Re: Big brother and httpd

> Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
> Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
> Jun 27 09:05:18 pocono last message repeated 2 times

runbb.sh is now run as an http script (because you changed its context).

As such, it is not allowed to write to the terminal (because web 
scripts shouldn't be writing to the terminal).

> Jun 27 09:05:18 pocono kernel: audit(1119877518.722:0): avc:  denied  { execute_no_trans } for  pid=7010 comm=nohup path=/home/bb/bbc1.9f-btf/bin/bbrun dev=dm-1 ino=6407895 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file

Here you have a script trying to execute something marked as content,
so it makes sense that it's denied.

> Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc:  denied  { read write } for  pid=7012 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
> Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc:  denied  { read write } for  pid=7012 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
> Jun 27 09:05:21 pocono last message repeated 2 times

More of the same...

> Jun 27 09:05:21 pocono kernel: audit(1119877521.716:0): avc:  denied  { execute_no_trans } for  pid=7064 comm=runbb.sh path=/home/bb/bb1.9f-btf/bin/bbd dev=dm-1 ino=6407874 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file

Same problem here.

> Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
> Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/2 dev=proc ino=131074 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
> Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/3 dev=proc ino=196610 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
> ...

Looks like it's trying to run ps, and gets denials because it's not
allowed to gain information about things running in unconfined_t. That
sounds legit to me - I don't see why it should be allowed.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
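A small triage script, added here as an example and not part of the thread or of any Fedora/SELinux tool, that parses the kernel AVC lines quoted above, splits each source/target context into its type component, and groups the denials by (source type, target type, object class) the same way the reply above reasons about them. The sample lines are the ones quoted in the thread; the "last message repeated" line is included to show it is skipped. The one-line explanations in explain() are heuristics that restate the reply's reasoning for these three patterns, not anything derived from the policy itself.

```python
import re
from collections import defaultdict

# Kernel AVC message format of the era shown in the thread (pre-auditd syslog lines):
#   audit(<ts>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Lines quoted in the thread above (ts 1119877518 = 2005-06-27), with the "> " stripped.
SAMPLE_LINES = [
    "Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file",
    "Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file",
    "Jun 27 09:05:18 pocono last message repeated 2 times",
    "Jun 27 09:05:18 pocono kernel: audit(1119877518.722:0): avc:  denied  { execute_no_trans } for  pid=7010 comm=nohup path=/home/bb/bbc1.9f-btf/bin/bbrun dev=dm-1 ino=6407895 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file",
    "Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc:  denied  { read write } for  pid=7012 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file",
    "Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc:  denied  { read write } for  pid=7012 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file",
    "Jun 27 09:05:21 pocono kernel: audit(1119877521.716:0): avc:  denied  { execute_no_trans } for  pid=7064 comm=runbb.sh path=/home/bb/bb1.9f-btf/bin/bbd dev=dm-1 ino=6407874 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file",
    "Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir",
    "Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/2 dev=proc ino=131074 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir",
    "Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/3 dev=proc ino=196610 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir",
]


def parse_avc(line):
    """Parse one syslog line; return a record dict, or None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {
        "ts": float(m.group("ts")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "fields": fields,
        "tclass": fields.get("tclass"),
    }
    # A context is user:role:type[:range]; the type is what the policy rules are written against.
    for side in ("scontext", "tcontext"):
        ctx = fields.get(side)
        if ctx:
            parts = ctx.split(":")
            rec[side + "_type"] = parts[2] if len(parts) >= 3 else ctx
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class); returns (groups, skipped_count)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set(), "targets": set()})
    skipped = 0
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            skipped += 1
            continue
        key = (rec.get("scontext_type"), rec.get("tcontext_type"), rec["tclass"])
        g = groups[key]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["fields"].get("comm"))
        g["targets"].add(rec["fields"].get("path") or rec["fields"].get("name"))
    return dict(groups), skipped


def explain(key, group):
    """Heuristic one-liners restating the reply's reasoning (assumption: not policy-derived)."""
    stype, ttype, tclass = key
    if tclass == "chr_file" and ttype == "devpts_t":
        return "%s touched a pseudo-terminal; web-script domains are not given tty access" % stype
    if "execute_no_trans" in group["perms"]:
        return "%s tried to execute a file labelled %s in its own domain; that type is content, not an executable" % (stype, ttype)
    if tclass == "dir" and "getattr" in group["perms"] and any(t and t.startswith("/proc/") for t in group["targets"]):
        return "%s stat'ed /proc entries of processes running in %s (process listing)" % (stype, ttype)
    return "no heuristic for this pattern"


if __name__ == "__main__":
    groups, skipped = summarize(SAMPLE_LINES)
    for key, g in groups.items():
        print("%d x %s -> %s (%s) { %s } comm=%s" % (
            g["count"], key[0], key[1], key[2], " ".join(sorted(g["perms"])), ",".join(sorted(filter(None, g["comms"])))))
        print("    " + explain(key, g))
    print("skipped %d non-AVC line(s)" % skipped)
```

Grouping by type triple rather than by raw line is what makes the picture readable: the ten quoted lines collapse to three distinct denials (terminal, execute of content-labelled files, /proc lookups of unconfined processes), which is exactly the shape a policy decision is made on.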
