On 2013.03.27 16:59, Daniel J Walsh wrote:
> On 03/27/2013 10:01 AM, Paul Norton wrote:
>> On 27 March 2013 13:09, ignasr at vault13.lt <ignasr at vault13.lt> wrote:
>>
>>> Hello,
>>>
>>> how do people cope with constant SELinux errors like this from Fusion
>>> Passenger:
>>>
>>> 36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
>>> 36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
>>> 36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928
>>>
>>> It happens when Passenger v3 tries to determine memory stats with "ps".
>>> There is an Apache directive to turn it off
>>> (http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMemoryLimit),
>>> unfortunately it does not work in community version of Passenger.
>>>
>>> The cause is always ps running as passenger_t trying to read files in
>>> /proc with various types of security context.
>>>
>>> Thank you, IgnasR
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>
>> Hello IgnasR
>> I think that you've posted to the wrong list. The app server support list
>> is here https://groups.google.com/forum/?fromgroups#!forum/phusion-passenger
>> Dan Walsh is a great place to start with SELinux
>> http://people.redhat.com/dwalsh/
>> SELinux by Example takes a great theory and hands-on approach
>> http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694
>>
>> All the best
>> Paul
>
> domain_read_all_domains_state(passenger_t) # This is what RHEL6.4 has
>
> Or
>
> domain_dontaudit_read_all_domains_state(passenger_t)

Thank you very much, solved.
***
[root at c01 ps]# cat i-passenger-ps-sepolicy.te
policy_module(i-passenger-ps,1.0.0)

gen_require(`
    type passenger_t;
')

domain_read_all_domains_state(passenger_t)
***
Source: http://danwalsh.livejournal.com/51435.html