[CentOS] Another odd SELinux message

Mon May 28 15:13:22 UTC 2012
James B. Byrne <byrnejb at harte-lyne.ca>

Does anyone recognize this sort of message or have any idea what might
cause it?

May 28 11:00:06 inet09 setroubleshoot: [avc.ERROR] Plugin Exception
catchall #012Traceback (most recent call last):#012  File
"/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
191, in analyze_avc#012    report = plugin.analyze(avc)#012  File
"/usr/share/setroubleshoot/plugins/catchall.py", line 67, in
analyze#012    summary = self.summary + " on " + avc.tpath +
"."#012UnicodeDecodeError: 'utf8' codec can't decode byte 0x80 in
position 1: invalid start byte

SELinux is preventing /bin/ps from search access on the directory
D�. For complete SELinux messages. run sealert -l
b9c81815-0139-45f7-ae92-4f77dd21a6e7

sealert -l b9c81815-0139-45f7-ae92-4f77dd21a6e7
Entity: line 70: parser error : Input is not proper UTF-8, indicate
encoding !
Bytes: 0x80 0x3C 0x2F 0x74
          <tpath>D�</tpath>
                  ^
failed to connect to server: xmlParseDoc() failed

I am also seeing a lot of these sorts of messages on the same server:

May 28 10:49:26 inet09 setroubleshoot: SELinux is preventing /bin/ps
from getattr access on the directory /proc/<pid>. For complete SELinux
messages. run sealert -l 14393839-4be4-448f-9c29-34b7a5d53b9d
May 28 10:49:26 inet09 setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory 1169. For complete SELinux
messages. run sealert -l b2e0a936-a6fe-4551-b463-28b587d4daed

sealert -l b2e0a936-a6fe-4551-b463-28b587d4daed
SELinux is preventing /bin/ps from search access on the directory 1169.

*****  Plugin catchall (100. confidence) suggests 
***************************

If you believe that ps should be allowed search access on the 1169
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ps /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

This particular server is running several Ruby-on-Rails (RoR)
applications using Passenger (aka mod-rails).  Passenger has a 'lot'
of SELinux issues so this host is more or less a quarantine site for
Rails apps.  I am suspicious that Passenger is the cause because I see
these reports as well:

type=AVC msg=audit(1338217386.027:1839): avc:  denied  { read } for 
pid=4612 comm="ps" name="stat" dev=proc ino=11982
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:restorecond_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module
to allow this access.

I wonder if Passenger is tracking system processes via ps to manage
its user apps.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
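
Added example, not part of the original post and not setroubleshoot's own code: a Python 3 script that groups AVC denials like the ones quoted above by command, source type, target type, class and permission. It decodes auditd's hex-encoded name= values with backslashreplace, so a byte such as 0x80 is shown escaped instead of raising UnicodeDecodeError. The function names and every sample record except the first are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample records. The first is the denial quoted in the post, joined
# onto one line; the other two are made up. name=4480 is auditd's hex form for
# the bytes 'D' 0x80, which are not valid UTF-8.
CTX = "scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:"
SAMPLE = "\n".join([
    'type=AVC msg=audit(1338217386.027:1839): avc:  denied  { read } for pid=4612 '
    'comm="ps" name="stat" dev=proc ino=11982 ' + CTX + "restorecond_t:s0 tclass=file",
    'type=AVC msg=audit(1338217386.030:1840): avc:  denied  { search } for pid=4612 '
    'comm="ps" name=4480 dev=proc ino=11990 ' + CTX + "initrc_t:s0 tclass=dir",
    'type=AVC msg=audit(1338217386.031:1841): avc:  denied  { getattr search } for '
    'pid=4612 comm="ps" name="1169" dev=proc ino=11991 ' + CTX + "initrc_t:s0 tclass=dir",
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def safe_name(raw):
    """Return a printable form of an audit name= value (quoted or hex-encoded)."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        data = bytes.fromhex(raw)       # auditd hex-encodes untrusted strings
    except ValueError:
        return raw                      # unquoted but not hex, e.g. (null)
    return data.decode("utf-8", errors="backslashreplace")

def setype(context):
    """Extract the type field from a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None                     # not an AVC denial record
    f = dict(FIELD_RE.findall(m.group(2)))
    return {"perms": tuple(m.group(1).split()), "comm": f.get("comm", "").strip('"'),
            "name": safe_name(f.get("name", "")), "tclass": f.get("tclass", ""),
            "source": setype(f.get("scontext", "")), "target": setype(f.get("tcontext", ""))}

def summarize(text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["comm"], rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```
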