09-13-2012, 07:24 PM

SELinux is preventing /bin/ps from search access...

CentOS 6.3. *Just* updated, including most current selinux-policy and
selinux-policy-targeted. I'm getting tons of these, as in it's just
spitting them out when I tail -f /var/log/messages:
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory @2. For complete SELinux messages. run
sealert -l d92ec78b-3897-4760-93c5-343a662fec67
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps
from getattr access on the directory /proc/<pid>. For complete SELinux
messages. run sealert -l a9c9bf7d-d646-4c29-9fe6-ac61b6806f52
Sep 13 15:20:52 <server> setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory 4417. For complete SELinux messages.
run sealert -l b321ab2d-0277-45c9-bc86-545f9ff6ff91

You can see how many of them there are from the timestamps.

Googling, I've seen other folks complain months ago, but no answers.
Anyone have a clue?

If selinux wasn't in permissive mode, something(s) would be dead.

mark


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-13-2012, 08:41 PM
Daniel J Walsh

On 09/13/2012 03:24 PM, m.roth@5-cent.us wrote:
> CentOS 6.3. *Just* updated, including most current selinux-policy and
> selinux-policy-targeted. I'm getting tons of these, as in it's just
> spitting them out when I tail -f /var/log/messages: Sep 13 15:20:51
> <server> setroubleshoot: SELinux is preventing /bin/ps from search access
> on the directory @2. For complete SELinux messages. run sealert -l
> d92ec78b-3897-4760-93c5-343a662fec67 Sep 13 15:20:51 <server>
> setroubleshoot: SELinux is preventing /bin/ps from getattr access on the
> directory /proc/<pid>. For complete SELinux messages. run sealert -l
> a9c9bf7d-d646-4c29-9fe6-ac61b6806f52 Sep 13 15:20:52 <server>
> setroubleshoot: SELinux is preventing /bin/ps from search access on the
> directory 4417. For complete SELinux messages. run sealert -l
> b321ab2d-0277-45c9-bc86-545f9ff6ff91
>
> You can see how many of them there are from the timestamps.
>
> Googling, I've seen other folks complain months ago, but no answers. Anyone
> have a clue?
>
> If selinux wasn't in permissive mode, something(s) would be dead.
>
> mark
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
What are the AVCs you are seeing? What domain is running the ps command?

 
09-13-2012, 09:09 PM

Daniel J Walsh wrote:
> On 09/13/2012 04:44 PM, m.roth@5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 09/13/2012 03:24 PM, m.roth@5-cent.us wrote:
>>>> CentOS 6.3. *Just* updated, including most current selinux-policy and
>>>> selinux-policy-targeted. I'm getting tons of these, as in it's just
>>>> spitting them out when I tail -f /var/log/messages: Sep 13 15:20:51
>>>> <server> setroubleshoot: SELinux is preventing /bin/ps from search
>>>> access on the directory @2. For complete SELinux messages. run sealert
>>>> -l d92ec78b-3897-4760-93c5-343a662fec67
>> <snip>
>>> What are the AVC's you are seeing. What domain is running ps command.
>>
>> I've turned down auditd to *try* to cut down some of the garbage in the
>> logs, but I still see things like: Sep 13 16:04:02 <server> kernel:
>> type=1400 audit(1347566642.053:96703): avc: denied { search } for
>> pid=9835 comm="ps" name="3647" dev=proc ino=20207
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir
>>
> You running passenger?

Let me guess: I just googled passenger and selinux, and I see a number of
hits to
    grep httpd /var/log/audit/audit.log | audit2allow -M passenger
then
    semodule -i passenger.pp

Looking in the .te, there's a *lot* of allows....

mark

 
09-14-2012, 01:48 AM
Jason L Tibbitts III

>>>>> "DJW" == Daniel J Walsh <dwalsh@redhat.com> writes:

DJW> What are the AVC's you are seeing. What domain is running ps
DJW> command.

I have one system with a cgi-type thing that calls ps and you basically
have to allow, well, nearly everything. Since the files in /proc get
labeled with the domain of the process, and ps needs to trawl through
all of those, whatever runs ps needs to get all sorts of directory and
file read access to any domain that might be running on the system.

- J<
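
The triage asked for in this thread (which AVCs, which domain is running ps) and the /proc fan-out described in the last reply, as an added example that is not part of the original thread: a Python script that parses kernel AVC denial lines and groups the dev=proc denials by source domain. The sample log is constructed (its first line is the denial quoted earlier in the thread, rejoined onto one line; the rest are made up), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted in the thread, rejoined onto
# one line; lines 2-3 are made-up AVC records, line 4 is unrelated log noise.
SAMPLE_LOG = '''\
Sep 13 16:04:02 server kernel: type=1400 audit(1347566642.053:96703): avc: denied { search } for pid=9835 comm="ps" name="3647" dev=proc ino=20207 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir
Sep 13 16:04:02 server kernel: type=1400 audit(1347566642.054:96704): avc: denied { getattr } for pid=9835 comm="ps" path="/proc/1201" dev=proc ino=20311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=dir
Sep 13 16:04:02 server kernel: type=1400 audit(1347566642.055:96705): avc: denied { search getattr } for pid=9835 comm="ps" name="1" dev=proc ino=20400 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
Sep 13 16:04:03 server sshd[1201]: Accepted publickey for mark (not an AVC record)
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def sel_type(context):
    # Context is user:role:type[:level]; the MLS level may itself contain ':'.
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in kv or "tcontext" not in kv:
        return None
    return {"perms": m.group("perms").split(), "comm": kv.get("comm", "?"),
            "dev": kv.get("dev", "?"), "tclass": kv.get("tclass", "?"),
            "source": sel_type(kv["scontext"]), "target": sel_type(kv["tcontext"])}

def proc_fanout(log_text):
    """(source domain, comm) -> {target domain: ['class:perm', ...]} on dev=proc."""
    fan = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["dev"] == "proc":
            for perm in d["perms"]:
                fan[(d["source"], d["comm"])][d["target"]].add(f'{d["tclass"]}:{perm}')
    return {k: {t: sorted(p) for t, p in v.items()} for k, v in fan.items()}

if __name__ == "__main__":
    for (src, comm), targets in proc_fanout(SAMPLE_LOG).items():
        print(f"{comm} running as {src} was denied on {len(targets)} domains:")
        for tgt, perms in sorted(targets.items()):
            print(f"  {tgt}: {', '.join(perms)}")
```

Run over the same denials that would be piped into audit2allow, the per-domain listing shows how many target domains a generated module would open to the source domain.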
 

All times are GMT.