Linux Archive


"James B. Byrne" 05-28-2012 03:13 PM

Another odd SELinux message
 
Does anyone recognize this sort of message or have any idea what might
cause it?

May 28 11:00:06 inet09 setroubleshoot: [avc.ERROR] Plugin Exception
catchall #012Traceback (most recent call last):#012 File
"/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
191, in analyze_avc#012 report = plugin.analyze(avc)#012 File
"/usr/share/setroubleshoot/plugins/catchall.py", line 67, in
analyze#012 summary = self.summary + " on " + avc.tpath +
"."#012UnicodeDecodeError: 'utf8' codec can't decode byte 0x80 in
position 1: invalid start byte

SELinux is preventing /bin/ps from search access on the directory
D�. For complete SELinux messages. run sealert -l
b9c81815-0139-45f7-ae92-4f77dd21a6e7

sealert -l b9c81815-0139-45f7-ae92-4f77dd21a6e7
Entity: line 70: parser error : Input is not proper UTF-8, indicate
encoding !
Bytes: 0x80 0x3C 0x2F 0x74
<tpath>D�</tpath>
^
failed to connect to server: xmlParseDoc() failed

I am also seeing a lot of these sorts of messages on the same server:

May 28 10:49:26 inet09 setroubleshoot: SELinux is preventing /bin/ps
from getattr access on the directory /proc/<pid>. For complete SELinux
messages. run sealert -l 14393839-4be4-448f-9c29-34b7a5d53b9d
May 28 10:49:26 inet09 setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory 1169. For complete SELinux
messages. run sealert -l b2e0a936-a6fe-4551-b463-28b587d4daed

sealert -l b2e0a936-a6fe-4551-b463-28b587d4daed
SELinux is preventing /bin/ps from search access on the directory 1169.

***** Plugin catchall (100. confidence) suggests
***************************

If you believe that ps should be allowed search access on the 1169
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ps /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

This particular server is running several Ruby-on-Rails (RoR)
applications using Passenger (aka mod-rails). Passenger has a 'lot'
of SELinux issues so this host is more or less a quarantine site for
Rails apps. I am suspicious that Passenger is the cause because I see
these reports as well:

type=AVC msg=audit(1338217386.027:1839): avc: denied { read } for
pid=4612 comm="ps" name="stat" dev=proc ino=11982
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:restorecond_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module
to allow this access.

I wonder if Passenger is tracking system processes via ps to manage
its user apps.


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
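
Added example, not part of the original post and not setroubleshoot's own code: the traceback above shows the catchall plugin raising UnicodeDecodeError on a target path containing byte 0x80. This sketch reads AVC records as bytes, escapes undecodable bytes instead of raising, and tallies denials by command, source type and target type, so a pattern like ps running as httpd_sys_script_t stands out. Only the first sample record comes from the post; the others, and all function names, are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample. Record 1 is the AVC line quoted in the post; the rest are
# made up for illustration (init_t targets, and a name containing raw byte 0x80).
CTX = b'scontext=system_u:system_r:httpd_sys_script_t:s0 '
SAMPLE = [
    b'type=AVC msg=audit(1338217386.027:1839): avc: denied { read } for pid=4612 '
    b'comm="ps" name="stat" dev=proc ino=11982 ' + CTX +
    b'tcontext=system_u:system_r:restorecond_t:s0 tclass=file',
    b'type=AVC msg=audit(1338217386.030:1840): avc: denied { search } for pid=4612 '
    b'comm="ps" name="D\x80" dev=proc ino=1 ' + CTX +
    b'tcontext=system_u:system_r:init_t:s0 tclass=dir',
    b'type=AVC msg=audit(1338217386.031:1841): avc: denied { search } for pid=4612 '
    b'comm="ps" name="1169" dev=proc ino=2 ' + CTX +
    b'tcontext=system_u:system_r:init_t:s0 tclass=dir',
    b'type=SYSCALL msg=audit(1338217386.031:1841): arch=c000003e success=no',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(raw):
    """Parse one raw audit line (bytes); return a dict, or None if not an AVC denial."""
    # backslashreplace keeps invalid bytes visible (0x80 -> \x80) instead of raising.
    text = raw.decode("utf-8", errors="backslashreplace")
    m = AVC_RE.search(text)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def summarize(lines):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for raw in lines:
        rec = parse_avc(raw)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec.get("comm", "?"), selinux_type(rec.get("scontext", "?")),
                    selinux_type(rec.get("tcontext", "?")), rec.get("tclass", "?"), perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```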

