On 12/28/2010 08:34 PM, Frank Licea wrote:
> Daniel:
>
> I'm using Fedora 14.
>
> To answer Dominik's questions:
>
> 1) Why is passenger running in the httpd domain?
> I don't know. I've only followed the passenger installation instructions
> at http://mifo.sk/posts/passenger-selinux-for-fedora/ minus step 5 since
> Fedora 14 is supposed to have passenger policies installed? Should httpd be
> in a special passenger domain?

I think Fedora 14 has a special passenger policy installed, but it looks
like it's not working on your system (note: looks) since it seems to still
run in the httpd_t domain.

> 2) is passenger running some webapp that for some reason needs to read the
> state file in /proc of some process that runs in the unconfined_t domain?
> No I don't think so. At least I haven't written any code where I use
> anything in /proc.
> I suppose it is possible that a GEM library may be trying to.

Why would it? Can you reproduce this issue? Does it only happen if you
restart httpd manually? I guess it does..

> 3) does this issue cause any loss of functionality in enforcing mode
> I haven't checked yet. I will let you know soon.
>

See if it works when ignoring this.

> 4. are you sure passenger and/or the passenger webapp is configured
> correctly?
> I have as far as following the instructions in the blog post above. I
> wonder if there
> is any relabelling I have to do?

I think this issue happens when the httpd server gets restarted manually
(service httpd restart/stop/start etc.), not sure though.

Can you ls -alZ /path/to/passenger executable file?
It should be labelled type: passenger_exec_t

httpd should domain transition to the passenger_t domain when it runs
the passenger executable file (files with type passenger_exec_t).

It seems that doesn't happen, but even if it did, passenger still wouldn't
be able to read unconfined_t state files in /proc (not sure why it would
need to either).

>
> 2010/12/28 Daniel J Walsh <dwalsh@xxxxxxxxxx>
>
> On 12/26/2010 05:25 PM, Jorge Fábregas wrote:
>>>> On Sunday, December 26, 2010 05:25:22 pm Dominick Grift wrote:
>>>>> is trying to read the state files in /proc for some unconfined_t process
>>>>
>>>> Never thought of /proc. That explains why I found it weird to see a file
>>>> labeled as unconfined_t.
>>>>
>>>> Frank: disregard my previous suggestion >:)
>>>>
>>>> --
>>>> Jorge
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> What OS/Version are you seeing this in?
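
The two checks asked for in the reply above (the label on the passenger executable, and whether passenger left the httpd_t domain), as an added example that is not part of the original thread or of the Fedora policy. The function names, the sample `ls -Z` / `ps -eZ` lines and the process name in them are constructed for illustration; on a real host, pass in the output of `ls -alZ` on the passenger executable and of `ps -eZ`.

```shell
#!/bin/sh
# Constructed sample input (not taken from the thread).
SAMPLE_LS='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /path/to/passenger'
SAMPLE_PS='LABEL PID TTY TIME CMD
system_u:system_r:httpd_t:s0 2101 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 2107 ? 00:00:00 PassengerHelper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2250 pts/0 00:00:00 bash'

# Print the type field (user:role:TYPE[:level]) of the first SELinux
# context found on a line of `ls -Z` or `ps -eZ` output.
ctx_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:|$)/) {
                split($i, c, ":"); print c[3]; exit
            }
    }'
}

# Succeed only if the `ls -Z` line ($1) carries the expected file type ($2).
label_ok() {
    [ "$(ctx_type "$1")" = "$2" ]
}

# From `ps -eZ` text, print "pid domain command" for every process whose
# command name contains "passenger" but whose domain is not passenger_t,
# i.e. the transition out of the parent's domain did not happen.
untransitioned() {
    printf '%s\n' "$1" | awk 'tolower($NF) ~ /passenger/ {
        split($1, c, ":")
        if (c[3] != "passenger_t") print $2, c[3], $NF
    }'
}

if label_ok "$SAMPLE_LS" passenger_exec_t; then
    echo "executable label: passenger_exec_t"
else
    echo "executable label: $(ctx_type "$SAMPLE_LS") (expected passenger_exec_t)"
fi
echo "passenger processes outside passenger_t:"
untransitioned "$SAMPLE_PS"
```
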