apache create the logs if the operation is not
allowed? :)
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
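The `allow httpd_t httpd_log_t:file { unlink write };` line quoted in the thread is the kind of rule that a tool such as audit2allow derives from AVC denials. The script below is an added example, not code from the thread or from ModSecurity: it is a minimal re-implementation of that derivation, fed with the two `avc: denied` lines quoted above (re-joined into single syslog lines, since the mail client wrapped them). It also applies the check Ivan Ristic hints at: when every denial for a given source/target/class triple concerns the same object (here `modsec_chroot.lock`), the better fix is usually to relocate or relabel that one file (for example with `SecChrootLock`) rather than grant `httpd_t` write and unlink on everything labelled `httpd_log_t`. The heuristic and function names are this example's own.

```python
import re
from collections import defaultdict

# The two AVC denials quoted in the thread, each on one line as syslog wrote
# them (plus the unrelated "startup succeeded" line, which the parser skips).
SAMPLE_LOG = """\
Jun 25 13:18:02 wyrmfire kernel: audit(1119730682.328:0): avc: denied { write } for pid=2324 comm=httpd name=modsec_chroot.lock dev=sda8 ino=55751 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Jun 25 13:18:02 wyrmfire httpd: httpd startup succeeded
Jun 25 13:18:02 wyrmfire kernel: audit(1119730682.769:0): avc: denied { unlink } for pid=2325 comm=httpd name=modsec_chroot.lock dev=sda8 ino=55751 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return the denied permissions and the key=value fields of one AVC line,
    or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"perms": perms, **fields}


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, object class).

    Returns two dicts keyed by that triple: the union of denied permissions,
    and the set of object names the denials were raised for."""
    perms_by_key = defaultdict(set)
    names_by_key = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        perms_by_key[key].update(d["perms"])
        if "name" in d:
            names_by_key[key].add(d["name"])
    return perms_by_key, names_by_key


def allow_rules(log_text):
    """Render one 'allow' rule per triple, as audit2allow would (simplified)."""
    perms_by_key, _ = summarize(log_text)
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def misplaced_file_hints(log_text):
    """Flag triples where every denial concerns a single object: that usually
    points at one file living in (or labelled for) the wrong place, which is
    cheaper and safer to move or relabel than to widen the policy for."""
    _, names_by_key = summarize(log_text)
    hints = {}
    for key, names in names_by_key.items():
        if len(names) == 1:
            (name,) = names
            hints[key] = (
                f"all denials for {key} concern the single object '{name}'; "
                "consider relocating or relabeling it before adding an allow rule"
            )
    return hints


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    for key, hint in misplaced_file_hints(SAMPLE_LOG).items():
        print("hint:", hint)
```

Run against the sample, the script prints exactly the rule quoted in the thread, followed by a hint that both denials concern `modsec_chroot.lock` alone, which is the signal that a relocated lock file (or a file context fix) would resolve the denials without granting Apache unlink/write on its log files.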