Thread: [mod-security-users] MLOGC - strange permission problem
From: Arthur D. <mis...@bl...> - 2010-04-04 12:08:11
Hello all,

A couple of months ago I started using the mod-security console on my
Fedora 11 machine. Installation went OK, I found that mlogc was already
installed - I just needed to configure it.

Everything has been going quite well and the console reports all alerts
as expected.

Today I decided to have a tidy-up. I had originally configured mlogc to
write to /var/log/mlogc/ (which is where it has been quietly working
ever since) but decided that it would be more logical to have it
reporting under /var/log/httpd/mlogc/.

I changed all the relevant references in /etc/mlogc.conf and restarted
apache (subsequently even tried rebooting) but now I get this error in
my modsec_debug.log:

[04/Apr/2010:12:53:34 +0100] [www.mydomain.com/sid#1734598][rid#b7661098][/secret.html][1] Audit log: Failed to create subdirectories: /var/log/httpd/mlogc/data/20100404/20100404-1253 (Permission denied)

As far as I can tell the permissions are set identically in both the old
and the new directories:

# ll /var/log/mlogc/
total 612
drwxr-xr-x. 21 apache apache 4096 2010-04-04 11:34 data
-rw-r--r--. 1 root root 612313 2010-04-04 11:43 mlogc-error.log
-rw-r--r--. 1 root root 11 2010-04-04 11:43 mlogc-queue.log
-rw-r--r--. 1 root root 0 2010-04-04 11:43 mlogc-transaction.log

# ll /var/log/httpd/mlogc/
total 12
drwxr-xr-x. 2 apache apache 4096 2010-04-04 11:36 data
-rw-r--r--. 1 apache apache 3634 2010-04-04 12:53 mlogc-error.log
-rw-r--r--. 1 apache apache 11 2010-04-04 11:52 mlogc-queue.log
-rw-r--r--. 1 apache apache 0 2010-04-04 11:52 mlogc-transaction.log

So what gives?

Why does it work in /var/log/ but not in /var/log/httpd/ ?

Thanks in advance...

Mark
From: Christian B. <ch...@jw...> - 2010-04-04 17:01:17
Hi Arthur,
do you have SELinux enabled on your system? Judging by the wiki of the
fedoraproject, SELinux is enabled by default. Thus there might be an
additional permission-check being done by SELinux. Check /var/log/messages
or /var/log/audit.log for a record/hint indicating that the permission
was denied by SELinux.
Also, check the security context of /var/log/httpd/mlogc by using
ls -laZ /var/log/httpd/mlogc
This will result in something like:
[root@waf ~]# ls -laZ /opt/modsecurity/var/audit
drwxr-xr-x apache root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root apache system_u:object_r:usr_t ..
drwxr-x--- apache apache system_u:object_r:httpd_sys_content_t 20100227
See my previous response to Michele, who ran into a similar problem:
http://sourceforge.net/mailarchive/message.php?msg_name=B2679166-EFF2-49C3-A714-FB3C1DB408DD%40jwall.org
Of course, your problem may not be related to SELinux, but you should
check that.
Regards,
Chris
Am 04.04.2010 um 14:08 schrieb Arthur Dent:
> Hello all,
>
> A couple of months ago I started using the mod-security console on my
> Fedora 11 machine. Installation went OK, I found that mlogc was already
> installed - I just needed to configure it.
>
> Everything has been going quite well and the console reports all alerts
> as expected.
>
> Today I decided to have a tidy-up. I had originally configured mlogc to
> write to /var/log/mlogc/ (which is where it has been quietly working
> ever since) but decided that it would be more logical to have it
> reporting under /var/log/httpd/mlogc/.
>
> I changed all the relevant references in /etc/mlogc.conf and restarted
> apache (subsequently even tried rebooting) but now I get this error in
> my modsec_debug.log:
>
> [04/Apr/2010:12:53:34 +0100] [www.mydomain.com/sid#1734598][rid#b7661098][/secret.html][1] Audit log: Failed to create subdirectories: /var/log/httpd/mlogc/data/20100404/20100404-1253 (Permission denied)
>
> As far as I can tell the permissions are set identically in both the old
> and the new directories:
>
> # ll /var/log/mlogc/
> total 612
> drwxr-xr-x. 21 apache apache 4096 2010-04-04 11:34 data
> -rw-r--r--. 1 root root 612313 2010-04-04 11:43 mlogc-error.log
> -rw-r--r--. 1 root root 11 2010-04-04 11:43 mlogc-queue.log
> -rw-r--r--. 1 root root 0 2010-04-04 11:43 mlogc-transaction.log
>
> # ll /var/log/httpd/mlogc/
> total 12
> drwxr-xr-x. 2 apache apache 4096 2010-04-04 11:36 data
> -rw-r--r--. 1 apache apache 3634 2010-04-04 12:53 mlogc-error.log
> -rw-r--r--. 1 apache apache 11 2010-04-04 11:52 mlogc-queue.log
> -rw-r--r--. 1 apache apache 0 2010-04-04 11:52 mlogc-transaction.log
>
> So what gives?
>
> Why does it work in /var/log/ but not in /var/log/httpd/ ?
>
> Thanks in advance...
>
> Mark
>
From: Arthur D. <mis...@bl...> - 2010-04-04 18:05:21
On Sun, 2010-04-04 at 19:01 +0200, Christian Bockermann wrote:
> Hi Arthur,
>
> do you have SELinux enabled on your system? Judging by the wiki of the
> fedoraproject, SELinux is enabled by default. Thus there might be an
> additional permission-check being done by SELinux. Check /var/log/messages
> or /var/log/audit.log for a record/hint indicating that the permission
> was denied by SELinux.
>
> Also, check the security context of /var/log/httpd/mlogc by using
>
> ls -laZ /var/log/httpd/mlogc
>
> This will result in something like:
>
> [root@waf ~]# ls -laZ /opt/modsecurity/var/audit
> drwxr-xr-x apache root system_u:object_r:httpd_sys_content_t .
> drwxr-xr-x root apache system_u:object_r:usr_t ..
> drwxr-x--- apache apache system_u:object_r:httpd_sys_content_t 20100227
>
> See my previous response to Michele, who ran into a similar problem:
>
> http://sourceforge.net/mailarchive/message.php?msg_name=B2679166-EFF2-49C3-A714-FB3C1DB408DD%40jwall.org
>
> Of course, your problem may not be related to SELinux, but you should
> check that.
>
> Regards,
> Chris
>
> Am 04.04.2010 um 14:08 schrieb Arthur Dent:
> > Hello all,
> >
> > A couple of months ago I started using the mod-security console on my
> > Fedora 11 machine. Installation went OK, I found that mlogc was already
> > installed - I just needed to configure it.
> >
> > Everything has been going quite well and the console reports all alerts
> > as expected.
> >
> > Today I decided to have a tidy-up. I had originally configured mlogc to
> > write to /var/log/mlogc/ (which is where it has been quietly working
> > ever since) but decided that it would be more logical to have it
> > reporting under /var/log/httpd/mlogc/.
> >
> > I changed all the relevant references in /etc/mlogc.conf and restarted
> > apache (subsequently even tried rebooting) but now I get this error in
> > my modsec_debug.log:
> >
> > [04/Apr/2010:12:53:34 +0100] [www.mydomain.com/sid#1734598][rid#b7661098][/secret.html][1] Audit log: Failed to create subdirectories: /var/log/httpd/mlogc/data/20100404/20100404-1253 (Permission denied)
> >
> > As far as I can tell the permissions are set identically in both the old
> > and the new directories:
> >
> > # ll /var/log/mlogc/
> > total 612
> > drwxr-xr-x. 21 apache apache 4096 2010-04-04 11:34 data
> > -rw-r--r--. 1 root root 612313 2010-04-04 11:43 mlogc-error.log
> > -rw-r--r--. 1 root root 11 2010-04-04 11:43 mlogc-queue.log
> > -rw-r--r--. 1 root root 0 2010-04-04 11:43 mlogc-transaction.log
> >
> > # ll /var/log/httpd/mlogc/
> > total 12
> > drwxr-xr-x. 2 apache apache 4096 2010-04-04 11:36 data
> > -rw-r--r--. 1 apache apache 3634 2010-04-04 12:53 mlogc-error.log
> > -rw-r--r--. 1 apache apache 11 2010-04-04 11:52 mlogc-queue.log
> > -rw-r--r--. 1 apache apache 0 2010-04-04 11:52 mlogc-transaction.log
> >
> > So what gives?
> >
> > Why does it work in /var/log/ but not in /var/log/httpd/ ?

Hi Christian,

Thanks for this reply. I too had thought that selinux could be the
culprit, although I have it (at the moment) in permissive mode. I had
already tried changing the file context as you can see here:

ls -laZ /var/log/httpd/mlogc
drwxrwxr-x. apache apache system_u:object_r:httpd_log_t:s0 .
drwx------. root root system_u:object_r:httpd_log_t:s0 ..
drwxrwsr-x. apache apache system_u:object_r:httpd_log_t:s0 data
-rw-r--r--. apache apache system_u:object_r:httpd_log_t:s0 mlogc-error.log
-rw-r--r--. apache apache system_u:object_r:httpd_log_t:s0 mlogc-queue.log
-rw-r--r--. apache apache system_u:object_r:httpd_log_t:s0 mlogc-transaction.log

Note that the (working) directory has no such contexts:

ls -laZ /var/log/mlogc
drwxr-xr-x. apache apache unconfined_u:object_r:var_log_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 ..
drwxr-xr-x. apache apache unconfined_u:object_r:var_log_t:s0 data
-rw-r--r--. root root system_u:object_r:var_log_t:s0 mlogc-error.log
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 mlogc-queue.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0 mlogc-transaction.log

That gives selinux AVCs, but in permissive mode still works (I used
audit2allow to create a local policy to stop the AVCs, but left SEL in
permissive mode for the time being).

Having read your post to Michelle, I tried changing the context from
"httpd_log_t" to "httpd_sys_content_t" as you can see here:

# chcon -R -u system_u -r object_r -t httpd_sys_content_t /var/log/httpd/mlogc/
# ls -laZ /var/log/httpd/mlogc
drwxrwxr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 .
drwx------. root root system_u:object_r:httpd_log_t:s0 ..
drwxrwsr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 data
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 mlogc-error.log
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 mlogc-queue.log
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 mlogc-transaction.log

Unfortunately (after restarting HTTPD) this still made no difference...

[04/Apr/2010:18:45:40 +0100] [www.mydomain.com/sid#2459598][rid#388f980][/secret.html][1] Audit log: Failed to create subdirectories: /var/log/httpd/mlogc/data/20100404/20100404-1845 (Permission denied)

I am now stumped!...

Any other ideas?

With grateful thanks...

Mark
From: Christian B. <ch...@jw...> - 2010-04-05 06:44:46
Hi Arthur,
just a few things to try/assure:
1) Is /var/log/httpd/data empty? If it already contains the directory "20100404"
with wrong permission, then this might be a problem.
(I know, this is rather obvious, just trying to exclude all errors)
2) Did you check /var/log/messages and /var/log/audit.log for SELinux messages?
Just to make sure, SELinux is not the problem.
3) Try to disable SELinux completely, or at least for Apache and check again. If
this works, then we know at least it's SELinux which causes the problems and
we can investigate further.
4) If you su to apache, can you create the directory?
Before going deeper into SELinux, we need to make sure it is the root of your
errors :-)
Regards,
Chris
Am 04.04.2010 um 20:05 schrieb Arthur Dent:
> Hi Christian,
>
> Thanks for this reply. I too had thought that selinux could be the
> culprit, although I have it (at the moment) in permissive mode. I had
> already tried changing the file context as you can see here:
>
> ls -laZ /var/log/httpd/mlogc
> drwxrwxr-x. apache apache system_u:object_r:httpd_log_t:s0 .
> drwx------. root root system_u:object_r:httpd_log_t:s0 ..
> drwxrwsr-x. apache apache system_u:object_r:httpd_log_t:s0 data
> -rw-r--r--. apache apache system_u:object_r:httpd_log_t:s0 mlogc-error.log
> -rw-r--r--. apache apache system_u:object_r:httpd_log_t:s0 mlogc-queue.log
> -rw-r--r--. apache apache system_u:object_r:httpd_log_t:s0 mlogc-transaction.log
>
> Note that the (working) directory has no such contexts:
>
> ls -laZ /var/log/mlogc
> drwxr-xr-x. apache apache unconfined_u:object_r:var_log_t:s0 .
> drwxr-xr-x. root root system_u:object_r:var_log_t:s0 ..
> drwxr-xr-x. apache apache unconfined_u:object_r:var_log_t:s0 data
> -rw-r--r--. root root system_u:object_r:var_log_t:s0 mlogc-error.log
> -rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 mlogc-queue.log
> -rw-r--r--. root root system_u:object_r:var_log_t:s0 mlogc-transaction.log
>
> That gives selinux AVCs, but in permissive mode still works (I used
> audit2allow to create a local policy to stop the AVCs, but left SEL in
> permissive mode for the time being).
>
> Having read your post to Michelle, I tried changing the context from
> "httpd_log_t" to "httpd_sys_content_t" as you can see here:
>
> # chcon -R -u system_u -r object_r -t httpd_sys_content_t /var/log/httpd/mlogc/
> # ls -laZ /var/log/httpd/mlogc
> drwxrwxr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 .
> drwx------. root root system_u:object_r:httpd_log_t:s0 ..
> drwxrwsr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 data
> -rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 mlogc-error.log
> -rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 mlogc-queue.log
> -rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 mlogc-transaction.log
>
> Unfortunately (after restarting HTTPD) this still made no difference...
>
> [04/Apr/2010:18:45:40 +0100] [www.mydomain.com/sid#2459598][rid#388f980][/secret.html][1] Audit log: Failed to create subdirectories: /var/log/httpd/mlogc/data/20100404/20100404-1845 (Permission denied)
>
>
> I am now stumped!...
>
> Any other ideas?
>
> With grateful thanks...
>
> Mark
>
From: Arthur D. <mis...@bl...> - 2010-04-05 08:23:39
On Mon, 2010-04-05 at 08:44 +0200, Christian Bockermann wrote:
> Hi Arthur,
Hi Chris,
> just a few things to try/assure:
This was really helpful advice thank you...
> 1) Is /var/log/httpd/data empty? If it already contains the directory "20100404"
> with wrong permission, then this might be a problem.
> (I know, this is rather obvious, just trying to exclude all errors)
Yup, completely, frustratingly, maddeningly empty...
> 2) Did you check /var/log/messages and /var/log/audit.log for SELinux messages?
> Just to make sure, SELinux is not the problem.
Yes I did. There are some SEL messages (see below [1]) but none that
relate to this problem. I have a local policy in place too [2].
>
> 3) Try to disable SELinux completely, or at least for Apache and check again. If
> this works, then we know at least it's SELinux which causes the problems and
> we can investigate further.
Well SEL is in permissive mode at the moment. I have thought of trying
to disable it, but this is a server and I would have to reboot + relabel
afterwards. Might be worth trying, but at the moment it's a last
resort...
> 4) If you su to apache, can you create the directory?
This was a good idea - but I had already tried it. Unfortunately I get
the message "This account is currently not available." when I try to "su
- apache" from root. I guess this is because apache is not a user
account. Is there any other way of testing this? A script perhaps?
> Before going deeper into SELinux, we need to make sure it is the root of your
> errors :-)
Yes I'm still inclined to agree with you that it has something to do
with SEL, especially as it works in /var/log/ but not in /var/log/httpd/.
However, given that it does work in /var/log/ should I give up at this
point and leave it there?
Am I flogging a dead horse here?
Thanks very much for your help so far. Much appreciated...
Mark
p.s.
[1] The SEL AVCs I am still getting that I have not yet incorporated
into my local policy [2] are related to mlogc's access to the /var/run/
pub and pid files. Note that the access was allowed (permissive mode
remember).
I am still undecided as to whether to take the advice given about
relabelling or to add these to my policy. What do you think?
a)
SELinux is preventing the mlogc from using potentially mislabeled files /var/run/pcscd.pid (pcscd_var_run_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /var/run/pcscd.pid so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/run/pcscd.pid'.
b)
SELinux is preventing the mlogc from using potentially mislabeled files /var/run/pcscd.pid (pcscd_var_run_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /var/run/pcscd.pid so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/run/pcscd.pid'.
[2]
# cat /root/selinux/mymlogc.te
module mymlogc 11.1.1;
require {
type var_log_t;
type httpd_log_t;
type httpd_t;
class dir create;
class file { write rename unlink };
}
#============= httpd_t ==============
allow httpd_t httpd_log_t:file { write rename unlink };
allow httpd_t var_log_t:dir create;
allow httpd_t var_log_t:file write;
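Added example, not posted by anyone in this thread: a small sh/awk filter that reduces SELinux AVC records of the kind Christian suggests looking for in /var/log/audit.log to the "allow SOURCE TARGET:CLASS { perms };" lines that Arthur's mymlogc.te uses, so an operator can see which rules a local policy would need before choosing between adding them and relabelling the directory instead. The records in SAMPLE_AVCS are constructed for this example, not taken from Arthur's host.

```shell
# Added example (not from the thread). Turns AVC "denied" records into
# the allow rules a local policy module would need, one per
# (source type, target type, class), with all permissions merged.
# SAMPLE_AVCS below is constructed input, not real audit output.

SAMPLE_AVCS='type=AVC msg=audit(1270384414.100:101): avc:  denied  { create } for  pid=2201 comm="httpd" name="20100404" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1270384414.200:102): avc:  denied  { write } for  pid=2201 comm="httpd" name="mlogc-queue.log" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1270384414.300:103): avc:  denied  { rename unlink } for  pid=2201 comm="httpd" name="mlogc-queue.log" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1270384414.300:103): arch=40000003 syscall=38 success=yes exit=0'

# Read audit records on stdin; print sorted allow rules on stdout.
# Non-AVC records (SYSCALL, PATH, ...) are ignored.
avc_to_allow() {
    awk '
    function getf(name,    v) {      # value of "name=..." up to the next space
        v = $0; sub(".*" name, "", v); sub(/ .*/, "", v); return v
    }
    /avc: +denied +[{]/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        split(getf("scontext="), s, ":")   # user:role:type:level -> type is [3]
        split(getf("tcontext="), t, ":")
        key = s[3] " " t[3] ":" getf("tclass=")
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!seen[key, p[i]]++) rule[key] = rule[key] " " p[i]
    }
    END { for (k in rule) printf "allow %s {%s };\n", k, rule[k] }
    ' | sort
}

# Run the constructed sample through the filter.
summarize_sample() {
    printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
}

summarize_sample
```

Whether a rule belongs in the policy or the directory should carry a different label instead is still the operator's decision; the filter only makes the list of candidates explicit.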
From: Brian R. <Bri...@br...> - 2010-04-05 17:19:11
Arthur Dent wrote:
> On Mon, 2010-04-05 at 08:44 +0200, Christian Bockermann wrote:
>> Hi Arthur,
>
> Hi Chris,
>
>> just a few things to try/assure:
>
> This was really helpful advice thank you...
>
>> 1) Is /var/log/httpd/data empty? If it already contains the directory "20100404"
>> with wrong permission, then this might be a problem.
>> (I know, this is rather obvious, just trying to exclude all errors)
>
> Yup, completely, frustratingly, maddeningly empty...
>
>> 2) Did you check /var/log/messages and /var/log/audit.log for SELinux messages?
>> Just to make sure, SELinux is not the problem.
>
> Yes I did. There are some SEL messages (see below [1]) but none that
> relate to this problem. I have a local policy in place too [2].
>
>> 3) Try to disable SELinux completely, or at least for Apache and check again. If
>> this works, then we know at least it's SELinux which causes the problems and
>> we can investigate further.
>
> Well SEL is in permissive mode at the moment. I have thought of trying
> to disable it, but this is a server and I would have to reboot + relabel
> afterwards. Might be worth trying, but at the moment it's a last
> resort...
>
>> 4) If you su to apache, can you create the directory?
>
> This was a good idea - but I had already tried it. Unfortunately I get
> the message "This account is currently not available." when I try to "su
> - apache" from root. I guess this is because apache is not a user
> account. Is there any other way of testing this? A script perhaps?
su -s /bin/sh apache -c "mkdir -p /var/log/httpd/mlogc/data/20100405/20100405-0000"
or
sudo -u apache mkdir -p /var/log/httpd/mlogc/data/20100405/20100405-0000
Then make sure you can also create a file:
touch /var/log/httpd/mlogc/data/20100405/20100405-0000/20100405-0000-S3SB8X8AAQEAAAOkHIAAAAAC
Note also that ModSecurity (the apache user) needs list (read) access to
all the directories up to the data dir as it checks to see if each node
in the dir path exists and/or needs to be created. This often gets people
that have /var/log/httpd set to 0750 or similar, but may also require
extra SEL config (I don't know much about SEL configs).
-B
>
>
>> Before going deeper into SELinux, we need to make sure it is the root of your
>> errors :-)
>
> Yes I'm still inclined to agree with you that it has something to do
> with SEL, especially as it works in /var/log/ but not in /var/log/httpd/.
>
> However, given that it does work in /var/log/ should I give up at this
> point and leave it there?
>
> Am I flogging a dead horse here?
>
> Thanks very much for your help so far. Much appreciated...
>
> Mark
>
> p.s.
>
> [1] The SEL AVCs I am still getting that I have not yet incorporated
> into my local policy [2] are related to mlogc's access to the /var/run/
> pub and pid files. Note that the access was allowed (permissive mode
> remember).
>
> I am still undecided as to whether to take the advice given about
> relabelling or to add these to my policy. What do you think?
>
> a)
> SELinux is preventing the mlogc from using potentially mislabeled files /var/run/pcscd.pid (pcscd_var_run_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
>
> SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
>
> Allowing Access:
>
> If you want to change the file context of /var/run/pcscd.pid so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/run/pcscd.pid'.
>
> b)
> SELinux is preventing the mlogc from using potentially mislabeled files /var/run/pcscd.pid (pcscd_var_run_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
>
> SELinux has denied the mlogc access to potentially mislabeled files /var/run/pcscd.pid. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
>
> Allowing Access:
>
> If you want to change the file context of /var/run/pcscd.pid so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/run/pcscd.pid'.
>
>
> [2]
> # cat /root/selinux/mymlogc.te
> module mymlogc 11.1.1;
>
> require {
> type var_log_t;
> type httpd_log_t;
> type httpd_t;
> class dir create;
> class file { write rename unlink };
> }
>
> #============= httpd_t ==============
> allow httpd_t httpd_log_t:file { write rename unlink };
> allow httpd_t var_log_t:dir create;
> allow httpd_t var_log_t:file write;
>
--
Brian Rectanus
Breach Security
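Added example, not from Brian or anyone else in the thread: a POSIX sh script that performs the check Brian describes. It walks every directory from / down to the mlogc data directory, shows the mode, owner, group and SELinux context of each, and flags the ancestors that a user who is neither owner nor group member (apache, when /var/log/httpd is root-owned and 0750) could not search. The target path is an assumption; the script needs neither root nor the apache account.

```shell
# Added example (not from the thread). Reports every directory on the way
# to the mlogc data dir and flags those without a search (x) bit for
# "other". The path below is an assumption taken from the thread.

# Print / and every ancestor of $1 down to $1 itself, one per line.
path_components() {
    acc=""
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing on path segments
    printf '/\n'
    for seg in $1; do
        [ -n "$seg" ] || continue
        acc="$acc/$seg"
        printf '%s\n' "$acc"
    done
    set +f
    IFS=$old_ifs
}

# "x" if a symbolic mode string grants execute (search) to other, else "-".
# The 10th character is x or t when the bit is set (t = sticky + exec).
other_exec() {
    case "$1" in
        ?????????[xt]*) echo x ;;
        *)              echo - ;;
    esac
}

# One line per component: mode owner group context path [BLOCKED ...]
# A missing component is reported, not treated as an error, because mlogc
# is expected to create the date directories itself.
report_search_path() {
    path_components "$1" | while IFS= read -r d; do
        if [ ! -d "$d" ]; then
            printf 'MISSING %s\n' "$d"
            continue
        fi
        info=$(stat -c '%A %U %G' "$d")
        ctx=$(stat -c '%C' "$d" 2>/dev/null || echo '?')   # "?" without SELinux
        mode=${info%% *}
        flag=""
        [ "$(other_exec "$mode")" = x ] || flag=" BLOCKED (no search bit for other)"
        printf '%s %s %s%s\n' "$info" "$ctx" "$d" "$flag"
    done
}

# Number of existing ancestors of $1 that deny search to "other".
count_blocked() {
    report_search_path "$1" | grep -c BLOCKED || true
}

# Path from the thread; run this on the real host as any user.
report_search_path /var/log/httpd/mlogc/data
```

A BLOCKED line on a root-owned ancestor is the 0750 case Brian mentions; whether to open the mode, add apache to the group, or fix the label is then a deliberate choice rather than a guess.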