Selinux error help - continued
Stephen Smalley
sds at tycho.nsa.gov
Thu Feb 8 16:36:36 UTC 2007
On Thu, 2007-02-08 at 16:31 +0000, Dan Track wrote:
> On 2/8/07, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > On Thu, 2007-02-08 at 16:09 +0000, Dan Track wrote:
> > > I've tried to capture the process information that is triggiring these
> > > alerts but so far I'm failing. Basically the web page is just a form
> > > which you submit as soon as you press the submit button the whole
> > > process is over in a second.
> >
> > Well, you could just wrap the script under strace or autrace or
> > something similar.
> >
> > Question: What happens if you don't allow the getsession permission but
> > just fix up the file permissions by running chcon as I suggested? Does
> > the getsession denial actually prevent it from working?
> >
> > --
>
> Hi
>
> I just ran the chcon command you gave and now the web page script
> works fine. So it seems to have fixed the problem. But I'm still
> intrigued by your investigation, and I'd like to continue it.
>
> Since this is a httpd process how would I run strace on any child
> process that may appear?
You could wrap your current script with a script that invokes it with
strace -f -ff -o /tmp/webtrace <nameofrealscript>. Or, at a cost of
tracing the entire apache process and all descendants, you could do:
# /etc/init.d/httpd stop
# strace -f -ff -o webtrace /usr/sbin/httpd
Then you should see a webtrace.<pid> file for each process created by
httpd with the trace information. In which you can grep for a call to
getsid and see the pid that was passed to it (and possibly how it was
obtained in the first place, from the preceding calls).
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list