On 10/21/2013 04:55 PM, m.roth(a)5-cent.us wrote:
Daniel J Walsh wrote:
> On 10/21/2013 04:50 PM, m.roth(a)5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 10/21/2013 04:28 PM, Daniel J Walsh wrote:
>>>> On 10/21/2013 04:24 PM, m.roth(a)5-cent.us wrote:
>>>>> The sealert tells me that a file named index.cgi is running avc
>>>>> on sysfs_t. Is there any tool that would get me the *full* path
>>>>> of index.cgi, as there are several of them, for several websites
>>>>> (including bugzilla)?
>>>>
>>>>> CentOS 6.4.
>>>>
>>>> You can turn on full auditing which should generate the path.
>> <snip>
>>>> Or you can turn it on temporarily (Until next reboot)
>>>>
>>>> auditctl -w /etc/shadow
>>>
>>> Here is a blog I wrote on this a few years back.
>>>
>>> http://danwalsh.livejournal.com/34903.html?thread=220247
>>
>> No joy, anywhere. I found some AVC's and looked at the inode...
>> /dev/char/203.11. And the sealert tells me only (for example) SELinux
>> is preventing /usr/bin/perl from read access on the file
>> /sys/devices/system/node/node0/meminfo.
>>
>> Obviously, index.cgi is in perl....
>>
> Well it would only happen after the next AVC.
Of course. I did the auditctl -w route, and a couple minutes later got new
avc's, with the same result.
mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux