/proc {getattr} failures

Daniel J Walsh dwalsh at redhat.com
Tue May 24 15:54:35 UTC 2005

James Z. Li wrote:

>targeted policy on FC3
>/var/log/messages show lots of avcs:
>May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc:  denied 
>{ getattr } for  pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538
>tcontext=user_u:system_r:unconfined_t tclass=dir
>May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc:  denied 
>{ getattr } for  pid=2733 exe=/bin/ps path=/proc/2660 dev=proc
>ino=174325762 scontext=user_u:system_r:httpd_sys_script_t
>tcontext=root:system_r:unconfined_t tclass=dir
>'audit2allow' generates this rule in local.te
>allow httpd_sys_script_t unconfined_t:dir { getattr };
I guess the question is, what is this script attemting to do?  If you 
dontaudit this access, does it work?

I would advise creating a new script type using

allow httpd_mycgi_script_t unconfined_t:dir ...

Then change to contraint.te to allow httpd_mycgi_script_t.

>'make load' shows the assertion error message
>Assertion on line 17328 violated by allow httpd_sys_script_t
>unconfined_t:dir { getattr };
>make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>Then I learned that /proc, /selinux, and /sys do not have persistent
>labels. What should
>I do to solve this problem? Remove that assertion check? 
>Btw, anyone has a policy file for Gallery (gallery.sourceforge.net) with httpd?
>Thanks a lot!
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com


More information about the fedora-selinux-list mailing list