Selinux error help - continued

Dan Track dan.track at gmail.com
Thu Feb 8 17:11:45 UTC 2007


On 2/8/07, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Thu, 2007-02-08 at 16:31 +0000, Dan Track wrote:
> > On 2/8/07, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > > On Thu, 2007-02-08 at 16:09 +0000, Dan Track wrote:
> > > > I've tried to capture the process information that is triggering these
> > > > alerts but so far I'm failing. Basically the web page is just a form
> > > > which you submit; as soon as you press the submit button the whole
> > > > process is over in a second.
> > >
> > > Well, you could just wrap the script under strace or autrace or
> > > something similar.
> > >
> > > Question:  What happens if you don't allow the getsession permission but
> > > just fix up the file permissions by running chcon as I suggested?  Does
> > > the getsession denial actually prevent it from working?
> > >
> > > --
> >
> > Hi
> >
> > I just ran the chcon command you gave and now the web page script
> > works fine. So it seems to have fixed the problem. But I'm still
> > intrigued by your investigation, and I'd like to continue it.
> >
> > Since this is a httpd process how would I run strace on any child
> > process that may appear?
>
> You could wrap your current script with a script that invokes it with
> strace -f -ff -o /tmp/webtrace <nameofrealscript>. Or, at a cost of
> tracing the entire apache process and all descendants, you could do:
> # /etc/init.d/httpd stop
> # strace -f -ff -o webtrace /usr/sbin/httpd
>
> Then you should see a webtrace.<pid> file for each process created by
> httpd with the trace information.  In those files you can grep for a call to
> getsid and see the pid that was passed to it (and possibly how it was
> obtained in the first place, from the preceding calls).
>

Hi

Ok I just ran your strace and I got two files that contain the getsid
call. I'm not sure how to read where the pid is, so I'll paste a portion of
the file in case you can read it better than me.

The other strange thing is that I'm not getting any more selinux
notifications (SYSCALL) since issuing your chcon command. There are no
httpd violations. Should I back out the chcon to get the errors back?

webtrace.25428
lstat64("/opt/www/.beltanerc", {st_mode=S_IFREG|0600, st_size=751, ...}) = 0
open("/opt/www/.beltanerc", O_RDONLY) = 14
fstat64(14, {st_mode=S_IFREG|0600, st_size=751, ...}) = 0
lseek(14, 0, SEEK_CUR)                  = 0
lseek(14, 0, SEEK_SET)                  = 0
fstat64(14, {st_mode=S_IFREG|0600, st_size=751, ...}) = 0
mmap2(NULL, 751, PROT_READ, MAP_SHARED, 14, 0) = 0xb7bc1000
munmap(0xb7bc1000, 751)                           = 0
close(14)                           = 0
time(NULL) = 1170954121
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
access("/var/run/yule.pid", F_OK)       = 0
getcwd("/opt/www/beltane/php", 4096)    = 21
lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/run", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/run/yule.pid", {st_mode=S_IFREG|0644, st_size=6, ...}) = 0
open("/var/run/yule.pid", O_RDONLY)     = 14
fstat64(14, {st_mode=S_IFREG|0644, st_size=6, ...}) = 0
lseek(14, 0, SEEK_CUR) = 0
lseek(14, 0, SEEK_SET)                  = 0
fstat64(14, {st_mode=S_IFREG|0644, st_size=6, ...}) = 0
mmap2(NULL, 6, PROT_READ, MAP_SHARED, 14, 0) = 0xb7bc1000
munmap(0xb7bc1000, 6)                   = 0
close(14)                               = 0
getsid(26060)                           = 26059
munmap(0xb7b85000, 86016)               = 0
chdir("/")                              = 0
umask(022)                              = 022
pwrite64(13, "count|i:196;timestamp|i:11709541"..., 122, 0) = 122
close(13) = 0


webtrace.25429
lstat64("/opt/www/.beltanerc", {st_mode=S_IFREG|0600, st_size=751, ...}) = 0
open("/opt/www/.beltanerc", O_RDONLY)   = 14
fstat64(14, {st_mode=S_IFREG|0600, st_size=751, ...}) = 0
lseek(14, 0, SEEK_CUR)                  = 0
lseek(14, 0, SEEK_SET)                  = 0
fstat64(14, {st_mode=S_IFREG|0600, st_size=751, ...}) = 0
mmap2(NULL, 751, PROT_READ, MAP_SHARED, 14, 0) = 0xb7bc1000
munmap(0xb7bc1000, 751)                 = 0
close(14)                               = 0
time(NULL)                              = 1170954151
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1323, ...}) = 0
access("/var/run/yule.pid", F_OK)       = 0
getcwd("/opt/www/beltane/php", 4096)    = 21
lstat64("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/run", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/var/run/yule.pid", {st_mode=S_IFREG|0644, st_size=6, ...}) = 0
open("/var/run/yule.pid", O_RDONLY)     = 14
fstat64(14, {st_mode=S_IFREG|0644, st_size=6, ...}) = 0
lseek(14, 0, SEEK_CUR)                  = 0
lseek(14, 0, SEEK_SET)                  = 0
fstat64(14, {st_mode=S_IFREG|0644, st_size=6, ...}) = 0
mmap2(NULL, 6, PROT_READ, MAP_SHARED, 14, 0) = 0xb7bc1000
munmap(0xb7bc1000, 6)                   = 0
close(14)                               = 0
getsid(26060)                           = 26059
munmap(0xb7b85000, 86016)               = 0
chdir("/")                              = 0
umask(022)                              = 022
pwrite64(13, "count|i:202;timestamp|i:11709541"..., 122, 0) = 122
close(13)                               = 0


Many Thanks
Dan



