Selinux error help - continued

Stephen Smalley sds at
Thu Feb 8 16:36:36 UTC 2007

On Thu, 2007-02-08 at 16:31 +0000, Dan Track wrote:
> On 2/8/07, Stephen Smalley <sds at> wrote:
> > On Thu, 2007-02-08 at 16:09 +0000, Dan Track wrote:
> > > I've tried to capture the process information that is triggering these
> > > alerts but so far I'm failing. Basically the web page is just a form
> > > which you submit; as soon as you press the submit button the whole
> > > process is over in a second.
> >
> > Well, you could just wrap the script under strace or autrace or
> > something similar.
> >
> > Question:  What happens if you don't allow the getsession permission but
> > just fix up the file permissions by running chcon as I suggested?  Does
> > the getsession denial actually prevent it from working?
> >
> > --
> Hi
> I just ran the chcon command you gave and now the web page script
> works fine. So it seems to have fixed the problem. But I'm still
> intrigued by your investigation, and I'd like to continue it.
> Since this is a httpd process how would I run strace on any child
> process that may appear?

You could wrap your current script with a script that invokes it with
strace -f -ff -o /tmp/webtrace <nameofrealscript>. Or, at a cost of
tracing the entire apache process and all descendants, you could do:
# /etc/init.d/httpd stop
# strace -f -ff -o webtrace /usr/sbin/httpd

Then you should see a webtrace.<pid> file for each process created by
httpd with the trace information.  In those files you can grep for a call
to getsid and see the pid that was passed to it (and possibly how it was
obtained in the first place, from the preceding calls).

Stephen Smalley
National Security Agency
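
One way to do the grep described above across all the per-process trace files, as an added example that is not part of the original message. The function name find_getsid_calls is hypothetical, and the sample trace lines and pids are constructed, not taken from the system in this thread.

```python
import re
import tempfile
from pathlib import Path

# strace prints e.g. "getsid(2290) = 2290" or
# "getsid(2290) = -1 EACCES (Permission denied)".
GETSID_RE = re.compile(r"^getsid\((\d+)\)\s*=\s*(-?\d+)(?:\s+([A-Z]+))?")

def find_getsid_calls(trace_dir, prefix="webtrace", context=2):
    """Scan the <prefix>.<pid> files written by strace -ff -o <prefix>."""
    hits = []
    for path in sorted(Path(trace_dir).glob(prefix + ".*")):
        pid = path.name[len(prefix) + 1:]
        if not pid.isdigit():
            continue  # not a per-process trace file
        lines = path.read_text(errors="replace").splitlines()
        for i, line in enumerate(lines):
            m = GETSID_RE.match(line)
            if m:
                hits.append({
                    "caller_pid": int(pid),         # process that made the call
                    "target_pid": int(m.group(1)),  # pid passed to getsid
                    "result": int(m.group(2)),
                    "errno": m.group(3),            # None when the call succeeded
                    "preceding": lines[max(0, i - context):i],
                })
    return hits

# Constructed sample traces, not output from the system in the thread.
SAMPLE = {
    "webtrace.2290": "accept(3, 0xbfd1c0a0, [16]) = 9\n",
    "webtrace.2301": "getppid() = 2290\ngetsid(2290) = 2290\n",
    "webtrace.2302": "getppid() = 2290\n"
                     "getsid(2290) = -1 EACCES (Permission denied)\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE.items():
            Path(d, name).write_text(text)
        return find_getsid_calls(d)

if __name__ == "__main__":
    for h in demo():
        print(h["caller_pid"], "-> getsid(%d) =" % h["target_pid"],
              h["result"], h["errno"] or "", "| after:", h["preceding"])
```

The "preceding" field holds the calls just before each getsid, which is where to look for how the pid was obtained.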
