Denied for com='ps' name='stat' {open} {read} {search}

Dominick Grift domg472 at gmail.com
Sun Dec 26 21:25:22 UTC 2010


On Sun, Dec 26, 2010 at 01:00:56PM -0700, Frank Licea wrote:
> I'm on a fresh install of Fedora 14 and using phusion passenger. I currently
> have SELinux in permissive mode.

I am not a passenger expert, but it looks from the denials that httpd_t (probably passenger or a passenger app?) is trying to read the state files in /proc for some unconfined_t process (which in this instance was probably pid 3279).

There are a few questions that I have.

1. why is passenger running in the httpd_t domain? (I thought Fedora implemented a passenger domain for passenger to run in)
2. is passenger running some webapp that for some reason needs to read the state file in /proc of some process that runs in the unconfined_t domain?
3. does this issue cause any loss of functionality in enforcing mode?
4. are you sure passenger and/or the passenger webapp is configured correctly?

Again, I am not a ruby user, but I am guessing it's some interpreter thingy? If that's the case then I guess it could be the code it's interpreting that causes this?
Maybe that code somehow depends on a user application or somehow interacts with a user application?

> 
>  When I checked my /var/log/audit/audit.log file I noticed three denial
> messages and I can't figure out why they are there. Has anyone encountered
> anything similar before?
> 
> ==========================
> type=AVC msg=audit(1293393237.358:102): avc:  denied  { search } for
> pid=3451 comm="ps" name="3279" dev=proc ino=9320
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
> 
>     Was caused by:
>         Missing type enforcement (TE) allow rule.
> 
>         You can use audit2allow to generate a loadable module to allow this
> access.
> 
> type=AVC msg=audit(1293393237.358:102): avc:  denied  { read } for  pid=3451
> comm="ps" name="stat" dev=proc ino=9816
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
> 
>     Was caused by:
>         Missing type enforcement (TE) allow rule.
> 
>         You can use audit2allow to generate a loadable module to allow this
> access.
> 
> type=AVC msg=audit(1293393237.358:102): avc:  denied  { open } for  pid=3451
> comm="ps" name="stat" dev=proc ino=9816
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
> 
>     Was caused by:
>         Missing type enforcement (TE) allow rule.
> 
>         You can use audit2allow to generate a loadable module to allow this
> access.
> ==========================

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
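The three AVC records quoted above are the kind of thing a triage script should digest before anyone reaches for audit2allow. The following Python is an added example (not code from the thread or from any SELinux tool): it parses AVC lines from audit.log, groups the denied permissions per (comm, name) the way the thread's subject line does, flags records where one domain (here httpd_t) is reading another domain's (unconfined_t) /proc entries, and renders the minimal `allow` rules those denials would need so the scope of such a grant is visible. The sample log is the post's three records re-joined onto one line each (the mail client had wrapped them); the regexes and function names are my own assumptions.

```python
import re
from collections import defaultdict

# Sample input: the three AVC records quoted in the post, each re-joined onto a
# single line. No data here comes from a live system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1293393237.358:102): avc:  denied  { search } for pid=3451 comm="ps" name="3279" dev=proc ino=9320 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1293393237.358:102): avc:  denied  { read } for  pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1293393237.358:102): avc:  denied  { open } for  pid=3451 comm="ps" name="stat" dev=proc ino=9816 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
"""

# "avc:  denied  { read open } for key=value ..." (assumed record shape, matches the post)
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
# key=value pairs: values are either double-quoted (comm="ps") or bare (pid=3451).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines (SYSCALL, CWD, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec


def se_type(context):
    """Return the type field of an SELinux context user:role:type[:range]."""
    return context.split(":")[2]


def parse_log(text):
    """All denied AVC records in an audit log, in file order."""
    recs = (parse_avc(line) for line in text.splitlines())
    return [r for r in recs if r is not None and r["result"] == "denied"]


def summarise(records):
    """Merge denied permissions per (comm, name), like the thread's subject line."""
    groups = defaultdict(set)
    for r in records:
        groups[(r.get("comm"), r.get("name"))] |= r["perms"]
    return {k: frozenset(v) for k, v in groups.items()}


def cross_domain_proc_reads(records):
    """Flag denials where a confined source touches another domain's /proc entries.

    Returns (source_type, target_type, tclass, name) tuples. These are the records
    that need a 'why' (the questions in the reply) before any rule is written.
    """
    hits = []
    for r in records:
        if r.get("dev") != "proc":
            continue
        src, tgt = se_type(r["scontext"]), se_type(r["tcontext"])
        if src != tgt:
            hits.append((src, tgt, r["tclass"], r.get("name")))
    return hits


def allow_rules(records):
    """Render the minimal TE allow rules these denials would need, merged per
    (source type, target type, object class), in the same rule form audit2allow
    emits. Rendering them makes the breadth of the grant obvious: 'file read'
    on unconfined_t covers far more than one process's /proc/<pid>/stat."""
    merged = defaultdict(set)
    for r in records:
        key = (se_type(r["scontext"]), se_type(r["tcontext"]), r["tclass"])
        merged[key] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for (comm, name), perms in summarise(recs).items():
        print(f"Denied for comm={comm!r} name={name!r}", " ".join("{%s}" % p for p in sorted(perms)))
    print("cross-domain /proc access:", cross_domain_proc_reads(recs))
    print("\n".join(allow_rules(recs)))
```

On the post's records the script reports httpd_t searching the /proc directory `3279` and reading/opening its `stat` file, both owned by unconfined_t, and shows that the rules needed to silence the denials would be a grant from httpd_t to every unconfined_t file and directory, which is why the reply asks what passenger is doing rather than suggesting the module straight away.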
