/proc {getattr} failures

Russell Coker russell at coker.com.au
Tue May 24 03:41:40 UTC 2005

On Monday 23 May 2005 11:42, "James Z. Li" <james.zheng.li at gmail.com> wrote:
> targeted policy on FC3
> /var/log/messages show lots of avcs:
> May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc:  denied
> { getattr } for  pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=user_u:system_r:unconfined_t tclass=dir
> ...
> May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc:  denied
> { getattr } for  pid=2733 exe=/bin/ps path=/proc/2660 dev=proc
> ino=174325762 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=root:system_r:unconfined_t tclass=dir
> 'audit2allow' generates this rule in local.te
> allow httpd_sys_script_t unconfined_t:dir { getattr };

CGI-BIN scripts have no need to know anything about init or to see it in ps 

The output of audit2allow does not need to be put directly into the policy, 
you can also change the "allow" key word to "dontaudit" if it seems 
appropriate.  In this situation the program in question does not need such 
access, should not be given such access, and a "dontaudit" rule will remove 
the annoying log entries.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

More information about the fedora-selinux-list mailing list