02-18-2012, 01:37 PM
Dominick Grift

Allow PHP to list other users' processes

On Sat, 2012-02-18 at 14:51 +0100, Ole Jon Bjørkum wrote:
> Hi!
>
>
> I have a problem with SELinux not allowing PHP to list other users'
> processes with the "ps" command.
> If I disable SELinux with "setenforce 0" it works immediately.
>
>
> Is it possible to allow PHP to do this without disabling SELinux
> completely?

Yes, something like this would probably allow it:

# \` keeps the m4 opening quote literal inside the double-quoted string
mkdir mytest; cd mytest; echo "policy_module(mytest, 1.0.0)
gen_require(\` type httpd_t; attribute domain; ')
ps_process_pattern(httpd_t, domain)" > mytest.te;

make -f /usr/share/selinux/devel/Makefile mytest.pp

sudo semodule -i mytest.pp

Now httpd_t should be able to ps all domains.

>
> Thanks!
>
>
> Ole Jon
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


 
02-20-2012, 03:17 PM
Miroslav Grepl

Allow PHP to list other users' processes

On 02/18/2012 02:37 PM, Dominick Grift wrote:
> On Sat, 2012-02-18 at 14:51 +0100, Ole Jon Bjørkum wrote:
>> Hi!
>>
>>
>> I have a problem with SELinux not allowing PHP to list other users'
>> processes with the "ps" command.
>> If I disable SELinux with "setenforce 0" it works immediately.
>>
>>
>> Is it possible to allow PHP to do this without disabling SELinux
>> completely?
>
> Yes, something like this would probably allow it:
>
> mkdir mytest; cd mytest; echo "policy_module(mytest, 1.0.0)
> gen_require(\` type httpd_t; attribute domain; ')
> ps_process_pattern(httpd_t, domain)"> mytest.te;
>
> make -f /usr/share/selinux/devel/Makefile mytest.pp
>
> sudo semodule -i mytest.pp
>
> now httpd_t should be able to ps all domains.

Yes, you will need to use a local policy how Dominick wrote. This is
nothing what we do not want to allow it by default.

>> Thanks!
>>
>>
>> Ole Jon
 
02-20-2012, 03:45 PM
Daniel J Walsh

Allow PHP to list other users' processes

On 02/20/2012 11:17 AM, Miroslav Grepl wrote:
> On 02/18/2012 02:37 PM, Dominick Grift wrote:
>> On Sat, 2012-02-18 at 14:51 +0100, Ole Jon Bjørkum wrote:
>>> Hi!
>>>
>>>
>>> I have a problem with SELinux not allowing PHP to list other
>>> users' processes with the "ps" command. If I disable SELinux
>>> with "setenforce 0" it works immediately.
>>>
>>>
>>> Is it possible to allow PHP to do this without disabling
>>> SELinux completely?
>> Yes, something like this would probably allow it:
>>
>> mkdir mytest; cd mytest; echo "policy_module(mytest, 1.0.0)
>> gen_require(\` type httpd_t; attribute domain; ')
>> ps_process_pattern(httpd_t, domain)"> mytest.te;
>>
>> make -f /usr/share/selinux/devel/Makefile mytest.pp
>>
>> sudo semodule -i mytest.pp
>>
>> now httpd_t should be able to ps all domains.
>>
> Yes, you will need to use a local policy how Dominick wrote. This
> is nothing what we do not want to allow it by default.
>>> Thanks!
>>>
>>>
>>> Ole Jon

Just to beat the subject to death.

http://danwalsh.livejournal.com/51435.html

