Hello Dominick,
I don't know if you remember all the painful details of the thread where you helped me solve my mlogc problems but, after running for a couple of weeks in enforcing mode I occasionally get these AVCs when my ModSecurity rule triggers a block which is reported in mlogc:
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1271810736.442:85299): avc: denied { read } for pid=30941 comm="mlogc" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file node=troodos.org.uk type=SYSCALL msg=audit(1271810736.442:85299): arch=40000003 syscall=5 success=no exit=-13 a0=ceeb6e a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=30941 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1271810736.446:85300): avc: denied { read } for pid=30941 comm="mlogc" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file node=troodos.org.uk type=SYSCALL msg=audit(1271810736.446:85300): arch=40000003 syscall=5 success=no exit=-13 a0=ceeb79 a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=30941 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1272206914.57:99302): avc: denied { read } for pid=2650 comm="mlogc" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file node=troodos.org.uk type=SYSCALL msg=audit(1272206914.57:99302): arch=40000003 syscall=5 success=no exit=-13 a0=24bb6e a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=2650 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1272206914.61:99303): avc: denied { read } for pid=2650 comm="mlogc" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file node=troodos.org.uk type=SYSCALL msg=audit(1272206914.61:99303): arch=40000003 syscall=5 success=no exit=-13 a0=24bb79 a1=80000 a2=0 a3=2000 items=0 ppid=32219 pid=2650 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null)
Audit2allow suggests:
require { type mlogc_t; type proc_t; class file read; }
#============= mlogc_t ============== allow mlogc_t proc_t:file read;
But when I try to add that to my mlogc.te it chokes during the build process...
I should point out that, as far as I can tell, everything still works despite the AVC denial...
Thanks yet again for your patient help!
Mark