Big brother and httpd

Ivan Gyurdiev ivg2 at cornell.edu
Mon Jun 27 13:34:37 UTC 2005


> Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
> Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
> Jun 27 09:05:18 pocono last message repeated 2 times

runbb.sh is now run as an http script (because you changed its context).

As such, it is not allowed to write to the terminal (because web 
scripts shouldn't be writing to the terminal).

> Jun 27 09:05:18 pocono kernel: audit(1119877518.722:0): avc:  denied  { execute_no_trans } for  pid=7010 comm=nohup path=/home/bb/bbc1.9f-btf/bin/bbrun dev=dm-1 ino=6407895 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file

Here you have a script trying to execute something marked as content,
so it makes sense that it's denied.

> Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc:  denied  { read write } for  pid=7012 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
> Jun 27 09:05:21 pocono kernel: audit(1119877521.644:0): avc:  denied  { read write } for  pid=7012 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file
> Jun 27 09:05:21 pocono last message repeated 2 times

More of the same...

> Jun 27 09:05:21 pocono kernel: audit(1119877521.716:0): avc:  denied  { execute_no_trans } for  pid=7064 comm=runbb.sh path=/home/bb/bb1.9f-btf/bin/bbd dev=dm-1 ino=6407874 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file

Same problem here.

> Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
> Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/2 dev=proc ino=131074 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
> Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/3 dev=proc ino=196610 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
> ...

Looks like it's trying to run ps, and gets denials because it's not
allowed to gain information about things running in unconfined_t. That
sounds legit to me - I don't see why it should be allowed.

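To make the pattern in these denials easier to see, here is an added example (not part of the thread) that parses the quoted AVC records, groups the denied permissions by source type, target type and object class, and prints the `allow` rule a blanket audit2allow-style "fix" would have to add for each group. The input is the thread's own log lines; the parsing, aggregation and rule formatting are mine.

```python
import re
from collections import defaultdict

# Sample input: AVC records copied from the quoted messages above (the thread's own output),
# plus one syslog "repeated" line to show that non-AVC lines are skipped.
AVC_LINES = [
    "Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh name=13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file",
    "Jun 27 09:05:18 pocono kernel: audit(1119877518.646:0): avc:  denied  { read write } for  pid=6955 comm=runbb.sh path=/dev/pts/13 dev=devpts ino=15 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:devpts_t tclass=chr_file",
    "Jun 27 09:05:18 pocono kernel: audit(1119877518.722:0): avc:  denied  { execute_no_trans } for  pid=7010 comm=nohup path=/home/bb/bbc1.9f-btf/bin/bbrun dev=dm-1 ino=6407895 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file",
    "Jun 27 09:05:21 pocono kernel: audit(1119877521.716:0): avc:  denied  { execute_no_trans } for  pid=7064 comm=runbb.sh path=/home/bb/bb1.9f-btf/bin/bbd dev=dm-1 ino=6407874 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file",
    "Jun 27 09:05:26 pocono kernel: audit(1119877526.722:0): avc:  denied  { getattr } for  pid=7067 comm=ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir",
    "Jun 27 09:05:26 pocono last message repeated 2 times",
]

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict for one AVC record, or None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # A context is user:role:type[:range]; the type (third field) is what TE rules are written against.
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),  # older kernels log name= instead of path=
        "tclass": fields["tclass"],
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
    }

def aggregate_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return groups

def allow_rule(key, perms):
    """The TE rule that silencing this group of denials would require; read it before adding it."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"

if __name__ == "__main__":
    for key, perms in sorted(aggregate_denials(AVC_LINES).items()):
        print(allow_rule(key, perms))
```

Seeing the three rules side by side (web script writing to a terminal, executing content files, inspecting unconfined processes) makes the point of the reply concrete: the right fix is to restore the script's original label, not to grant these permissions to httpd_sys_script_t.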