Hello,
how do people cope with constant SELinux errors like this from Phusion Passenger:

36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928

It happens when Passenger v3 tries to determine memory stats with "ps". There is an Apache directive to turn it off ( http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerM... ), unfortunately it does not work in the community version of Passenger.
The cause is always ps running as passenger_t trying to read files in /proc with various types of security context.
Thank you, IgnasR
Hello IgnasR,
I think that you've posted to the wrong list. The app server support list is here:
https://groups.google.com/forum/?fromgroups#!forum/phusion-passenger
Dan Walsh is a great place to start with SELinux:
http://people.redhat.com/dwalsh/
SELinux by Example takes a great theory and hands-on approach:
http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694
All the best,
Paul
On 2013.03.27 16:59, Daniel J Walsh wrote:
domain_read_all_domains_state(passenger_t) # This is what RHEL6.4 has
Or
domain_dontaudit_read_all_domains_state(passenger_t)
Thank you very much, solved.
***
[root@c01 ps]# cat i-passenger-ps-sepolicy.te
policy_module(i-passenger-ps,1.0.0)

gen_require(`
    type passenger_t;
')

domain_read_all_domains_state(passenger_t)
***
Source: http://danwalsh.livejournal.com/51435.html
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
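
Added example, not part of the original thread: a shell/awk summary of AVC report rows in the format quoted above, useful for confirming that every denial comes from passenger_t doing read-only access before choosing between the allow and dontaudit macros. The column layout, the read-only permission set, and the function names are assumptions; the last sample row is constructed.

```shell
#!/bin/sh
# Column layout assumed from the report rows quoted in the thread:
#   N. date time comm subject syscall class perm object result event

# Count denials per "source_type target_type class perm".
summarise_avc() {
    awk '$10 == "denied" {
            split($5, s, ":"); split($9, t, ":")   # type is the 3rd context field
            n[s[3] " " t[3] " " $7 " " $8]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# Denials that are NOT read-only access to file/dir/lnk_file objects.
# Assumption: open/read/getattr/search/ioctl/lock is the read-only set.
outside_read_state() {
    summarise_avc | awk '!(($3 == "file" || $3 == "dir" || $3 == "lnk_file") &&
                           $4 ~ /^(open|read|getattr|search|ioctl|lock)$/)'
}

# Source domains seen; one value means a single-domain module is enough.
source_domains() {
    summarise_avc | cut -d" " -f1 | sort -u
}

# First three rows are from the thread; the last row (event 1930) is constructed.
sample_rows() {
    cat <<'EOF'
36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928
36889. 03/27/2013 14:20:06 ruby unconfined_u:system_r:passenger_t:s0 1 file write system_u:object_r:etc_t:s0 denied 1930
EOF
}

sample_rows | summarise_avc
echo "--- not covered by a read-only rule:"
sample_rows | outside_read_state
```

On a live host, pipe the AVC report (for example from `aureport -a`) into `summarise_avc` instead of `sample_rows`; anything printed by `outside_read_state` should be reviewed separately rather than folded into the same module.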