Denied for com='ps' name='stat' {open} {read} {search}

Dominick Grift domg472 at gmail.com
Tue Dec 28 20:32:24 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/28/2010 09:15 PM, Dominick Grift wrote:
> On 12/28/2010 09:06 PM, Frank Licea wrote:
>> I just realised that the server is using a Ruby Enterprise edition
>> installation. Which means that
>> the ruby installation was downloaded as a .tar file and installed using an
>> install script to the path /opt/ruby-enterprise-1.8.7-2010.02/
> 
>> Thus everything in my $RUBY_HOME/bin is labelled system_u:object_r:bin_t:s0
> 
> You could try labelling "ApplicationPoolServerExecutable"
> passenger_exec_t, but to be honest I do not think this will be enough (I
> don't think the policy supports the enterprise edition). This may also
> explain the /proc issue. Who knows what other "features" the enterprise
> edition supports.
> 
> So I guess you find yourself in a bit of a sticky situation here.
> You could write policy for your enterprise edition yourself. After all
> SELinux is a framework that allows you to do so, but you will have to
> know a bit about the matter to be able to implement it, just like one
> needs to know a bit about netfilter and iptables to open or forward some
> network port.
> 
> I want to help you implement a policy but it isn't easy for me either as
> I haven't much experience with Ruby on Rails and its files.
> 
> Can you enclose a list with all the file locations included with your
> passenger enterprise package?

So I am just asking for a list of file locations and *not* for the package.

<rant>
I've written policy for the default passenger over and over again; now
that that's finally supported in Fedora 14, the enterprise version comes
along. I think these guys at passenger should (have) collaborate with
the SELinux community to make sure their "shed" works with enterprise
Linux...
</rant>

>> This includes $RUBY_HOME/bin/passenger. That explains why httpd is not
>> running in the passenger domain.
> 
>> Should I attempt to relabel these files myself?
> 
>> This still doesn't explain the /proc access.
> 
>> I've attempted to look up the name of the process ID in the AVC denial
>> messages but that process doesn't seem to show up using a `ps -ef` or
>> looking for it in htop. It must be exiting quickly.
> 
> 
>> On Tue, Dec 28, 2010 at 12:45 PM, Dominick Grift <domg472 at gmail.com> wrote:
> 
>> On 12/28/2010 08:34 PM, Frank Licea wrote:
>>>>> Daniel:
>>>>>
>>>>> I'm using Fedora 14.
>>>>>
>>>>> To answer Dominik's questions:
>>>>>
>>>>> 1) Why is passenger running in the httpd domain?
>>>>>    I don't know. I've only followed the passenger installation instructions
>>>>> at http://mifo.sk/posts/passenger-selinux-for-fedora/ minus step 5 since
>>>>> Fedora 14 is supposed to have passenger policies installed? Should httpd be
>>>>> in a special passenger domain?
> 
>> I think Fedora 14 has a special passenger policy installed but it looks
>> like it's not working on your system (note "looks") since it seems to still
>> run in the httpd_t domain.
> 
>>>>> 2) is passenger running some webapp that for some reason needs to read the
>>>>> state file in /proc of some process that runs in the unconfined_t domain?
>>>>>   No I don't think so. At least I haven't written any code where I use
>>>>> anything in /proc.
>>>>>   I suppose it is possible that a GEM library may be trying to.
> 
>> Why would it? Can you reproduce this issue? Does it only happen if you
>> restart httpd manually? I guess it does..
> 
>>>>> 3) does this issue cause any loss of functionality in enforcing mode
>>>>>     I haven't checked yet. I will let you know soon.
>>>>>
> 
>> See if it works when ignoring this.
> 
>>>>> 4. are you sure passenger and/or the passenger webapp is configured
>>>>> correctly?
>>>>>     I have as far as following the instructions in the blog post above. I
>>>>> wonder if there
>>>>>     is any relabelling I have to do?
> 
>> I think this issue happens when the httpd server gets restarted manually
>> (service httpd restart/stop/start etc) not sure though.
> 
>> Can you ls -alZ the /path/to/passenger executable file?
> 
>> It should be labelled type: passenger_exec_t
> 
>> httpd should domain transition to the passenger_t domain when it runs
>> the passenger executable file (files with type passenger_exec_t)
> 
>> Seems that doesn't happen, but even if it did, passenger still wouldn't be
>> able to read unconfined_t state files in /proc (not sure why it would
>> need to either).
> 
> 
>>>>>
>>>>> 2010/12/28 Daniel J Walsh <dwalsh at redhat.com>
>>>>>
>>>>> On 12/26/2010 05:25 PM, Jorge Fábregas wrote:
>>>>>>>> On Sunday, December 26, 2010 05:25:22 pm Dominick Grift wrote:
>>>>>>>>>  is trying to read the state files in /proc for some unconfined_t process
>>>>>>>>
>>>>>>>> Never thought of /proc.  That explains why I found it weird to see a file
>>>>>>>> labeled as unconfined_t.
>>>>>>>>
>>>>>>>> Frank: disregard my previous suggestion >:)
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jorge
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux at lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>> What OS/Version are you seeing this in?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0aSVgACgkQMlxVo39jgT+RBQCfZOI7/Xgf6cOioIr+036GC1Xg
x8MAn0JB0xdNqNWZy4gvhG/jxFhshLcc
=SZPx
-----END PGP SIGNATURE-----
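The thread turns on one check: the Passenger executables under $RUBY_HOME/bin carry bin_t, so httpd never transitions into passenger_t when it runs them. The script below is an added example, not code from the thread, from Passenger or from the Fedora SELinux policy. It audits an "ls -Z" listing of the install directory named in the thread and prints the commands that give the two executables the thread mentions (passenger and ApplicationPoolServerExecutable) a persistent passenger_exec_t label. The sample listing is constructed; the executable list and the expected type are taken from the discussion, and whether the stock policy then confines the Enterprise edition correctly is exactly the open question Dominick raises.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Passenger/SELinux policy
# projects. It audits an "ls -Z" listing of a Ruby Enterprise bin/ directory and
# prints the commands that give the Passenger executables a persistent
# passenger_exec_t label. The install path is the one named in the thread; the
# executable names come from the thread; the listing below is constructed.

# Executables the thread expects httpd to transition on (passenger_exec_t).
EXPECTED_EXECS="passenger ApplicationPoolServerExecutable"
EXPECTED_TYPE="passenger_exec_t"

# Print the SELinux type (third field of user:role:type:level) found in one
# "ls -Z" line. Works for both "context path" lines and long-format "ls -lZ"
# lines, because it looks for the first field shaped like a security context.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Print the commands that relabel $1 (path) from type $2 to type $3 and make the
# change survive a full relabel; print nothing when the label is already right.
# "semanage fcontext" records the rule, "restorecon" applies it to the file.
relabel_commands() {
    if [ "$2" != "$3" ]; then
        printf 'semanage fcontext -a -t %s "%s"\n' "$3" "$1"
        printf 'restorecon -v "%s"\n' "$1"
    fi
}

# Read an "ls -Z" listing (produced with full paths, e.g. "ls -Z /dir/*") from
# stdin and emit relabel commands for every expected executable whose type is
# not passenger_exec_t. Other files in bin/ (ruby, gem, ...) are left alone.
audit_listing() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=$(printf '%s\n' "$line" | awk '{ print $NF }')
        name=${path##*/}
        for exe in $EXPECTED_EXECS; do
            [ "$name" = "$exe" ] || continue
            relabel_commands "$path" "$(selinux_type_of "$line")" "$EXPECTED_TYPE"
        done
    done
}

# Constructed listing mirroring what the thread reports: everything under
# $RUBY_HOME/bin carries bin_t. The last line uses the long "ls -lZ" layout.
SAMPLE_LISTING='system_u:object_r:bin_t:s0 /opt/ruby-enterprise-1.8.7-2010.02/bin/passenger
system_u:object_r:bin_t:s0 /opt/ruby-enterprise-1.8.7-2010.02/bin/ruby
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /opt/ruby-enterprise-1.8.7-2010.02/bin/ApplicationPoolServerExecutable'

# Real use: ls -Z /opt/ruby-enterprise-1.8.7-2010.02/bin/* | audit_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

Run the printed semanage/restorecon lines as root, then repeat the ls -alZ check the thread asks for; if the policy does cover the executable, the Passenger processes spawned by httpd should show passenger_t rather than httpd_t in "ps -eZ". If they still run as httpd_t, or new AVC denials appear, that is the point where the thread concludes the stock policy does not cover the Enterprise edition and local policy is needed.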

