/proc {getattr} failures

Stephen Smalley sds at tycho.nsa.gov
Tue May 24 14:47:12 UTC 2005


On Sun, 2005-05-22 at 21:53 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Sun, 22 May 2005 21:42:17 EDT, "James Z. Li" said:
> > targeted policy on FC3
> > 
> > /var/log/messages show lots of avcs:
> > May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc:  denied 
> > { getattr } for  pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538
> > scontext=user_u:system_r:httpd_sys_script_t
> > tcontext=user_u:system_r:unconfined_t tclass=dir
> 
> Am I the only one here who thinks that this is really something that can't
> be supported in the context of the 'targeted' policy, and would be much
> easier to do in 'strict'?

It shouldn't be done at all, other than to dontaudit these attempts.  No
legitimate reason for a CGI script to be probing init's /proc/pid files.

-- 
Stephen Smalley
National Security Agency
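As an added illustration (not code from the thread or from the SELinux project), here is a small parser for AVC lines of the form quoted above that turns the denial into the dontaudit rule Stephen describes, roughly what `audit2allow -D` does. The sample line is the one from James's message; the regex and function names are mine.

```python
import re

# AVC denial as quoted in the thread (re-joined onto one line).
SAMPLE_AVC = (
    "May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc:  denied "
    "{ getattr } for  pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538 "
    "scontext=user_u:system_r:httpd_sys_script_t "
    "tcontext=user_u:system_r:unconfined_t tclass=dir"
)

# Fields of interest: result, permission set, source/target contexts, class.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return a dict describing the AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec


def type_of(context):
    """Extract the type field from a user:role:type[:mls] security context."""
    return context.split(":")[2]


def dontaudit_rule(rec):
    """Build the policy statement that silences this denial without granting it."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "dontaudit %s %s:%s %s;" % (
        type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm_str
    )


def rules_for_log(lines):
    """Deduplicated dontaudit rules for every denial found in a log excerpt."""
    seen = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rule = dontaudit_rule(rec)
            if rule not in seen:
                seen.append(rule)
    return seen


if __name__ == "__main__":
    print("\n".join(rules_for_log([SAMPLE_AVC])))
```

A dontaudit rule only stops the log noise; it does not let the CGI script read /proc/1, which is the point of the reply.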

