[CentOS] silencing Passenger "ps" SELinux errors

Wed Mar 27 14:59:22 UTC 2013
Daniel J Walsh <dwalsh at redhat.com>

On 03/27/2013 10:01 AM, Paul Norton wrote:
> On 27 March 2013 13:09, ignasr at vault13.lt <ignasr at vault13.lt> wrote:
> 
>> Hello,
>> 
>> how do people cope with constant SELinux errors like this from Phusion
>> Passenger:
>> 
>> 36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
>> 36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
>> 36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928
>> 
>> It happens when Passenger v3 tries to determine memory stats with "ps".
>> There is an Apache directive to turn it off
>> (http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMemoryLimit),
>> unfortunately it does not work in the community version of Passenger.
>> 
>> The cause is always ps running as passenger_t trying to read files in 
>> /proc with various types of security context.
>> 
>> Thank you, IgnasR
>> 
> 
> Hello IgnasR,
> I think that you've posted to the wrong list. The app server support list
> is here:
> https://groups.google.com/forum/?fromgroups#!forum/phusion-passenger
> Dan Walsh is a great place to start with SELinux:
> http://people.redhat.com/dwalsh/
> SELinux by Example takes a great theory and hands-on approach:
> http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694
>
> All the best
> Paul
> 
domain_read_all_domains_state(passenger_t)  # This is what RHEL6.4 has

Or

domain_dontaudit_read_all_domains_state(passenger_t)
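
A way to check, before applying either interface from the reply above, that the logged denials really are all `ps` in `passenger_t` reading other processes' `/proc` entries. This is an added example, not part of the original thread or of any shipped policy. The field order is inferred from the three rows quoted in the post; the read-style permission set and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# The three denials quoted in the post (aureport-style AVC rows).
SAMPLE = """\
36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928
"""
# Field order assumed from those rows:
# n. date time comm subject syscall class perm object result event
ROW = re.compile(
    r"^\d+\.\s+\S+\s+\S+\s+(?P<comm>\S+)\s+(?P<subj>\S+)\s+\S+\s+(?P<tclass>\S+)"
    r"\s+(?P<perm>\S+)\s+(?P<obj>\S+)\s+(?P<result>\S+)\s+(?P<event>\d+)$")
# Assumption: read-style permissions on /proc/<pid> entries.
READ_PERMS = {"getattr", "search", "open", "read", "ioctl", "lock"}
PROC_CLASSES = {"dir", "file", "lnk_file"}


def parse(text):
    """Yield one dict per AVC row; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and min(m["subj"].count(":"), m["obj"].count(":")) >= 2:
            d = m.groupdict()
            d["stype"] = d["subj"].split(":")[2]
            d["trole"], d["ttype"] = d["obj"].split(":")[1:3]
            yield d


def is_proc_state_read(d, source_type="passenger_t"):
    # /proc/<pid> entries carry the owning process's context, so the target
    # role is a process role such as system_r rather than object_r.
    return (d["result"] == "denied" and d["stype"] == source_type
            and d["tclass"] in PROC_CLASSES and d["perm"] in READ_PERMS
            and d["trole"] != "object_r")


def summarize(text):
    """Return ({target_type: ['class:perm', ...]}, [event ids that do not fit])."""
    covered, other = defaultdict(set), []
    for d in parse(text):
        if is_proc_state_read(d):
            covered[d["ttype"]].add(d["tclass"] + ":" + d["perm"])
        else:
            other.append(d["event"])
    return {t: sorted(p) for t, p in covered.items()}, other
```

Event ids returned in the second list fall outside that pattern and are worth reviewing individually rather than silencing along with the rest.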