On Sun, Dec 26, 2010 at 01:00:56PM -0700, Frank Licea wrote:
> I'm on a fresh install of Fedora 14 and using phusion passenger. I currently
> have SELinux in permissive mode.

I am not a passenger expert, but it looks from the denials that httpd_t (probably passenger or a passenger app?) is trying to read the state files in /proc for some unconfined_t process (which in this instance was probably pid 3279).

There are a few questions that I have:

1. Why is passenger running in the httpd_t domain? (I thought Fedora implemented a passenger domain for passenger to run in.)
2. Is passenger running some webapp that for some reason needs to read the state file in /proc of some process that runs in the unconfined_t domain?
3. Does this issue cause any loss of functionality in enforcing mode?
4. Are you sure passenger and/or the passenger webapp is configured correctly?

Again, I am not a Ruby user, but I am guessing it's some interpreter thingy? If that's the case, then I guess it could be the code it's interpreting that causes this? Maybe that code somehow depends on a user application or somehow interacts with a user application?

> When I checked my /var/log/audit/audit.log file I noticed three denial
> messages and I can't figure out why they are there. Has anyone encountered
> anything similar before?
>
> ==========================
> type=AVC msg=audit(1293393237.358:102): avc: denied { search } for
> pid=3451 comm="ps" name="3279" dev=proc ino=9320
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
>
> type=AVC msg=audit(1293393237.358:102): avc: denied { read } for pid=3451
> comm="ps" name="stat" dev=proc ino=9816
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
>
> type=AVC msg=audit(1293393237.358:102): avc: denied { open } for pid=3451
> comm="ps" name="stat" dev=proc ino=9816
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
> ==========================
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
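The reply above reasons about the three AVC records by hand: which source domain (httpd_t), which target domain (unconfined_t), which object classes and permissions, and what process (comm="ps") actually triggered them. The following is an added example, not code from the thread, from Fedora or from Passenger: a small Python parser that turns raw audit.log AVC lines into structured records, groups the denials the way a policy writer would, and renders the candidate allow rules. The three sample lines are the ones quoted in the thread, joined back onto single lines; the function names and the rule rendering are my own and only approximate the shape of what audit2allow prints.

```python
import re
from collections import defaultdict

# The three AVC denials quoted in the thread, re-joined onto one line each.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1293393237.358:102): avc: denied { search } for pid=3451 comm="ps" name="3279" dev=proc ino=9320 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1293393237.358:102): avc: denied { read } for pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1293393237.358:102): avc: denied { open } for pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
"""

# Header of an AVC record: timestamp:serial, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="ps") or bare (tclass=dir).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        **fields,
    }
    # A context is user:role:type[:mls-range]; the type is what TE rules are written against.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':', 3)
        rec[key + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def parse_audit_log(text):
    """Return all AVC records found in an audit.log excerpt, in order."""
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for r in records:
        if r['verdict'] != 'denied':
            continue
        summary[(r['scontext_type'], r['tcontext_type'], r['tclass'])].update(r['perms'])
    return dict(summary)


def candidate_allow_rules(summary):
    """Render the TE allow rules that would silence the summarized denials."""
    return sorted(
        'allow {} {}:{} {{ {} }};'.format(src, tgt, cls, ' '.join(sorted(perms)))
        for (src, tgt, cls), perms in summary.items()
    )


def distinct_events(records):
    """Audit serial numbers present; one serial == one kernel audit event."""
    return {r['serial'] for r in records}


def comms_in_domain(records, domain):
    """Which programs (comm=) were running in the given source domain."""
    return {r['comm'] for r in records if r['scontext_type'] == domain and 'comm' in r}


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print('events:', distinct_events(recs), 'programs in httpd_t:', comms_in_domain(recs, 'httpd_t'))
    for rule in candidate_allow_rules(summarize(recs)):
        print(rule)
```

Two things the grouped view makes obvious that the raw lines hide: all three denials carry the same serial (102), so they are one kernel audit event, a single open of /proc/3279/stat that needs search on the directory and read plus open on the file; and the program in httpd_t is ps, not a Rails process, which is exactly the question the reply raises. The rendered rules are what you would get if you simply allowed the access; they are shown so the cost of doing that (httpd_t reading the /proc state of any unconfined_t process) is visible before anyone loads a module.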