Re: Denied for com='ps' name='stat' {open} {read} {search}

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/28/2010 08:34 PM, Frank Licea wrote:
> Daniel:
> 
> I'm using Fedora 14.
> 
> To answer Dominik's questions:
> 
> 1) Why is passenger running in the httpd domain?
>    I don't know. I've only followed the passenger installation instructions
> at http://mifo.sk/posts/passenger-selinux-for-fedora/ minus step 5 since
> Fedora 14 is supposed to have passenger policies installed? Should httpd be
> in a special passenger domain?

I think fedora 14 has a special passenger policy installed but it looks
like its not working on your system (note looks) since it seems to still
run in the httpd_t domain.

> 2) is passenger running some webapp that for some reason needs to read the
> state file in /proc  of some process that runs in the unconfined_t domain?
>   No I don't think so. At least I haven't written any code where I use
> anything in /proc.
>   I suppose it is possible that a GEM library may be trying to.

Why would it? can you reproduce this issue. Does it only happen if you
restart httpd manually? I guess it does..

> 3) does this issue cause any loss of functionality in enforcing mode
>     I haven't checked yet. I will let you know soon.
> 

See if it works when ignoring this.

> 4. are you sure passenger and/or the passenger webapp is configured
> correctly?
>     I have as far as following the instructions in the blog post above. I
> wonder if there
>     is any relabelling I have to do?

I think this issue happens when the httpd server gets restarted manually
(service httpd restart/stop/start etc) not sure though.

can you ls -alZ /path/to/passenger executable file?

It should be labelled type: passenger_exec_t

httpd should domain transition to the passenger_t domain when it runs
the passenger executable file (files with type passenger_exec_t)

seem that doesnt happen but even if it did, passenger still wouldnt be
able to read unconfined_t state files in /proc ( not sure why it would
need to either)


> 
> 2010/12/28 Daniel J Walsh <dwalsh@xxxxxxxxxx>
> 
> On 12/26/2010 05:25 PM, Jorge Fábregas wrote:
>>>> On Sunday, December 26, 2010 05:25:22 pm Dominick Grift wrote:
>>>>>  is trying to read the state files in /proc for some unconfined_t
> process
>>>>
>>>> Never thought of /proc.  That explains why I found it weird to see a file
>>>> labeled as unconfined_t.
>>>>
>>>> Frank: disregard my previous suggetion >:)
>>>>
>>>> --
>>>> Jorge
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> What OS/Version are you seeing this in?
- --
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
>>

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0aPkgACgkQMlxVo39jgT+v5gCgwwmqWVMwQ445sbLYqplAZKJP
HzgAmwVLqTActXtAO1QAL3OcPMYEmryl
=Dwxq
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux