On 02/18/2012 02:37 PM, Dominick Grift wrote:
On Sat, 2012-02-18 at 14:51 +0100, Ole Jon Bjørkum wrote:
Hi!
I have a problem with SELinux not allowing PHP to list other users'
processes with the "ps" command.
If I disable SELinux with "setenforce 0" it works immediately.
Is it possible to allow PHP to do this without disabling SELinux
completely?
Yes, something like this would probably allow it:
mkdir mytest; cd mytest
# A quoted heredoc keeps the shell from treating the m4 backtick as command substitution
cat > mytest.te <<'EOF'
policy_module(mytest, 1.0.0)
gen_require(` type httpd_t; attribute domain; ')
ps_process_pattern(httpd_t, domain)
EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
Now httpd_t should be able to ps all domains.
Yes, you will need to use a local policy as Dominick wrote. This is
something that we do not want to allow by default.
Thanks!
Ole Jon
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
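
Before loading a module that lets httpd_t ps every domain, it helps to see which target types, classes and permissions were actually denied. The following is an added example, not part of the original thread: the audit records are constructed, and the function names sample_log and summarize_denials are assumptions.

```shell
#!/bin/sh
# Constructed audit.log records for illustration; not taken from the thread.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1329573060.101:451): avc:  denied  { getattr } for  pid=2311 comm="ps" path="/proc/1" dev=proc ino=4026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1329573060.102:452): avc:  denied  { search } for  pid=2311 comm="ps" name="1" dev=proc ino=4026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1329573060.103:453): avc:  denied  { read open } for  pid=2311 comm="ps" name="stat" dev=proc ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1329573060.104:454): avc:  denied  { getattr } for  pid=2311 comm="ps" path="/proc/1" dev=proc ino=4026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1329573061.200:455): avc:  denied  { read } for  pid=988 comm="cupsd" name="stat" dev=proc ino=5120 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
type=SYSCALL msg=audit(1329573060.101:451): arch=c000003e syscall=4 success=no exit=-13 comm="ps" subj=system_u:system_r:httpd_t:s0
EOF
}

# Read audit records on stdin and print each distinct
# "target_type class permission" denied to the source domain given as $1.
summarize_denials() {
    awk -v src="$1" '
    $1 == "type=AVC" && $4 == "denied" {
        st = ""; tt = ""; cls = ""; np = 0
        for (i = 5; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission listed between the braces
                for (j = i + 1; j <= NF && $j != "}"; j++) perm[++np] = $j
            } else if ($i ~ /^scontext=/) {
                split($i, c, ":"); st = c[3]   # user:role:type:level
            } else if ($i ~ /^tcontext=/) {
                split($i, c, ":"); tt = c[3]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            }
        }
        if (st == src)
            for (k = 1; k <= np; k++) print tt, cls, perm[k]
    }' | LC_ALL=C sort -u
}

# Demonstration on the constructed sample
sample_log | summarize_denials httpd_t
```

On a real system the same function can be fed the audit log, for example summarize_denials httpd_t < /var/log/audit/audit.log.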