CentOS 6.3. *Just* updated, including most current selinux-policy and selinux-policy-targeted. I'm getting tons of these, as in it's just spitting them out when I tail -f /var/log/messages:

Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory @2. For complete SELinux messages. run sealert -l d92ec78b-3897-4760-93c5-343a662fec67
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/<pid>. For complete SELinux messages. run sealert -l a9c9bf7d-d646-4c29-9fe6-ac61b6806f52
Sep 13 15:20:52 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory 4417. For complete SELinux messages. run sealert -l b321ab2d-0277-45c9-bc86-545f9ff6ff91
You can see how many of them there are from the timestamps.
Googling, I've seen other folks complain months ago, but no answers. Anyone have a clue?
If selinux wasn't in permissive mode, something(s) would be dead.
mark
On 09/13/2012 03:24 PM, m.roth@5-cent.us wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
What are the AVCs you are seeing? What domain is running the ps command?
"DJW" == Daniel J Walsh dwalsh@redhat.com writes:
DJW> What are the AVC's you are seeing. What domain is running ps
DJW> command.
I have one system with a cgi-type thing that calls ps and you basically have to allow, well, nearly everything. Since the files in /proc get labeled with the domain of the process, and ps needs to trawl through all of those, whatever runs ps needs to get all sorts of directory and file read access to any domain that might be running on the system.
- J<
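As an added example (not from the thread and not from any of the posters), a POSIX shell helper that answers Dan's two questions from raw audit.log-style AVC records, the kind `ausearch -m avc` returns: which source domain is running ps, and which target domains' /proc entries it is hitting, i.e. the set Jason says you end up having to allow. The sample records, their pids, contexts and timestamps are constructed.

```shell
#!/bin/sh
# Constructed sample AVC records (made-up pids, contexts, timestamps).
# One non-ps record is included to show it is filtered out.
SAMPLE_AVCS='type=AVC msg=audit(1347564051.101:4011): avc:  denied  { search } for  pid=4417 comm="ps" name="4417" dev=proc ino=1 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1347564051.102:4012): avc:  denied  { getattr } for  pid=4417 comm="ps" path="/proc/2201" dev=proc ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1347564052.103:4013): avc:  denied  { search } for  pid=4417 comm="ps" name="2201" dev=proc ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1347564052.104:4014): avc:  denied  { read } for  pid=4417 comm="ps" name="stat" dev=proc ino=3 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1347564052.105:4015): avc:  denied  { search } for  pid=4417 comm="ps" name="1" dev=proc ino=4 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1347564052.106:4016): avc:  denied  { read } for  pid=900 comm="cat" name="shadow" dev=dm-0 ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# summarize_avcs COMM  (reads AVC records on stdin)
# Prints one line per distinct denial tuple raised by processes named COMM:
#   <source type> <target type> <tclass> <perm> <permissive flag> <count>
summarize_avcs() {
    awk -v want="$1" '
        # user:role:type[:level] -> type
        function type_of(kv,   n, parts) {
            sub(/^[a-z]*context=/, "", kv); n = split(kv, parts, ":"); return parts[3]
        }
        /avc:  denied/ {
            comm = ""; sc = ""; tc = ""; cls = ""; perm = ""; pm = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)            { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                else if ($i ~ /^scontext=/)   { sc = type_of($i) }
                else if ($i ~ /^tcontext=/)   { tc = type_of($i) }
                else if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
                else if ($i ~ /^permissive=/) { pm = substr($i, 12) }
            }
            # the permission set sits between braces: { search } or { read write }
            if (match($0, /\{ [^}]* \}/)) { perm = substr($0, RSTART + 2, RLENGTH - 4); gsub(/ /, "+", perm) }
            if (comm == want) count[sc " " tc " " cls " " perm " " pm]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# target_domains COMM  (reads AVC records on stdin)
# The distinct target types COMM was denied on: with ps that is the list of
# process domains whose /proc entries the caller domain would need access to.
target_domains() {
    summarize_avcs "$1" | awk '{ print $2 }' | LC_ALL=C sort -u
}

# Usage: ausearch -m avc --raw | summarize_avcs ps
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs ps
```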