Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


Old 09-13-2012, 08:06 PM
 
SELinux is preventing /bin/ps from search access

CentOS 6.3. *Just* updated, including most current selinux-policy and
selinux-policy-targeted. I'm getting tons of these, as in it's just
spitting them out when I tail -f /var/log/messages:
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory @2. For complete SELinux messages. run
sealert -l d92ec78b-3897-4760-93c5-343a662fec67
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
from getattr access on the directory /proc/<pid>. For complete SELinux
messages. run sealert -l a9c9bf7d-d646-4c29-9fe6-ac61b6806f52
Sep 13 15:20:52 <server> setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory 4417. For complete SELinux messages.
run sealert -l b321ab2d-0277-45c9-bc86-545f9ff6ff91

You can see how many of them there are from the timestamps.

Googling, I've seen other folks complain months ago, but no answers.
Anyone have a clue? (And yes, I've posted this to the selinux list, also.
I'm getting deluged in the logs, and would very, very much like to solve
this today.)

If selinux wasn't in permissive mode, something(s) would be dead.

mark


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-14-2012, 05:31 PM
"James B. Byrne"
 
SELinux is preventing /bin/ps from search access

On Thu, September 13, 2012 16:06, m.roth@5-cent.us wrote:
> CentOS 6.3. *Just* updated, including most current selinux-policy and
> selinux-policy-targeted. I'm getting tons of these, as in it's just
> spitting them out when I tail -f /var/log/messages:
> Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
> from search access on the directory @2. For complete SELinux messages.
> run
> sealert -l d92ec78b-3897-4760-93c5-343a662fec67
> Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
> from getattr access on the directory /proc/<pid>. For complete SELinux
> messages. run sealert -l a9c9bf7d-d646-4c29-9fe6-ac61b6806f52
> Sep 13 15:20:52 <server> setroubleshoot: SELinux is preventing /bin/ps
> from search access on the directory 4417. For complete SELinux
> messages.
> run sealert -l b321ab2d-0277-45c9-bc86-545f9ff6ff91
>
> You can see how many of them there are from the timestamps.
>
> Googling, I've seen other folks complain months ago, but no answers.
> Anyone have a clue? (And yes, I've posted this to the selinux list,
> also.
> I'm getting deluged in the logs, and would very, very much like to
> solve
> this today.)
>
> If selinux wasn't in permissive mode, something(s) would be dead.
>
> mark
>

Are you running httpd with mod_rails (rails passenger) per chance?


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

 
Old 09-14-2012, 06:24 PM
 
SELinux is preventing /bin/ps from search access

James B. Byrne wrote:
>
> On Thu, September 13, 2012 16:06, m.roth@5-cent.us wrote:
>> CentOS 6.3. *Just* updated, including most current selinux-policy and
>> selinux-policy-targeted. I'm getting tons of these, as in it's just
>> spitting them out when I tail -f /var/log/messages:
>> Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
>> from search access on the directory @2. For complete SELinux messages.
>> run
>> sealert -l d92ec78b-3897-4760-93c5-343a662fec67
<snip>
> Are you running httpd with mod_rails (rails passenger) per chance?

Dan Walsh asked me *exactly* the same question. Yep, they've got ruby
apps. As soon as he said that, I googled, and found I needed to set two
booleans, and create a policy - that's a *ton* of allows - for passenger.
Installed it. It finally shut up....

Thanks!

mark, underwhelmed w/ the need for ruby....

 
Old 09-15-2012, 10:04 AM
Daniel J Walsh
 
SELinux is preventing /bin/ps from search access

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/14/2012 02:24 PM, m.roth@5-cent.us wrote:
> James B. Byrne wrote:
>>
>> On Thu, September 13, 2012 16:06, m.roth@5-cent.us wrote:
>>> CentOS 6.3. *Just* updated, including most current selinux-policy and
>>> selinux-policy-targeted. I'm getting tons of these, as in it's just
>>> spitting them out when I tail -f /var/log/messages: Sep 13 15:20:51
>>> <server> setroubleshoot: SELinux is preventing /bin/ps from search
>>> access on the directory @2. For complete SELinux messages. run sealert
>>> -l d92ec78b-3897-4760-93c5-343a662fec67
> <snip>
>> Are you running httpd with mod_rails (rails passenger) per chance?
>
> Dan Walsh asked me *exactly* the same question. Yep, they've got ruby apps.
> As soon as he said that, I googled, and found I needed to set two booleans,
> and create a policy - that's a *ton* of allows - for passenger. Installed
> it. It finally shut up....
>
> Thanks!
>
> mark, underwhelmed w/ the need for ruby....
>
> _______________________________________________ CentOS mailing list
> CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
>


Only one rule required.

You can either add

domain_read_all_domains_state(httpd_t)
or
domain_dontaudit_read_all_domains_state(httpd_t)

We are putting fixes in for this in Fedora and soon into RHEL, for the
upcoming openshift policy which also uses passenger.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBUUqEACgkQrlYvE4MpobMh2ACfdS6MAaXaIH Xr61gpEMnQCKYo
MocAoKNVcLrZ+8Ial2fDgm1F5K6QAd/p
=pqMX
-----END PGP SIGNATURE-----
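
Added example, not part of the thread or of any poster's own policy: one way to package the single rule from the reply above as a local policy module. The module name `httpd_passenger_ps` is made up for illustration, and the script assumes the policy development Makefile is installed at `/usr/share/selinux/devel/Makefile`.

```shell
#!/bin/sh
# Local policy module carrying one of the two interface calls from the thread.
# MODULE is a hypothetical name chosen for this example.
MODULE=httpd_passenger_ps

# write_te MODE DIR: write DIR/$MODULE.te
#   allow     - httpd_t may read the /proc/<pid> state of every domain,
#               so ps run from the web server sees all processes.
#   dontaudit - access stays denied, only the AVC logging is silenced.
#               Narrower choice if the application works without it.
write_te() {
    mode=$1 dir=$2
    case $mode in
        allow)     iface=domain_read_all_domains_state ;;
        dontaudit) iface=domain_dontaudit_read_all_domains_state ;;
        *) echo "mode must be allow or dontaudit" >&2; return 1 ;;
    esac
    # Unquoted heredoc: $MODULE and $iface expand, \` yields the m4 open quote.
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0)

gen_require(\`
    type httpd_t;
')

$iface(httpd_t)
EOF
}

# build_and_load DIR: compile the .te into a .pp and install it (needs root).
build_and_load() {
    dir=$1
    ( cd "$dir" &&
      make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" &&
      semodule -i "$MODULE.pp" )
}

# Run as: sh passenger-ps.sh allow|dontaudit
if [ -n "${1:-}" ]; then
    write_te "$1" "$PWD" && build_and_load "$PWD"
fi
```

After loading, `semodule -l` should list the module, and `semodule -r httpd_passenger_ps` removes it again once the distribution policy carries the fix.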