From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 03 Jul 2012 19:06:26 +0200
Subject: [refpolicy] CentOS-6.2 /bin/ps selinux avc
In-Reply-To: <1341335127.27158.16.camel@x220.mydomain.internal>
References: <324b2c95809ab9989dfc232b1a208473.squirrel@webmail.harte-lyne.ca>
 <1341335127.27158.16.camel@x220.mydomain.internal>
Message-ID: <1341335186.27158.17.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2012-07-03 at 19:05 +0200, Dominick Grift wrote:
> On Tue, 2012-07-03 at 11:54 -0400, James B. Byrne wrote:
> > OS = CentOS-6.2 (RHEL6)
> >
> > I have just noticed a large number of similar selinux entries in the
> > syslog on one of our hosts:
> >
> > Jul 3 11:30:05 inet09 setroubleshoot: SELinux is preventing /bin/ps
> > from search access on the directory 1180. For complete SELinux
> > messages. run sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
> >
> > # sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
> > SELinux is preventing /bin/ps from search access on the directory 1180.
> >
> > ***** Plugin catchall (100. confidence) suggests *******************
> >
> > If you believe that ps should be allowed search access on the 1180
> > directory by default. Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do allow this access for now by executing:
> > # grep ps /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> >
> > # ls -Zd /proc/1180
> > dr-xr-xr-x. root root system_u:system_r:restorecond_t:s0 /proc/1180
> >
> > # grep ps /var/log/audit/audit.log | audit2allow
> >
> >
> > #============= httpd_sys_script_t ==============
> > allow httpd_sys_script_t chkpwd_t:dir getattr;
> > allow httpd_sys_script_t fsadm_t:dir { getattr search };
> > allow httpd_sys_script_t fsadm_t:file { read open };
> > allow httpd_sys_script_t ifconfig_t:dir { getattr search };
> > allow httpd_sys_script_t ifconfig_t:file { read open };
> > allow httpd_sys_script_t logrotate_t:dir { getattr search };
> > allow httpd_sys_script_t logrotate_t:file { read open };
> > allow httpd_sys_script_t logwatch_mail_t:dir { getattr search };
> > allow httpd_sys_script_t logwatch_mail_t:file { read open };
> > allow httpd_sys_script_t logwatch_t:dir { getattr search };
> > allow httpd_sys_script_t logwatch_t:file { read open };
> > allow httpd_sys_script_t postfix_local_t:dir { getattr search };
> > allow httpd_sys_script_t postfix_local_t:file { read open };
> > allow httpd_sys_script_t postfix_postdrop_t:dir { getattr search };
> > allow httpd_sys_script_t postfix_postdrop_t:file { read open };
> > allow httpd_sys_script_t postfix_smtpd_t:dir { getattr search };
> > allow httpd_sys_script_t postfix_smtpd_t:file { read open };
> > allow httpd_sys_script_t restorecond_t:dir { getattr search };
> > allow httpd_sys_script_t restorecond_t:file { read open };
> > allow httpd_sys_script_t rpm_script_t:dir { getattr search };
> > allow httpd_sys_script_t rpm_script_t:file { read open };
> > allow httpd_sys_script_t rpm_t:dir { getattr search };
> > allow httpd_sys_script_t rpm_t:file { read open };
> > allow httpd_sys_script_t system_cronjob_t:dir { getattr search };
> > allow httpd_sys_script_t system_cronjob_t:file { read open };
> > allow httpd_sys_script_t system_mail_t:dir { getattr search };
> > allow httpd_sys_script_t system_mail_t:file { read open };
> > allow httpd_sys_script_t unconfined_mount_t:dir { getattr search };
> > allow httpd_sys_script_t unconfined_mount_t:file { read open };
> > allow httpd_sys_script_t unconfined_sendmail_t:dir { getattr search };
> > allow httpd_sys_script_t unconfined_sendmail_t:file { read open };
> >
> >
> > This happens to be the one host that we have SELinux set to
> > permissive, due to the presence of the Passenger Apache module. We
> > also use the Webmin web based system administration tool on that
> > system.
> >
> > I would appreciate any insights as to what these messages mean; what
> > is causing them; and whether producing a local policy as suggested is
> > recommended. It seems to me that building a custom policy for an
> > ephemeral /proc directory is a waste of time but I have been wrong
> > before.
>
> Your cgi webapp runs ps, this causes ps to attempt to create state files

read I mean.

> in /proc and selinux is blocking this because generic webapps do not
> need this access.
>
> You can allow your generic webapps domain to read all state files: ( not
> recommended as it will affect all apps running in the generic webapp
> domain )
>
> mkdir ~/myapache; cd ~/myapache
> echo "policy_module(myapache, 1.0.0)
> optional_policy(\`
> 	gen_require(\`
> 		type httpd_sys_script_t;
> 	')
> 	domain_read_all_domains_state(httpd_sys_script_t)
> ')" > myapache.te
> make -f /usr/share/selinux/devel/Makefile myapache.pp
> sudo semodule -i myapache.pp
>
> Alternatively you can create a tailored webapp domain for this
> particular script ( recommended )
>
> mkdir ~/mywebapp; cd ~/mywebapp
> echo "policy_module(mywebapp, 1.0.0)
> optional_policy(\`
> 	apache_content_template(mywebapp)
> 	domain_read_all_domains_state(httpd_mywebapp_script_t)
> ')" > mywebapp.te
> echo "/var/www/cgi-bin/mywebapp.pl -- gen_context(system_u:object_r:httpd_mywebapp_script_exec_t,s0)" > mywebapp.fc
> make -f /usr/share/selinux/devel/Makefile mywebapp.pp
> sudo semodule -i mywebapp.pp
> restorecon -v /var/www/cgi-bin/mywebapp.pl
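The triage behind Dominick's answer, as an added example that is not part of the thread or of refpolicy: the raw AVC records that audit2allow turned into the long per-type rule list all have the same shape (a `dev=proc` target labelled with another process's domain type, needing only `search`/`getattr` on the directory or `read`/`open` on the file), which is exactly what the single `domain_read_all_domains_state()` interface grants. The script below parses such records, merges them the way audit2allow does, checks that every denial is one of those process-state reads, and drafts the `.te`/`.fc` pair for the tailored `httpd_mywebapp_script_t` domain. The audit records are constructed to match the output James posted; the function names are mine. Building with the devel Makefile and loading with `semodule -i` still happen on the host.

```python
"""Triage ps/proc AVC denials from a CGI domain and draft a tailored
apache_content_template() module.  Example code, not from the thread."""
import re
from collections import defaultdict

# "avc:  denied  { perm ... } for  key=value ..." as the RHEL6 kernel writes it.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that domain_read_all_domains_state() grants on every domain's
# /proc/<pid> entries; anything outside this set is not a plain state read.
STATE_READ = {'dir': {'search', 'getattr'}, 'file': {'read', 'open', 'getattr'}}


def parse_avc(line):
    """Return one denial as a dict, or None for non-AVC records (SYSCALL, CWD, ...)."""
    m = AVC_RE.match(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'comm': f.get('comm'),
        'dev': f.get('dev'),
        'stype': f['scontext'].split(':')[2],   # user:role:TYPE:level
        'ttype': f['tcontext'].split(':')[2],
        'tclass': f['tclass'],
    }


def summarize(lines):
    """Merge denials into (source type, target type, class) -> permissions,
    which is the grouping audit2allow prints one allow rule per entry for."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(rules)


def is_state_read(d):
    """True when the denial is a read of some process's /proc/<pid> entry:
    the target lives on proc, is labelled with that process's domain type,
    and only the permissions in STATE_READ were asked for."""
    return d['dev'] == 'proc' and d['perms'] <= STATE_READ.get(d['tclass'], set())


def only_state_reads(lines):
    """The check before choosing an interface over audit2allow's rule list:
    is every denial in this batch a process-state read?"""
    denials = [d for d in map(parse_avc, lines) if d]
    return bool(denials) and all(is_state_read(d) for d in denials)


def tailored_module(name, script_path):
    """Draft the .te/.fc pair for a per-script domain built with
    apache_content_template(); the script then runs as httpd_<name>_script_t
    instead of the shared httpd_sys_script_t."""
    fc_path = script_path.replace('.', r'\.')   # .fc paths are regexes
    te = (
        f"policy_module({name}, 1.0.0)\n\n"
        "optional_policy(`\n"
        f"\tapache_content_template({name})\n"
        f"\tdomain_read_all_domains_state(httpd_{name}_script_t)\n"
        "')\n"
    )
    fc = (f"{fc_path}\t--\t"
          f"gen_context(system_u:object_r:httpd_{name}_script_exec_t,s0)\n")
    return te, fc


# Constructed audit.log excerpt: ps run from a CGI script on a permissive host.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1341329405.551:1021): avc:  denied  { search } for  pid=1190 comm="ps" name="1180" dev=proc ino=8402 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir
type=AVC msg=audit(1341329405.551:1022): avc:  denied  { getattr } for  pid=1190 comm="ps" path="/proc/1180" dev=proc ino=8402 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir
type=AVC msg=audit(1341329405.552:1023): avc:  denied  { read } for  pid=1190 comm="ps" name="stat" dev=proc ino=8410 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1341329405.552:1024): avc:  denied  { open } for  pid=1190 comm="ps" name="stat" dev=proc ino=8410 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1341329405.553:1025): avc:  denied  { search } for  pid=1190 comm="ps" name="1204" dev=proc ino=8520 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=dir
type=SYSCALL msg=audit(1341329405.553:1025): arch=c000003e syscall=2 success=yes exit=3
"""


def draft(lines, name, script_path):
    """Summarize the denials and, if they are all state reads, return the module draft."""
    summary = summarize(lines)
    ok = only_state_reads(lines)
    te, fc = tailored_module(name, script_path) if ok else (None, None)
    return {'rules': summary, 'state_reads_only': ok, 'te': te, 'fc': fc}


if __name__ == '__main__':
    result = draft(SAMPLE_AUDIT.splitlines(), 'mywebapp', '/var/www/cgi-bin/mywebapp.pl')
    for (src, tgt, cls), perms in sorted(result['rules'].items()):
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    print("all process-state reads:", result['state_reads_only'])
    if result['state_reads_only']:
        print(result['te'], result['fc'], sep='\n')
```

Two things worth keeping in mind when running this against a real `audit.log`: the host in the thread is permissive, so setroubleshoot's "SELinux is preventing" wording is misleading there, the `ps` calls succeed and the records are only audited; and if `only_state_reads()` comes back False, the extra denials are something other than `ps` reading `/proc`, and the interface above will not cover them, so look at those records before loading anything.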