/proc {getattr} failures

Russell Coker russell at coker.com.au
Wed May 25 05:32:34 UTC 2005

On Wednesday 25 May 2005 03:06, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 24 May 2005 10:47:12 EDT, Stephen Smalley said:
> > On Sun, 2005-05-22 at 21:53 -0400, Valdis.Kletnieks at vt.edu wrote:
> > > Am I the only one here who thinks that this is really something that
> > > can't be supported in the context of the 'targeted' policy, and would
> > > be much easier to do in 'strict'?
> >
> > It shouldn't be done at all, other than to dontaudit these attempts.  No
> > legitimate reason for a CGI script to be probing init's /proc/pid files.
> I've always been leery of using dontaudit to shut things up - it means that
> there's a possibility that we miss the early warning signs of an actual
> attack.

If you want to complain about dontaudit then look for file_type - 
secure_file_type as the thing you want to complain about.

> I wonder if the cgi script is just doing something like 'ps ax|grep
> mydaemon' to see if a daemon is running...

If the cgi script does "ps ax" as a regular operation then there's no way to 
determine the difference between that and "ps ax" for a hostile operation.

Some people don't have cgi scripts running ps.  We could have a boolean about 
this, but if so then the number of booleans would explode and become 

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

More information about the fedora-selinux-list mailing list