[CentOS] selinux question

Tue Aug 21 19:35:23 UTC 2018
Daniel Walsh <dwalsh at redhat.com>

On 08/21/2018 12:27 PM, Nataraj wrote:
> I have a web application which uses sudo to invoke python scripts as the
> user under which the application runs (NO root access).  Is there any
> reason why sudo would would require sys_ptrace access for this?  I only
> get this violation intermittenly, and not with every call to sudo.
> Here's the violation:
Most likely you can just dontaudit this access.  sys_ptrace is often 
caused by processes trying to read content in /proc.
> Summary:
>
> SELinux is preventing sudo (httpd_t) "sys_ptrace" to <Unknown> (httpd_t).
>
> Detailed Description:
>
> SELinux denied access requested by sudo. It is not expected that this access is
> required by sudo and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:httpd_t
> Target Context                system_u:system_r:httpd_t
> Target Objects                None [ capability ]
> Source                        sudo
> Source Path                   /usr/bin/sudo
> Port                          <Unknown>
> Host                          myhost.mydomain.com
> Source RPM Packages           sudo-1.7.2p1-29.el5_10
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-351.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     myhost.mydomain.com
> Platform                      Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP Fri Feb
>                                24 22:06:09 UTC 2017 i686 i686
> Alert Count                   359
> First Seen                    Tue Oct  8 09:24:50 2013
> Last Seen                     Tue Aug 21 10:26:26 2018
> Local ID                      717eb9a4-cc7f-4ed1-b638-5db1a841abe4
> Line Numbers
>
> Raw Audit Messages
>
> host=myhost.mydomain.com type=AVC msg=audit(1534872386.726:9642): avc:  denied  { sys_ptrace } for  pid=8458 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
>
> host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642): arch=40000003 syscall=3 success=yes exit=166 a0=1a a1=b7ff4000 a2=400 a3=89cabf0 items=0 ppid=8979 pid=8458 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null)
>
>
> Thank You,
>
> Nataraj
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos