Denied for com='ps' name='stat' {open} {read} {search}

Frank Licea francisco.licea at gmail.com
Tue Dec 28 20:06:16 UTC 2010


I just realised that the server is using a Ruby Enterprise edition
installation, which means that the ruby installation was downloaded as a
.tar file and installed using an install script to the path
/opt/ruby-enterprise-1.8.7-2010.02/

Thus everything in my $RUBY_HOME/bin is labelled system_u:object_r:bin_t:s0

This includes $RUBY_HOME/bin/passenger. That explains why httpd is not
running in the passenger domain.

Should I attempt to relabel these files myself?

This still doesn't explain the /proc access.

I've attempted to look up the name of the process ID in the AVC denial
messages but that process doesn't seem to show up using a `ps -ef` or
looking for it in htop. It must be exiting quickly.


On Tue, Dec 28, 2010 at 12:45 PM, Dominick Grift <domg472 at gmail.com> wrote:

> On 12/28/2010 08:34 PM, Frank Licea wrote:
> > Daniel:
> >
> > I'm using Fedora 14.
> >
> > To answer Dominick's questions:
> >
> > 1) Why is passenger running in the httpd domain?
> >    I don't know. I've only followed the passenger installation instructions
> > at http://mifo.sk/posts/passenger-selinux-for-fedora/ minus step 5 since
> > Fedora 14 is supposed to have passenger policies installed? Should httpd
> > be in a special passenger domain?
>
> I think fedora 14 has a special passenger policy installed but it looks
> like it's not working on your system (note looks) since it seems to still
> run in the httpd_t domain.
>
> > 2) is passenger running some webapp that for some reason needs to read
> > the state file in /proc of some process that runs in the unconfined_t
> > domain?
> >   No I don't think so. At least I haven't written any code where I use
> > anything in /proc.
> >   I suppose it is possible that a GEM library may be trying to.
>
> Why would it? can you reproduce this issue. Does it only happen if you
> restart httpd manually? I guess it does..
>
> > 3) does this issue cause any loss of functionality in enforcing mode
> >     I haven't checked yet. I will let you know soon.
> >
>
> See if it works when ignoring this.
>
> > 4. are you sure passenger and/or the passenger webapp is configured
> > correctly?
> >     I have as far as following the instructions in the blog post above. I
> >     wonder if there is any relabelling I have to do?
>
> I think this issue happens when the httpd server gets restarted manually
> (service httpd restart/stop/start etc) not sure though.
>
> can you ls -alZ /path/to/passenger executable file?
>
> It should be labelled type: passenger_exec_t
>
> httpd should domain transition to the passenger_t domain when it runs
> the passenger executable file (files with type passenger_exec_t)
>
> seems that doesn't happen but even if it did, passenger still wouldn't be
> able to read unconfined_t state files in /proc (not sure why it would
> need to either)
>
>
> >
> > 2010/12/28 Daniel J Walsh <dwalsh at redhat.com>
> >
> > On 12/26/2010 05:25 PM, Jorge Fábregas wrote:
> >>>> On Sunday, December 26, 2010 05:25:22 pm Dominick Grift wrote:
> >>>>>  is trying to read the state files in /proc for some unconfined_t
> >>>>>  process
> >>>>
> >>>> Never thought of /proc.  That explains why I found it weird to see a
> >>>> file labeled as unconfined_t.
> >>>>
> >>>> Frank: disregard my previous suggestion >:)
> >>>>
> >>>> --
> >>>> Jorge
> >>>> --
> >>>> selinux mailing list
> >>>> selinux at lists.fedoraproject.org
> >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > What OS/Version are you seeing this in?
> >>
>
>
>
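An added example, not from the thread and not part of Fedora's policy tooling: a POSIX sh script that parses a constructed AVC record of the kind under discussion (a `ps` child of httpd_t reading `/proc/<pid>/stat` of an unconfined_t process), prints the pid and comm of the denied process, the `ausearch` queries that retrieve the record from the audit log even after that process has exited, and the `semanage fcontext`/`restorecon` commands that give the passenger binary the passenger_exec_t type mentioned in the reply. The record's pid, inode and timestamp are invented; the binary path is the one from Frank's message.

```shell
#!/bin/sh
# Added example (not from the thread): pull the useful fields out of a raw
# AVC record and turn them into the follow-up commands an admin runs next.
# Only POSIX sh, sed and cut are used, so it runs on any box.

# Constructed sample record in the shape of the denial discussed in the
# thread. The pid, inode and timestamp are invented.
AVC_SAMPLE='type=AVC msg=audit(1293566776.123:4567): avc:  denied  { read } for  pid=12345 comm="ps" name="stat" dev=proc ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=file'

# Path from the thread: the tarball installer put the binary under /opt,
# where no default file-context rule matched, so it was left as bin_t.
PASSENGER_BIN='/opt/ruby-enterprise-1.8.7-2010.02/bin/passenger'

# avc_field RECORD KEY: print the value of KEY=value with quotes stripped.
# Assumes the value contains no whitespace, which holds for the keys used here.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: print the denied permissions, e.g. "read" or "open read".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\) *}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# avc_type CONTEXT: the type field of a user:role:type:level context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one line in the style of the setroubleshoot subject.
avc_summary() {
    printf 'pid=%s comm=%s %s -> %s %s { %s }\n' \
        "$(avc_field "$1" pid)" "$(avc_field "$1" comm)" \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# avc_followup RECORD: audit queries that find the denied process even after
# it has exited, because the audit log keeps pid and comm in the record.
avc_followup() {
    printf 'ausearch -m AVC -p %s\n' "$(avc_field "$1" pid)"
    printf 'ausearch -m AVC -c %s\n' "$(avc_field "$1" comm)"
}

# fcontext_cmds PATH: label the binary passenger_exec_t persistently. A plain
# chcon would be reverted by the next restorecon or full relabel.
fcontext_cmds() {
    printf "semanage fcontext -a -t passenger_exec_t '%s'\n" "$1"
    printf "restorecon -v '%s'\n" "$1"
    printf "ls -Z '%s'\n" "$1"
}

avc_summary "$AVC_SAMPLE"
avc_followup "$AVC_SAMPLE"
fcontext_cmds "$PASSENGER_BIN"
```

Run it as-is to see the parsed summary and the commands; on the affected host, `matchpathcon` on the path before and after the `semanage` rule shows whether policy now expects passenger_exec_t there, and `ps -eZ | grep httpd` after a restart shows whether the transition to passenger_t happens.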