From: byrnejb@harte-lyne.ca (James B. Byrne)
Date: Tue, 3 Jul 2012 11:54:03 -0400
Subject: [refpolicy] CentOS-6.2 /bin/ps selinux avc
Message-ID: <324b2c95809ab9989dfc232b1a208473.squirrel@webmail.harte-lyne.ca>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

OS = CentOS-6.2 (RHEL6)

I have just noticed a large number of similar selinux entries in the
syslog on one of our hosts:

Jul 3 11:30:05 inet09 setroubleshoot: SELinux is preventing /bin/ps from search access on the directory 1180. For complete SELinux messages. run sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f

# sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
SELinux is preventing /bin/ps from search access on the directory 1180.

*****  Plugin catchall (100. confidence) suggests  *******************

If you believe that ps should be allowed search access on the 1180 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ps /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

# ls -Zd /proc/1180
dr-xr-xr-x. root root system_u:system_r:restorecond_t:s0 /proc/1180

# grep ps /var/log/audit/audit.log | audit2allow

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t chkpwd_t:dir getattr;
allow httpd_sys_script_t fsadm_t:dir { getattr search };
allow httpd_sys_script_t fsadm_t:file { read open };
allow httpd_sys_script_t ifconfig_t:dir { getattr search };
allow httpd_sys_script_t ifconfig_t:file { read open };
allow httpd_sys_script_t logrotate_t:dir { getattr search };
allow httpd_sys_script_t logrotate_t:file { read open };
allow httpd_sys_script_t logwatch_mail_t:dir { getattr search };
allow httpd_sys_script_t logwatch_mail_t:file { read open };
allow httpd_sys_script_t logwatch_t:dir { getattr search };
allow httpd_sys_script_t logwatch_t:file { read open };
allow httpd_sys_script_t postfix_local_t:dir { getattr search };
allow httpd_sys_script_t postfix_local_t:file { read open };
allow httpd_sys_script_t postfix_postdrop_t:dir { getattr search };
allow httpd_sys_script_t postfix_postdrop_t:file { read open };
allow httpd_sys_script_t postfix_smtpd_t:dir { getattr search };
allow httpd_sys_script_t postfix_smtpd_t:file { read open };
allow httpd_sys_script_t restorecond_t:dir { getattr search };
allow httpd_sys_script_t restorecond_t:file { read open };
allow httpd_sys_script_t rpm_script_t:dir { getattr search };
allow httpd_sys_script_t rpm_script_t:file { read open };
allow httpd_sys_script_t rpm_t:dir { getattr search };
allow httpd_sys_script_t rpm_t:file { read open };
allow httpd_sys_script_t system_cronjob_t:dir { getattr search };
allow httpd_sys_script_t system_cronjob_t:file { read open };
allow httpd_sys_script_t system_mail_t:dir { getattr search };
allow httpd_sys_script_t system_mail_t:file { read open };
allow httpd_sys_script_t unconfined_mount_t:dir { getattr search };
allow httpd_sys_script_t unconfined_mount_t:file { read open };
allow httpd_sys_script_t unconfined_sendmail_t:dir { getattr search };
allow httpd_sys_script_t unconfined_sendmail_t:file { read open };

This happens to be the one host that we have SELinux set to permissive,
due to the presence of the Passenger Apache module. We also use the
Webmin web based system administration tool on that system.

I would appreciate any insights as to what these messages mean; what is
causing them; and whether producing a local policy as suggested is
recommended. It seems to me that building a custom policy for an
ephemeral /proc directory is a waste of time but I have been wrong
before.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
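As an added example, not part of the post above and not code from refpolicy, setroubleshoot or audit2allow: the `grep ps /var/log/audit/audit.log | audit2allow` step in the post folds every AVC record mentioning "ps" into one rule per (source type, target type, class). The small POSIX shell function below does the same aggregation on a few constructed audit.log lines, so the output can be checked by eye against the page's audit2allow listing. It makes visible the point the listing's `#============= httpd_sys_script_t` header already shows: the denials are attributed to the source domain of the process running ps (a CGI/script domain), not to a "ps domain", so a local module built from them would widen that script domain's view of other domains' /proc entries. The function name `summarize_avc`, the variable `SAMPLE_AUDIT_LOG`, and the pids, inodes and timestamps in the sample are made up for the example; the record layout assumed is the RHEL 6 auditd AVC format. Permissions are printed sorted alphabetically, which differs from audit2allow's own ordering.

```shell
#!/bin/sh
# Added example (not from the original post). Aggregates AVC denial
# records into audit2allow-style "allow" rules.
# Assumed record layout (RHEL 6 / CentOS 6 auditd):
#   type=AVC msg=audit(...): avc:  denied  { perms } for  pid=... comm="..."
#   ... scontext=user:role:type:level tcontext=user:role:type:level tclass=class

# Constructed sample of /var/log/audit/audit.log lines (pids, inodes and
# timestamps are invented). The comm="httpd" record and the SYSCALL
# record are included to show that they are filtered out.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1341329405.101:4567): avc:  denied  { search } for  pid=1234 comm="ps" name="1180" dev=proc ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir
type=SYSCALL msg=audit(1341329405.101:4567): arch=c000003e syscall=4 success=no exit=-13 comm="ps" exe="/bin/ps" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1341329405.102:4568): avc:  denied  { getattr } for  pid=1234 comm="ps" path="/proc/1180" dev=proc ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir
type=AVC msg=audit(1341329405.103:4569): avc:  denied  { read } for  pid=1234 comm="ps" name="stat" dev=proc ino=12346 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1341329405.103:4569): avc:  denied  { open } for  pid=1234 comm="ps" path="/proc/1180/stat" dev=proc ino=12346 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1341329406.200:4570): avc:  denied  { getattr } for  pid=1234 comm="ps" path="/proc/1199" dev=proc ino=12400 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=dir
type=AVC msg=audit(1341329407.300:4571): avc:  denied  { write } for  pid=2000 comm="httpd" name="index.html" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# summarize_avc [COMM]
# Reads audit records on stdin, keeps "avc: denied" records whose comm=
# equals COMM (default "ps"), and prints one rule per
# (source type, target type, object class) holding the union of the
# denied permissions, sorted, in audit2allow's syntax.
summarize_avc() {
    _avc_comm="${1:-ps}"
    awk -v want="$_avc_comm" '
        /^type=AVC / && / denied / {
            if (!match($0, /comm="[^"]*"/)) next
            comm = substr($0, RSTART + 6, RLENGTH - 7)   # strip comm=" and "
            if (comm != want) next
            if (!match($0, /scontext=[^ ]*/)) next
            split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")   # s[3] = source type
            if (!match($0, /tcontext=[^ ]*/)) next
            split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")   # t[3] = target type
            if (!match($0, /tclass=[^ ]*/)) next
            cls = substr($0, RSTART + 7, RLENGTH - 7)
            if (!match($0, /[{][^}]*[}]/)) next
            n = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
            # one line per denied permission; sort -u merges repeats
            for (i = 1; i <= n; i++) print s[3], t[3], cls, p[i]
        }' |
    LC_ALL=C sort -u |
    awk '
        { key = $1 " " $2 ":" $3
          if (key != prev) { flush(); prev = key; perms = $4 }
          else perms = perms " " $4 }
        END { flush() }
        function flush() {
            if (prev == "") return
            # audit2allow style: braces only around a multi-permission set
            if (index(perms, " ")) print "allow " prev " { " perms " };"
            else                   print "allow " prev " " perms ";"
        }'
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_avc ps
```

Against a real log, `summarize_avc ps < /var/log/audit/audit.log` lists the (source domain, target domain) pairs a `grep ps | audit2allow -M mypol` module would grant; comparing that list with what the web application legitimately needs is the check to do before `semodule -i`.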