/proc {getattr} failures

Daniel J Walsh dwalsh at redhat.com
Tue May 24 15:54:35 UTC 2005


James Z. Li wrote:

>targeted policy on FC3
>
>/var/log/messages show lots of avcs:
>May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc:  denied 
>{ getattr } for  pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538
>scontext=user_u:system_r:httpd_sys_script_t
>tcontext=user_u:system_r:unconfined_t tclass=dir
>...
>May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc:  denied 
>{ getattr } for  pid=2733 exe=/bin/ps path=/proc/2660 dev=proc
>ino=174325762 scontext=user_u:system_r:httpd_sys_script_t
>tcontext=root:system_r:unconfined_t tclass=dir
>
>'audit2allow' generates this rule in local.te
>allow httpd_sys_script_t unconfined_t:dir { getattr };
>
>  
>
I guess the question is, what is this script attempting to do?  If you 
dontaudit this access, does it work?

I would advise creating a new script type using

apache_domain(mycgi)
allow httpd_mycgi_script_t unconfined_t:dir ...

Then change to contraint.te to allow httpd_mycgi_script_t.

>'make load' shows the assertion error message
>Assertion on line 17328 violated by allow httpd_sys_script_t
>unconfined_t:dir { getattr };
>make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>
>Then I learned that /proc, /selinux, and /sys do not have persistent
>labels. What should I do to solve this problem? Remove that assertion check?
>
>Btw, does anyone have a policy file for Gallery (gallery.sourceforge.net) with httpd?
>
>Thanks a lot!
>
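To answer the question raised in the reply (what the script is actually doing), it helps to group the denials by source type, target type and class, and to see which executable and paths triggered them. The following is an added example, not part of the original thread and not the audit2allow implementation; the function names are hypothetical and the sample log is constructed by re-joining the two wrapped denials quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = """\
May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc:  denied  { getattr } for  pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc:  denied  { getattr } for  pid=2733 exe=/bin/ps path=/proc/2660 dev=proc ino=174325762 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    fields["perms"] = m.group(1).split()
    # The SELinux type is the third colon-separated field of a context (user:role:type).
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def summarise(log_text):
    """Group denials by (source type, target type, class); collect perms, exes and paths."""
    groups = defaultdict(lambda: {"perms": set(), "exes": set(), "paths": set(), "count": 0})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"].update(d["perms"])
        g["exes"].add(d.get("exe", "?"))
        g["paths"].add(d.get("path", "?"))
        g["count"] += 1
    return dict(groups)

def candidate_rule(key, perms, keyword="dontaudit"):
    """Format a rule for human review; keyword is 'allow' or 'dontaudit'."""
    stype, ttype, tclass = key
    return "%s %s %s:%s { %s };" % (keyword, stype, ttype, tclass, " ".join(sorted(perms)))

if __name__ == "__main__":
    for key, g in summarise(SAMPLE_LOG).items():
        print("%d denials, exe=%s, paths=%s" % (g["count"], sorted(g["exes"]), sorted(g["paths"])))
        print("  " + candidate_rule(key, g["perms"], "allow"))
        print("  " + candidate_rule(key, g["perms"]))
```

On the quoted denials this shows a single group caused by /bin/ps reading attributes of /proc/<pid> directories owned by unconfined_t processes, which is the access the reply suggests testing with dontaudit before granting anything.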