/proc {getattr} failures
Russell Coker
russell at coker.com.au
Tue May 24 03:41:40 UTC 2005
On Monday 23 May 2005 11:42, "James Z. Li" <james.zheng.li at gmail.com> wrote:
> targeted policy on FC3
>
> /var/log/messages show lots of avcs:
> May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc: denied
> { getattr } for pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=user_u:system_r:unconfined_t tclass=dir
> ...
> May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc: denied
> { getattr } for pid=2733 exe=/bin/ps path=/proc/2660 dev=proc
> ino=174325762 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=root:system_r:unconfined_t tclass=dir
>
> 'audit2allow' generates this rule in local.te
> allow httpd_sys_script_t unconfined_t:dir { getattr };
CGI-BIN scripts have no need to know anything about init or to see it in ps
output.
The output of audit2allow does not need to be put directly into the policy,
you can also change the "allow" key word to "dontaudit" if it seems
appropriate. In this situation the program in question does not need such
access, should not be given such access, and a "dontaudit" rule will remove
the annoying log entries.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list