Denied for com='ps' name='stat' {open} {read} {search}

Frank Licea francisco.licea at gmail.com
Tue Dec 28 19:34:56 UTC 2010


Daniel:

I'm using Fedora 14.

To answer Dominik's questions:

1) Why is passenger running in the httpd domain?
   I don't know. I've only followed the passenger installation instructions
   at http://mifo.sk/posts/passenger-selinux-for-fedora/ minus step 5 since
   Fedora 14 is supposed to have passenger policies installed? Should httpd
   be in a special passenger domain?

2) Is passenger running some webapp that for some reason needs to read the
   state file in /proc of some process that runs in the unconfined_t domain?
   No, I don't think so. At least I haven't written any code where I use
   anything in /proc.
   I suppose it is possible that a GEM library may be trying to.

3) Does this issue cause any loss of functionality in enforcing mode?
   I haven't checked yet. I will let you know soon.

4) Are you sure passenger and/or the passenger webapp is configured
   correctly?
   I have as far as following the instructions in the blog post above. I
   wonder if there is any relabelling I have to do?



2010/12/28 Daniel J Walsh <dwalsh at redhat.com>

> On 12/26/2010 05:25 PM, Jorge Fábregas wrote:
> > On Sunday, December 26, 2010 05:25:22 pm Dominick Grift wrote:
> >>  is trying to read the state files in /proc for some unconfined_t process
> >
> > Never thought of /proc.  That explains why I found it weird to see a file
> > labeled as unconfined_t.
> >
> > Frank: disregard my previous suggestion >:)
> >
> > --
> > Jorge
> > --
> > selinux mailing list
> > selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> What OS/Version are you seeing this in?