[CentOS] SELinux is preventing /bin/ps from search access

Daniel J Walsh dwalsh at redhat.com
Sat Sep 15 06:04:17 EDT 2012


On 09/14/2012 02:24 PM, m.roth at 5-cent.us wrote:
> James B. Byrne wrote:
>> 
>> On Thu, September 13, 2012 16:06, m.roth at 5-cent.us wrote:
>>> CentOS 6.3. *Just* updated, including most current selinux-policy and 
>>> selinux-policy-targeted. I'm getting tons of these, as in it's just 
>>> spitting them out when I tail -f /var/log/messages:
>>>
>>> Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory @2. For complete SELinux messages. run sealert -l d92ec78b-3897-4760-93c5-343a662fec67
> <snip>
>> Are you running httpd with mod_rails (rails passenger) perchance?
> 
> Dan Walsh asked me *exactly* the same question. Yep, they've got ruby apps.
> As soon as he said that, I googled, and found I needed to set two booleans,
> and create a policy - that's a *ton* of allows - for passenger. Installed
> it. It finally shut up....
> 
> Thanks!
> 
> mark, underwhelmed w/ the need for ruby....


Only one rule required.

You can either add

domain_read_all_domains_state(httpd_t)
or
domain_dontaudit_read_all_domains_state(httpd_t)

We are putting fixes in for this in Fedora and soon into RHEL, for the
upcoming openshift policy which also uses passenger.
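
Added example, not part of the message above: a shell script that wraps either of the two interface calls from the reply in a local policy module and loads it. The module name local_httpd_ps, the temporary build directory, and the presence of the policy development Makefile at /usr/share/selinux/devel/Makefile are assumptions.

```shell
#!/bin/sh
# Added example: local policy module for the /bin/ps denial under httpd_t.
# MODULE is a hypothetical name chosen for this example.
MODULE=local_httpd_ps

# Print the .te source on stdout.
#   dontaudit: the access stays denied, only the AVC logging is silenced
#   allow:     httpd_t may read the /proc state of processes in all domains
gen_te() {
    case "$1" in
        dontaudit) rule='domain_dontaudit_read_all_domains_state(httpd_t)' ;;
        allow)     rule='domain_read_all_domains_state(httpd_t)' ;;
        *) echo "usage: gen_te dontaudit|allow" >&2; return 2 ;;
    esac
    # The backtick/quote pair is m4 quoting, as required by gen_require.
    cat <<EOF
policy_module($MODULE, 1.0)

gen_require(\`
    type httpd_t;
')

$rule
EOF
}

# Build the module in a scratch directory and load it (needs root).
install_module() {
    workdir=$(mktemp -d) || return 1
    gen_te "$1" > "$workdir/$MODULE.te" || return 1
    make -C "$workdir" -f /usr/share/selinux/devel/Makefile "$MODULE.pp" || return 1
    semodule -i "$workdir/$MODULE.pp" || return 1
    # Confirm the module is now listed in the policy store.
    semodule -l | grep "$MODULE"
}

# Usage: sh local_httpd_ps.sh install [dontaudit|allow]
if [ "${1:-}" = install ]; then
    install_module "${2:-dontaudit}"
fi
```

The script defaults to the dontaudit variant, which keeps httpd_t from reading other domains' process state and only stops the log flood; pass `allow` if the application actually needs the `ps` output.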

