[CentOS] silencing Passenger "ps" SELinux errors
Daniel J Walsh
dwalsh at redhat.com
Wed Mar 27 14:59:22 UTC 2013
On 03/27/2013 10:01 AM, Paul Norton wrote:
> On 27 March 2013 13:09, ignasr at vault13.lt <ignasr at vault13.lt> wrote:
>
>> Hello,
>>
>> How do people cope with constant SELinux errors like this from Phusion
>> Passenger:
>>
>> 36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
>> 36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
>> 36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928
>>
>> It happens when Passenger v3 tries to determine memory stats with "ps".
>> There is an Apache directive to turn it off
>> (http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMemoryLimit),
>> unfortunately it does not work in the community version of Passenger.
>>
>> The cause is always ps running as passenger_t trying to read files in
>> /proc with various types of security context.
>>
>> Thank you, IgnasR
>>
>
> Hello IgnasR,
>
> I think that you've posted to the wrong list. The app server support list
> is here:
> https://groups.google.com/forum/?fromgroups#!forum/phusion-passenger
>
> Dan Walsh is a great place to start with SELinux:
> http://people.redhat.com/dwalsh/
>
> SELinux by Example takes a great theory and hands-on approach:
> http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694
>
> All the best,
> Paul
>
domain_read_all_domains_state(passenger_t) # This is what RHEL6.4 has
Or
domain_dontaudit_read_all_domains_state(passenger_t)
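
Added example, not part of the original thread or of either poster's message: one way to apply the reply above on a system whose shipped policy lacks the rule is to wrap one of the two interface calls in a local policy module. The module name local_passenger and the script layout are assumptions; the first interface allows the /proc reads that ps attempts, the second keeps them denied and only stops logging them.

```shell
#!/bin/sh
# Added example. "local_passenger" is a hypothetical module name.

# write_passenger_te MODE DIR
#   MODE=allow     -> domain_read_all_domains_state (ps may read /proc/<pid>)
#   MODE=dontaudit -> domain_dontaudit_read_all_domains_state
#                     (access stays denied, the denial is no longer logged)
write_passenger_te() {
    mode=$1
    dir=$2
    case $mode in
        allow)     iface=domain_read_all_domains_state ;;
        dontaudit) iface=domain_dontaudit_read_all_domains_state ;;
        *) echo "mode must be allow or dontaudit" >&2; return 2 ;;
    esac
    # Reference-policy source: declare the module, import passenger_t,
    # then call the chosen interface on it.
    cat > "$dir/local_passenger.te" <<EOF
policy_module(local_passenger, 1.0)

gen_require(\`
    type passenger_t;
')

$iface(passenger_t)
EOF
}

# build_and_load DIR
#   Needs the policy development Makefile at /usr/share/selinux/devel/Makefile
#   and root privileges for semodule.
build_and_load() {
    ( cd "$1" &&
      make -f /usr/share/selinux/devel/Makefile local_passenger.pp &&
      semodule -i local_passenger.pp &&
      semodule -l | grep local_passenger )
}

# Run as root, e.g.:  sh local_passenger.sh dontaudit
if [ -n "${1:-}" ]; then
    workdir=$(mktemp -d) &&
    write_passenger_te "$1" "$workdir" &&
    build_and_load "$workdir"
fi
```

With the dontaudit variant loaded, `semodule -DB` temporarily disables all dontaudit rules so the suppressed denials show up again while debugging, and `semodule -B` restores them.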