Allow PHP to list other users' processes

Daniel J Walsh dwalsh at redhat.com
Mon Feb 20 16:45:45 UTC 2012



On 02/20/2012 11:17 AM, Miroslav Grepl wrote:
> On 02/18/2012 02:37 PM, Dominick Grift wrote:
>> On Sat, 2012-02-18 at 14:51 +0100, Ole Jon Bjørkum wrote:
>>> Hi!
>>> 
>>> 
>>> I have a problem with SELinux not allowing PHP to list other
>>> users' processes with the "ps" command. If I disable SELinux
>>> with "setenforce 0" it works immediately.
>>> 
>>> 
>>> Is it possible to allow PHP to do this without disabling
>>> SELinux completely?
>> Yes, something like this would probably allow it:
>> 
>> mkdir mytest; cd mytest
>> cat > mytest.te <<'EOF'
>> policy_module(mytest, 1.0.0)
>> gen_require(` type httpd_t; attribute domain; ')
>> ps_process_pattern(httpd_t, domain)
>> EOF
>> 
>> make -f /usr/share/selinux/devel/Makefile mytest.pp
>> 
>> sudo semodule -i mytest.pp
>> 
>> now httpd_t should be able to ps all domains.
>> 
> Yes, you will need to use a local policy as Dominick wrote. This
> is not something we want to allow by default.
>>> Thanks!
>>> 
>>> 
>>> Ole Jon -- selinux mailing list 
>>> selinux at lists.fedoraproject.org 
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux

Just to beat the subject to death.

http://danwalsh.livejournal.com/51435.html



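As an added example (not code from the thread), the module Dominick sketched turned into a small script: a heredoc keeps the shell from treating the m4 opening backtick as command substitution, the build step checks that the devel Makefile from selinux-policy-devel is present, and a sesearch query confirms the rule after loading. The function names and the verification query are my own.

```shell
#!/bin/sh
# Added example (not from the thread): build, load and verify the local module
# Dominick sketched. A heredoc with "\`" keeps the shell from treating the
# m4 opening quote as command substitution, which a one-line echo would do.

MODULE=mytest
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # from selinux-policy-devel

# write_te_file DIR SRC_DOMAIN: write DIR/$MODULE.te granting SRC_DOMAIN the
# ps_process_pattern() permissions on every domain (the 'domain' attribute).
write_te_file() {
    dir=$1; src=$2
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0.0)

gen_require(\`
    type $src;
    attribute domain;
')

# list /proc/<pid>, read its status/cmdline, getattr and getsession on the process
ps_process_pattern($src, domain)
EOF
}

# build_module DIR: compile DIR/$MODULE.te to DIR/$MODULE.pp; returns 1 if
# the refpolicy devel Makefile is not installed.
build_module() {
    dir=$1
    [ -f "$DEVEL_MAKEFILE" ] || { echo "missing $DEVEL_MAKEFILE" >&2; return 1; }
    (cd "$dir" && make -f "$DEVEL_MAKEFILE" "$MODULE.pp")
}

# install_and_verify DIR SRC_DOMAIN: load the module (needs root), check it is
# listed, and query the loaded policy (sesearch, package setools) for the rule.
install_and_verify() {
    dir=$1; src=$2
    semodule -i "$dir/$MODULE.pp" || return 1
    semodule -l | grep -q "^$MODULE" || return 1
    sesearch -A -s "$src" -c process -p getattr | grep -q 'allow'
}

# Run as root: sh build_ps_module.sh run
case "${1-}" in
    run) d=$(mktemp -d) && write_te_file "$d" httpd_t && build_module "$d" \
         && install_and_verify "$d" httpd_t ;;
esac
```

Note that the `domain` attribute covers every process on the system, so the web server can then read any process's /proc entry, command line included; if only a few domains are needed, name those types in place of `domain`.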