On 02/20/2012 11:17 AM, Miroslav Grepl wrote:
> On 02/18/2012 02:37 PM, Dominick Grift wrote:
>> On Sat, 2012-02-18 at 14:51 +0100, Ole Jon Bjørkum wrote:
>>> Hi!
>>>
>>> I have a problem with SELinux not allowing PHP to list other
>>> users' processes with the "ps" command. If I disable SELinux
>>> with "setenforce 0" it works immediately.
>>>
>>> Is it possible to allow PHP to do this without disabling
>>> SELinux completely?
>> Yes, something like this would probably allow it:
>>
>> mkdir mytest; cd mytest; cat > mytest.te <<'EOF'
>> policy_module(mytest, 1.0.0)
>> gen_require(` type httpd_t; attribute domain; ')
>> ps_process_pattern(httpd_t, domain)
>> EOF
>>
>> make -f /usr/share/selinux/devel/Makefile mytest.pp
>>
>> sudo semodule -i mytest.pp
>>
>> now httpd_t should be able to ps all domains.
>>
> Yes, you will need to use a local policy as Dominick wrote. This
> is nothing what we do not want to allow it by default.
>>> Thanks!
>>>
>>> Ole Jon
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Just to beat the subject to death.

http://danwalsh.livejournal.com/51435.html
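
To check that the denials being logged are the ones this local module addresses, the following added example (not part of the original thread) classifies httpd_t AVC denials against the permissions ps_process_pattern is assumed to grant. The sample audit records, the function names and the expansion of the macro are assumptions; compare the expansion with the support macros shipped with your policy.

```shell
#!/bin/sh
# Added example, not from the thread. The AVC records below are constructed.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1329560000.101:501): avc:  denied  { search } for  pid=2101 comm="ps" name="1" dev=proc ino=4100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1329560000.102:502): avc:  denied  { read open } for  pid=2101 comm="ps" name="stat" dev=proc ino=4200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
type=AVC msg=audit(1329560000.103:503): avc:  denied  { sys_ptrace } for  pid=2101 comm="ps" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1329560000.104:504): avc:  denied  { search } for  pid=2300 comm="mysqld" name="1" dev=proc ino=4100 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1329560000.105:505): avc:  denied  { search } for  pid=2102 comm="ps" name="1" dev=proc ino=4100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
EOF
}

# Reads audit records on stdin; prints one line per distinct httpd_t denial:
#   covered|not-covered  target_type  class  permission
classify_denials() {
    awk '
    BEGIN {
        # Assumption: ps_process_pattern expands to these class:permission
        # pairs; confirm against the installed policy support macros.
        s = "dir:getattr dir:search dir:open dir:read dir:lock dir:ioctl"
        s = s " file:getattr file:open file:read file:lock file:ioctl"
        s = s " lnk_file:getattr lnk_file:read process:getattr"
        n = split(s, g, " ")
        for (i = 1; i <= n; i++) granted[g[i]] = 1
    }
    /avc:/ && /denied/ {
        src = ""; tgt = ""; cls = ""
        a = index($0, "{"); b = index($0, "}")
        if (a == 0 || b <= a) next            # malformed record, skip
        perms = substr($0, a + 1, b - a - 1)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src != "httpd_t") next            # only the web server domain
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++) {
            key = cls ":" p[j]
            st = (key in granted) ? "covered" : "not-covered"
            print st, tgt, cls, p[j]
        }
    }' | LC_ALL=C sort -u
}

sample_avc | classify_denials
```

On a live system, feed it real records, for example `ausearch -m avc -ts recent | classify_denials`; anything reported as not-covered is outside what the module allows and deserves a separate look.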