On Thu, September 13, 2012 16:06, m.roth@5-cent.us wrote:
> CentOS 6.3. *Just* updated, including most current selinux-policy and selinux-policy-targeted. I'm getting tons of these, as in it's just spitting them out when I tail -f /var/log/messages:
>
> Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory @2. For complete SELinux messages. run sealert -l d92ec78b-3897-4760-93c5-343a662fec67
> Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/<pid>. For complete SELinux messages. run sealert -l a9c9bf7d-d646-4c29-9fe6-ac61b6806f52
> Sep 13 15:20:52 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory 4417. For complete SELinux messages. run sealert -l b321ab2d-0277-45c9-bc86-545f9ff6ff91
>
> You can see how many of them there are from the timestamps.
>
> Googling, I've seen other folks complain months ago, but no answers. Anyone have a clue? (And yes, I've posted this to the selinux list, also. I'm getting deluged in the logs, and would very, very much like to solve this today.)
>
> If selinux wasn't in permissive mode, something(s) would be dead.
>
> mark
Are you running httpd with mod_rails (rails passenger) per chance?
James B. Byrne wrote:
> On Thu, September 13, 2012 16:06, m.roth@5-cent.us wrote:
>> CentOS 6.3. *Just* updated, including most current selinux-policy and selinux-policy-targeted. I'm getting tons of these, as in it's just spitting them out when I tail -f /var/log/messages:
>>
>> Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory @2. For complete SELinux messages. run sealert -l d92ec78b-3897-4760-93c5-343a662fec67
> <snip>
> Are you running httpd with mod_rails (rails passenger) per chance?
Dan Walsh asked me *exactly* the same question. Yep, they've got ruby apps. As soon as he said that, I googled, and found I needed to set two booleans, and create a policy - that's a *ton* of allows - for passenger. Installed it. It finally shut up....
Thanks!
mark, underwhelmed w/ the need for ruby....
On 09/14/2012 02:24 PM, m.roth@5-cent.us wrote:
> James B. Byrne wrote:
>> On Thu, September 13, 2012 16:06, m.roth@5-cent.us wrote:
>>> CentOS 6.3. *Just* updated, including most current selinux-policy and selinux-policy-targeted. I'm getting tons of these, as in it's just spitting them out when I tail -f /var/log/messages:
>>>
>>> Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory @2. For complete SELinux messages. run sealert -l d92ec78b-3897-4760-93c5-343a662fec67
>> <snip>
>> Are you running httpd with mod_rails (rails passenger) per chance?
>
> Dan Walsh asked me *exactly* the same question. Yep, they've got ruby apps. As soon as he said that, I googled, and found I needed to set two booleans, and create a policy - that's a *ton* of allows - for passenger. Installed it. It finally shut up....
>
> Thanks!
>
> mark, underwhelmed w/ the need for ruby....
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Only one rule required.
You can either add
domain_read_all_domains_state(httpd_t)
or
domain_dontaudit_read_all_domains_state(httpd_t)
We are putting fixes in for this in Fedora and soon into RHEL, for the upcoming openshift policy which also uses passenger.
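
Added example (not part of the thread and not any poster's code): a small summarizer that collapses a flood of setroubleshoot lines like the ones quoted above into one row per source binary, permission and object class, so per-PID targets and distinct sealert IDs stop hiding the common pattern. It assumes the message wording exactly as quoted in the thread; the names `summarize` and `report` are this example's own.

```python
import re
from collections import defaultdict

# Lines 1-3 are the ones quoted in the thread; line 4 is constructed noise.
SAMPLE = """\
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory @2. For complete SELinux messages. run sealert -l d92ec78b-3897-4760-93c5-343a662fec67
Sep 13 15:20:51 <server> setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/<pid>. For complete SELinux messages. run sealert -l a9c9bf7d-d646-4c29-9fe6-ac61b6806f52
Sep 13 15:20:52 <server> setroubleshoot: SELinux is preventing /bin/ps from search access on the directory 4417. For complete SELinux messages. run sealert -l b321ab2d-0277-45c9-bc86-545f9ff6ff91
Sep 13 15:20:53 <server> crond[1234]: (root) CMD (constructed unrelated line)
"""

# Assumption: the setroubleshoot wording is exactly as quoted in the thread.
DENIAL = re.compile(
    r"setroubleshoot: SELinux is preventing (?P<source>\S+) from "
    r"(?P<perms>.+?) access on the (?P<tclass>\S+) (?P<target>.+?)\. "
    r"For complete SELinux messages\. run sealert -l (?P<alert>[0-9a-f-]{36})"
)


def summarize(log_text):
    """Group denials by (source binary, permission, object class)."""
    groups = defaultdict(lambda: {"count": 0, "targets": set(), "alerts": set()})
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue  # not a setroubleshoot denial in the expected format
        g = groups[(m["source"], m["perms"], m["tclass"])]
        g["count"] += 1
        g["targets"].add(m["target"])   # per-PID names differ, the pattern does not
        g["alerts"].add(m["alert"])     # keep IDs so one can be fed to sealert -l
    return dict(groups)


def report(groups):
    """One row per pattern, most frequent first, with one sealert ID to inspect."""
    rows = sorted(groups.items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{g['count']:5d}  {source}  {perms}  {tclass}  "
        f"distinct_targets={len(g['targets'])}  sealert -l {sorted(g['alerts'])[0]}"
        for (source, perms, tclass), g in rows
    ]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

To run it against a live system, pass the contents of /var/log/messages to `summarize` instead of `SAMPLE`.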