
Mod_Security & SELinux Error

Amin Taheri

Golden Pleskian
Plesk Certified Professional
Hey everyone,

Could use some advice on this one.

I've been seeing things like this in the error logs for some domains. This one happens with a PHP page as well as an image/gif for the same URI / vHost.

Code:
[Fri Aug 03 09:49:05 2007] [error] [client 63.229.62.13] ModSecurity: Failed to access DBM file "/tmp/resource": Permission denied [hostname "xxx.xxx.xxx"] [uri "/somefile.php"] [unique_id "VktVbgoHAlYAACiwdcoAAAAB"] 

[Fri Aug 03 09:47:59 2007] [error] [client 63.229.62.13] ModSecurity: Failed to access DBM file "/tmp/resource": Permission denied [hostname "xxx.xxx.xxx"] [uri "/images/pl-icon.gif"] [unique_id "Ul0PYwoHAlYAACi2fJwAAAAH"]

I've also seen things like this in the messages log (hundreds of times per day):
Code:
kernel: audit(1186383597.339:59647): avc:  denied  { read } for  pid=21851 comm="httpd" name="resource.dir" dev=dm-0 ino=14270486 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file

kernel: audit(1186413106.133:68435): avc:  denied  { read write } for  pid=5543 comm="httpd" name="resource.dir" dev=dm-0 ino=14270486 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file

Code:
$ls -laZ /tmp/resource*
-rw-r-----  apache   apache                                    /tmp/resource.dir
-rw-r-----  apache   apache   root:object_r:tmp_t              /tmp/resource.pag

$lsattr /tmp/resource*
------------- /tmp/resource.dir
------------- /tmp/resource.pag

$cat /etc/fstab | grep /tmp
dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

$cat /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

$/usr/sbin/getenforce
Enforcing

Now I'm not a mod sec or SELinux expert, so any guidance/advice would be appreciated.
 
Yeah, we made several system changes, including ditching that version of mod sec for a different one, upgrading Apache to a newer build (still in the 2.0 family), as well as several other system tweaks.

If you just want to modify SELinux, then you can do this to solve the problem.

Code:
echo "allow httpd_t file_t:file { read write };" >> /etc/selinux/targeted/src/policy/domains/program/apache.te
make -C /etc/selinux/targeted/src/policy reload
 
HostingGuy, thank you very much for the info, but what system are you using?
On my Fedora system I do not have this path:
Code:
# echo "allow httpd_t file_t:file { read write };" >> /etc/selinux/targeted/src/policy/domains/program/apache.te
bash: /etc/selinux/targeted/src/policy/domains/program/apache.te: No such file or directory
 
I was using RHEL/CentOS 4. Having that file requires that you have the selinux-policy-targeted-sources rpm installed.
 
For you, yes. For people using RHEL4 it's still relevant. If you happen to find the new packages, please post in case it would help others :)
 
The proposed solution is wrong and is almost equivalent to disabling SELinux.

The correct solution is:

chcon -R -t httpd_cache_t /var/cache/modsecurity

To make it persistent:

semanage fcontext -a -t httpd_cache_t "/var/cache/modsecurity(/.*)?"
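
Added example, not part of any post in this thread: a Python sketch that parses the AVC denials quoted in the first post, groups them, and flags targets of type file_t (the type reported for files that carry no SELinux label) as cases to fix by relabeling rather than by a new allow rule. The function names and the UNLABELED_TYPES set are assumptions of this example.

```python
import re

# Sample input: the two AVC denials quoted in the first post of this thread.
SAMPLE_LOG = """\
kernel: audit(1186383597.339:59647): avc:  denied  { read } for  pid=21851 comm="httpd" name="resource.dir" dev=dm-0 ino=14270486 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
kernel: audit(1186413106.133:68435): avc:  denied  { read write } for  pid=5543 comm="httpd" name="resource.dir" dev=dm-0 ino=14270486 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption of this example: these target types mean "object has no valid label".
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one 'avc: denied' line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "name": fields.get("name"),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }

def summarize(log_text):
    """Group denials by (source, target, class, name), merging the permissions."""
    groups = {}
    for d in filter(None, map(parse_avc, log_text.splitlines())):
        key = (d["source_type"], d["target_type"], d["tclass"], d["name"])
        g = groups.setdefault(key, {"perms": set(), "count": 0})
        g["perms"].update(d["perms"])
        g["count"] += 1
    return [
        {"source_type": k[0], "target_type": k[1], "tclass": k[2], "name": k[3],
         "perms": sorted(g["perms"]), "count": g["count"],
         "relabel_first": k[1] in UNLABELED_TYPES}
        for k, g in groups.items()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A row with relabel_first set means the denied object has no label of its own, so an allow rule written for it would cover every other unlabeled file as well.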
 