09-13-2012 07:24 PM

SELinux is preventing /bin/ps from search access...
 
CentOS 6.3. *Just* updated, including most current selinux-policy and
selinux-policy-targeted. I'm getting tons of these, as in it's just
spitting them out when I tail -f /var/log/messages:
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory @2. For complete SELinux messages. run
sealert -l d92ec78b-3897-4760-93c5-343a662fec67
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
from getattr access on the directory /proc/<pid>. For complete SELinux
messages. run sealert -l a9c9bf7d-d646-4c29-9fe6-ac61b6806f52
Sep 13 15:20:52 <server> setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory 4417. For complete SELinux messages.
run sealert -l b321ab2d-0277-45c9-bc86-545f9ff6ff91

You can see how many of them there are from the timestamps.

Googling, I've seen other folks complain months ago, but no answers.
Anyone have a clue?

If selinux wasn't in permissive mode, something(s) would be dead.

mark


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Daniel J Walsh 09-13-2012 08:41 PM

On 09/13/2012 03:24 PM, m.roth@5-cent.us wrote:
> CentOS 6.3. *Just* updated, including most current selinux-policy and
> selinux-policy-targeted. I'm getting tons of these, as in it's just
> spitting them out when I tail -f /var/log/messages: Sep 13 15:20:51
> <server> setroubleshoot: SELinux is preventing /bin/ps from search access
> on the directory @2. For complete SELinux messages. run sealert -l
> d92ec78b-3897-4760-93c5-343a662fec67 Sep 13 15:20:51 <server>
> setroubleshoot: SELinux is preventing /bin/ps from getattr access on the
> directory /proc/<pid>. For complete SELinux messages. run sealert -l
> a9c9bf7d-d646-4c29-9fe6-ac61b6806f52 Sep 13 15:20:52 <server>
> setroubleshoot: SELinux is preventing /bin/ps from search access on the
> directory 4417. For complete SELinux messages. run sealert -l
> b321ab2d-0277-45c9-bc86-545f9ff6ff91
>
> You can see how many of them there are from the timestamps.
>
> Googling, I've seen other folks complain months ago, but no answers. Anyone
> have a clue?
>
> If selinux wasn't in permissive mode, something(s) would be dead.
>
> mark
>
What are the AVCs you are seeing? What domain is running the ps command?


09-13-2012 09:09 PM

Daniel J Walsh wrote:
> On 09/13/2012 04:44 PM, m.roth@5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 09/13/2012 03:24 PM, m.roth@5-cent.us wrote:
>>>> CentOS 6.3. *Just* updated, including most current selinux-policy and
>>>> selinux-policy-targeted. I'm getting tons of these, as in it's just
>>>> spitting them out when I tail -f /var/log/messages: Sep 13 15:20:51
>>>> <server> setroubleshoot: SELinux is preventing /bin/ps from search
>>>> access on the directory @2. For complete SELinux messages. run sealert
>>>> -l d92ec78b-3897-4760-93c5-343a662fec67
>> <snip>
>>> What are the AVC's you are seeing. What domain is running ps command.
>>
>> I've turned down auditd to *try* to cut down some of the garbage in the
>> logs, but I still see things like: Sep 13 16:04:02 <server> kernel:
>> type=1400 audit(1347566642.053:96703): avc: denied { search } for
>> pid=9835 comm="ps" name="3647" dev=proc ino=20207
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir
>>
> You running passenger?

Let me guess: I just googled passenger and selinux, and I see a number of
hits to
grep httpd /var/log/audit/audit.log | audit2allow -M passenger
then
semodule -i passenger.pp

Looking in the .te, there's a *lot* of allows....

mark


"Jason L Tibbitts III" 09-14-2012 01:48 AM

>>>>> "DJW" == Daniel J Walsh <dwalsh@redhat.com> writes:

DJW> What are the AVC's you are seeing. What domain is running ps
DJW> command.

I have one system with a cgi-type thing that calls ps and you basically
have to allow, well, nearly everything. Since the files in /proc get
labeled with the domain of the process, and ps needs to trawl through
all of those, whatever runs ps needs to get all sorts of directory and
file read access to any domain that might be running on the system.

- J<
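
Added example, not part of the original thread: a Python script that groups /proc denials by source and target domain, which makes the fan-out described above visible and shows what a blanket audit2allow module would end up allowing. Only the first sample record comes from the thread (unwrapped); the other records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the thread, unwrapped. The rest are
# constructed for illustration (pids, inode numbers and target domains invented).
SAMPLE_LOG = '''\
Sep 13 16:04:02 server kernel: type=1400 audit(1347566642.053:96703): avc:  denied  { search } for  pid=9835 comm="ps" name="3647" dev=proc ino=20207 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir
Sep 13 16:04:02 server kernel: type=1400 audit(1347566642.054:96704): avc:  denied  { getattr } for  pid=9835 comm="ps" path="/proc/3647" dev=proc ino=20207 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir
Sep 13 16:04:02 server kernel: type=1400 audit(1347566642.055:96705): avc:  denied  { search } for  pid=9835 comm="ps" name="1201" dev=proc ino=18011 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=dir
Sep 13 16:04:02 server kernel: type=1400 audit(1347566642.056:96706): avc:  denied  { read } for  pid=9835 comm="ps" name="stat" dev=proc ino=18044 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=file
Sep 13 16:04:03 server kernel: type=1400 audit(1347566643.001:96707): avc:  denied  { write } for  pid=9840 comm="httpd" name="cache" dev=dm-0 ino=5512 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    return rec

def domain(context):
    """The type field of user:role:type:level."""
    return context.split(':')[2]

def proc_fanout(log):
    """Map (source domain, comm) -> {target domain: set of 'class:perm'} for /proc denials."""
    out = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get('dev') != 'proc':
            continue
        key = (domain(rec['scontext']), rec['comm'])
        for perm in rec['perms']:
            out[key][domain(rec['tcontext'])].add(f"{rec['tclass']}:{perm}")
    return out

if __name__ == '__main__':
    for (src, comm), targets in proc_fanout(SAMPLE_LOG).items():
        print(f'{comm} running as {src}: {len(targets)} target domains')
        for tgt, perms in sorted(targets.items()):
            print(f'  {tgt}: {", ".join(sorted(perms))}')
```

Each target domain in the output corresponds to a separate set of allow rules in an audit2allow-generated module, so the count is a quick measure of how much access such a module would hand to the source domain.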

