Allow PHP to list other users' processes

Miroslav Grepl mgrepl at redhat.com
Mon Feb 20 16:17:22 UTC 2012


On 02/18/2012 02:37 PM, Dominick Grift wrote:
> On Sat, 2012-02-18 at 14:51 +0100, Ole Jon Bjørkum wrote:
>> Hi!
>>
>>
>> I have a problem with SELinux not allowing PHP to list other users'
>> processes with the "ps" command.
>> If I disable SELinux with "setenforce 0" it works immediately.
>>
>>
>> Is it possible to allow PHP to do this without disabling SELinux
>> completely?
> Yes, something like this would probably allow it:
>
> mkdir mytest; cd mytest; cat > mytest.te <<'EOF'
> policy_module(mytest, 1.0.0)
> gen_require(` type httpd_t; attribute domain; ')
> ps_process_pattern(httpd_t, domain)
> EOF
>
> make -f /usr/share/selinux/devel/Makefile mytest.pp
>
> sudo semodule -i mytest.pp
>
> now httpd_t should be able to ps all domains.
>
Yes, you will need to use a local policy as Dominick wrote. This is 
something we do not want to allow by default.
>> Thanks!
>>
>>
>> Ole Jon
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
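
An added example, not part of the thread and not code from its participants or the policy project: a Python triage of AVC denials for `httpd_t`, showing which ones fall within the class/permission sets that `ps_process_pattern` grants and which remain denied. The permission sets are assumed from the reference policy's support macros, and the log lines, pid and timestamp are constructed.

```python
import re
from collections import defaultdict

# Class/permission sets granted by ps_process_pattern(httpd_t, domain).
# Assumption: as defined in the reference policy's support macros; confirm
# under /usr/share/selinux/devel/include/support/ on your system.
PS_PATTERN = {
    "dir": {"getattr", "search", "open", "read", "lock", "ioctl"},
    "file": {"getattr", "open", "read", "lock", "ioctl"},
    "lnk_file": {"getattr", "read"},
    "process": {"getattr"},
}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def ctx_type(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def triage(lines, source_type="httpd_t"):
    """Group source_type denials by (target type, class): inside vs outside
    the pattern. Checks class/permission only, not that the target type
    carries the `domain` attribute."""
    inside, outside = defaultdict(set), defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m or ctx_type(m.group(2)) != source_type:
            continue
        perms, tctx, cls = m.group(1).split(), m.group(3), m.group(4)
        for perm in perms:
            bucket = inside if perm in PS_PATTERN.get(cls, ()) else outside
            bucket[(ctx_type(tctx), cls)].add(perm)
    return dict(inside), dict(outside)

def _avc(perms, tctx, cls, sctx="system_u:system_r:httpd_t:s0", comm="ps"):
    """Build a constructed audit.log AVC line (hypothetical pid and timestamp)."""
    return (f'type=AVC msg=audit(1329574620.101:301): avc:  denied  {{ {perms} }} '
            f'for  pid=2101 comm="{comm}" scontext={sctx} tcontext={tctx} tclass={cls}')

INIT = "system_u:system_r:init_t:s0"
SAMPLE = [  # constructed lines, not taken from the thread
    _avc("getattr", INIT, "dir"),
    _avc("search", INIT, "dir"),
    _avc("read open", "system_u:system_r:sshd_t:s0-s0:c0.c1023", "file"),
    _avc("getattr", INIT, "process"),
    _avc("write", "system_u:object_r:etc_t:s0", "file", comm="php"),
    _avc("getattr", INIT, "dir", sctx="system_u:system_r:sshd_t:s0"),  # not httpd_t
]

if __name__ == "__main__":
    inside, outside = triage(SAMPLE)
    print("inside pattern:", inside)
    print("outside pattern:", outside)
```

Denials in the second group are not addressed by the local module and need their own review.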
