[CentOS] silencing Passenger "ps" SELinux errors

Thu Mar 28 08:12:45 UTC 2013
ignasr at vault13.lt <ignasr at vault13.lt>

On 2013.03.27 16:59, Daniel J Walsh wrote:
> On 03/27/2013 10:01 AM, Paul Norton wrote:
>> On 27 March 2013 13:09, ignasr at vault13.lt <ignasr at vault13.lt> wrote:
>
>>> Hello,
>>>
>>> how do people cope with constant SELinux errors like this from Fusion
>>> Passenger:
>>>
>>> 36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
>>> 36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
>>> 36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928
>>>
>>> It happens when Passenger v3 tries to determine memory stats with "ps".
>>> There is an Apache directive to turn it off (
>>> http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMemoryLimit
>>> ), unfortunately it does not work in the community version of Passenger.
>>>
>>> The cause is always ps running as passenger_t trying to read files in
>>> /proc with various types of security context.
>>>
>>> Thank you, IgnasR
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>
>> Hello IgnasR, I think that you've posted to the wrong list. The app server
>> support list is here:
>> https://groups.google.com/forum/?fromgroups#!forum/phusion-passenger
>> Dan Walsh is a great place to start with SELinux:
>> http://people.redhat.com/dwalsh/
>> SELinux by Example takes a great theory and hands-on approach:
>> http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694
>
>> All the best, Paul
>
> domain_read_all_domains_state(passenger_t)  # This is what RHEL6.4 has
>
> Or
>
> domain_dontaudit_read_all_domains_state(passenger_t)

Thank you very much, solved.

***
[root at c01 ps]# cat i-passenger-ps-sepolicy.te

policy_module(i-passenger-ps,1.0.0)
gen_require(`
         type passenger_t;
')
domain_read_all_domains_state(passenger_t)
***

Source: http://danwalsh.livejournal.com/51435.html
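As an added example, not part of this thread and not code from the Passenger or SELinux projects: a small Python triage script for the denial lines quoted above. It parses lines in the layout the post shows (sequence number, date, time, command, source context, count, class, permission, target context, "denied", id; that field order is inferred from the three quoted lines), summarises them by source type, class, permission and target type, checks that every denial is passenger_t doing read-only access (open/getattr/search and similar) on file or dir objects, and only then renders a .te module of the same shape as the one above, using either domain_read_all_domains_state (allow) or domain_dontaudit_read_all_domains_state (silence). The sample input is constructed from the quoted lines; the interface names and the module layout come from the thread.

```python
import re
from collections import Counter

# Constructed sample: the three denials quoted in the thread, one per line.
SAMPLE_DENIALS = """\
36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928
"""

# Field order assumed from the quoted lines:
#   seq. date time comm scontext count tclass perm tcontext "denied" id
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<comm>\S+)\s+"
    r"(?P<scontext>\S+)\s+(?P<count>\d+)\s+(?P<tclass>\S+)\s+(?P<perm>\S+)\s+"
    r"(?P<tcontext>\S+)\s+denied\s+(?P<id>\d+)\s*$"
)

# Permissions that only read another process's state; anything else
# (write, create, unlink, ...) is not what the thread's fix is meant to cover.
READ_ONLY_PERMS = {
    "file": {"open", "read", "getattr"},
    "dir": {"open", "read", "getattr", "search"},
    "lnk_file": {"read", "getattr"},
}


def context_type(ctx):
    # user:role:type[:range] -> type
    return ctx.split(":")[2]


def parse_denials(text):
    """Parse denial lines into dicts; raise on a line that does not match the layout."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised denial line: %r" % line)
        d = m.groupdict()
        out.append({
            "comm": d["comm"],
            "source": context_type(d["scontext"]),
            "target": context_type(d["tcontext"]),
            "tclass": d["tclass"],
            "perm": d["perm"],
            "count": int(d["count"]),
        })
    return out


def summarize(denials):
    """Total the repeat counts per (source type, class, permission, target type)."""
    c = Counter()
    for d in denials:
        c[(d["source"], d["tclass"], d["perm"], d["target"])] += d["count"]
    return c


def is_process_state_read(denials, source="passenger_t"):
    """True only if every denial is `source` doing read-only access on file/dir
    objects. The lines carry no path, so whether the target really is another
    domain's /proc entry still has to be confirmed by hand (the thread did)."""
    if not denials:
        return False
    for d in denials:
        if d["source"] != source:
            return False
        if d["perm"] not in READ_ONLY_PERMS.get(d["tclass"], set()):
            return False
    return True


def render_module(name, source, silence_only=False, version="1.0.0"):
    """Render a .te module like the one in the thread; dontaudit silences, allow permits."""
    iface = ("domain_dontaudit_read_all_domains_state" if silence_only
             else "domain_read_all_domains_state")
    return (
        "policy_module(%s,%s)\n" % (name, version)
        + "gen_require(`\n"
        + "\ttype %s;\n" % source
        + "')\n"
        + "%s(%s)\n" % (iface, source)
    )


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_DENIALS)
    for key, n in sorted(summarize(denials).items()):
        print("%-12s %-5s %-8s -> %-10s x%d" % (key[0], key[1], key[2], key[3], n))
    if is_process_state_read(denials):
        print(render_module("i-passenger-ps", "passenger_t"))
    else:
        print("denials include non-read access; do not use the blanket interface")
```

Run it as a script to see the per-type summary and the generated module; the guard against non-read permissions is the point, since a write or create denial from passenger_t would be a different problem and should not be waved through with the same interface.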
