Does anyone recognize this sort of message or have any idea what might cause it?
May 28 11:00:06 inet09 setroubleshoot: [avc.ERROR] Plugin Exception catchall #012Traceback (most recent call last):#012 File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 191, in analyze_avc#012 report = plugin.analyze(avc)#012 File "/usr/share/setroubleshoot/plugins/catchall.py", line 67, in analyze#012 summary = self.summary + " on " + avc.tpath + "."#012UnicodeDecodeError: 'utf8' codec can't decode byte 0x80 in position 1: invalid start byte
SELinux is preventing /bin/ps from search access on the directory D�. For complete SELinux messages. run sealert -l b9c81815-0139-45f7-ae92-4f77dd21a6e7
sealert -l b9c81815-0139-45f7-ae92-4f77dd21a6e7
Entity: line 70: parser error : Input is not proper UTF-8, indicate encoding !
Bytes: 0x80 0x3C 0x2F 0x74
<tpath>D�</tpath>
^
failed to connect to server: xmlParseDoc() failed
I am also seeing a lot of these sorts of messages on the same server:
May 28 10:49:26 inet09 setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/<pid>. For complete SELinux messages. run sealert -l 14393839-4be4-448f-9c29-34b7a5d53b9d
May 28 10:49:26 inet09 setroubleshoot: SELinux is preventing /bin/ps from search access on the directory 1169. For complete SELinux messages. run sealert -l b2e0a936-a6fe-4551-b463-28b587d4daed
sealert -l b2e0a936-a6fe-4551-b463-28b587d4daed
SELinux is preventing /bin/ps from search access on the directory 1169.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that ps should be allowed search access on the 1169 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ps /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
This particular server is running several Ruby-on-Rails (RoR) applications using Passenger (aka mod-rails). Passenger has a 'lot' of SELinux issues so this host is more or less a quarantine site for Rails apps. I am suspicious that Passenger is the cause because I see these reports as well:
type=AVC msg=audit(1338217386.027:1839): avc: denied { read } for pid=4612 comm="ps" name="stat" dev=proc ino=11982 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
I wonder if Passenger is tracking system processes via ps to manage its user apps.
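Added example, not part of the original post and not setroubleshoot code: a Python 3 sketch that reads AVC lines as raw bytes, so a non-UTF-8 byte in a path (like the 0x80 behind the traceback above) is escaped instead of raising, and tallies denials by source and target domain to show which confined process is walking /proc. The second sample record and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: record 1 is the AVC quoted in the post; record 2 is
# made up and carries a raw 0x80 byte in its name field.
SAMPLE = (
    b'type=AVC msg=audit(1338217386.027:1839): avc: denied { read } for pid=4612 '
    b'comm="ps" name="stat" dev=proc ino=11982 '
    b'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    b'tcontext=system_u:system_r:restorecond_t:s0 tclass=file\n'
    b'type=AVC msg=audit(1338217386.030:1840): avc: denied { search } for pid=4612 '
    b'comm="ps" name="D\x80" dev=proc ino=11990 '
    b'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    b'tcontext=system_u:system_r:initrc_t:s0 tclass=dir\n'
)

AVC_RE = re.compile(rb'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(rb'(\w+)=("[^"]*"|\S+)')

def safe_text(raw):
    """Decode bytes for display; invalid UTF-8 becomes \\xNN instead of raising."""
    return raw.decode('utf-8', errors='backslashreplace')

def parse_avc(line):
    """Return a dict for one AVC denial line (bytes), or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': safe_text(m.group('perms')).split()}
    for key, val in FIELD_RE.findall(m.group('rest')):
        rec[key.decode('ascii')] = safe_text(val.strip(b'"'))
    return rec

def summarize(data):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in data.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src = rec['scontext'].split(':')[2]   # type field of user:role:type:level
        tgt = rec['tcontext'].split(':')[2]
        for perm in rec['perms']:
            counts[(rec['comm'], src, tgt, rec['tclass'], perm)] += 1
    return counts

if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```
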