From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 03 Jul 2012 19:55:24 +0200
Subject: [refpolicy] CentOS-6.2 /bin/ps selinux avc
In-Reply-To: <1341335186.27158.17.camel@x220.mydomain.internal>
References: <324b2c95809ab9989dfc232b1a208473.squirrel@webmail.harte-lyne.ca>
	<1341335127.27158.16.camel@x220.mydomain.internal>
	<1341335186.27158.17.camel@x220.mydomain.internal>
Message-ID: <1341338124.27158.25.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2012-07-03 at 19:06 +0200, Dominick Grift wrote:
> On Tue, 2012-07-03 at 19:05 +0200, Dominick Grift wrote:
> > On Tue, 2012-07-03 at 11:54 -0400, James B. Byrne wrote:
> > > OS = CentOS-6.2 (RHEL6)
> > >
> > > I have just noticed a large number of similar selinux entries in the
> > > syslog on one of our hosts:
> > >
> > > Jul 3 11:30:05 inet09 setroubleshoot: SELinux is preventing /bin/ps
> > > from search access on the directory 1180. For complete SELinux
> > > messages. run sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
> > >
> > > # sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
> > > SELinux is preventing /bin/ps from search access on the directory 1180.
> > >
> > > ***** Plugin catchall (100. confidence) suggests *******************
> > >
> > > If you believe that ps should be allowed search access on the 1180
> > > directory by default. Then you should report this as a bug.
> > > You can generate a local policy module to allow this access.
> > > Do allow this access for now by executing:
> > > # grep ps /var/log/audit/audit.log | audit2allow -M mypol
> > > # semodule -i mypol.pp
> > >
> > >
> > > # ls -Zd /proc/1180
> > > dr-xr-xr-x. root root system_u:system_r:restorecond_t:s0 /proc/1180
> > >
> > > # grep ps /var/log/audit/audit.log | audit2allow
> > >
> > >
> > > #============= httpd_sys_script_t ==============
> > > allow httpd_sys_script_t chkpwd_t:dir getattr;
> > > allow httpd_sys_script_t fsadm_t:dir { getattr search };
> > > allow httpd_sys_script_t fsadm_t:file { read open };
> > > allow httpd_sys_script_t ifconfig_t:dir { getattr search };
> > > allow httpd_sys_script_t ifconfig_t:file { read open };
> > > allow httpd_sys_script_t logrotate_t:dir { getattr search };
> > > allow httpd_sys_script_t logrotate_t:file { read open };
> > > allow httpd_sys_script_t logwatch_mail_t:dir { getattr search };
> > > allow httpd_sys_script_t logwatch_mail_t:file { read open };
> > > allow httpd_sys_script_t logwatch_t:dir { getattr search };
> > > allow httpd_sys_script_t logwatch_t:file { read open };
> > > allow httpd_sys_script_t postfix_local_t:dir { getattr search };
> > > allow httpd_sys_script_t postfix_local_t:file { read open };
> > > allow httpd_sys_script_t postfix_postdrop_t:dir { getattr search };
> > > allow httpd_sys_script_t postfix_postdrop_t:file { read open };
> > > allow httpd_sys_script_t postfix_smtpd_t:dir { getattr search };
> > > allow httpd_sys_script_t postfix_smtpd_t:file { read open };
> > > allow httpd_sys_script_t restorecond_t:dir { getattr search };
> > > allow httpd_sys_script_t restorecond_t:file { read open };
> > > allow httpd_sys_script_t rpm_script_t:dir { getattr search };
> > > allow httpd_sys_script_t rpm_script_t:file { read open };
> > > allow httpd_sys_script_t rpm_t:dir { getattr search };
> > > allow httpd_sys_script_t rpm_t:file { read open };
> > > allow httpd_sys_script_t system_cronjob_t:dir { getattr search };
> > > allow httpd_sys_script_t system_cronjob_t:file { read open };
> > > allow httpd_sys_script_t system_mail_t:dir { getattr search };
> > > allow httpd_sys_script_t system_mail_t:file { read open };
> > > allow httpd_sys_script_t unconfined_mount_t:dir { getattr search };
> > > allow httpd_sys_script_t unconfined_mount_t:file { read open };
> > > allow httpd_sys_script_t unconfined_sendmail_t:dir { getattr search };
> > > allow httpd_sys_script_t unconfined_sendmail_t:file { read open };
> > >
> > >
> > > This happens to be the one host that we have SELinux set to
> > > permissive, due to the presence of the Passenger Apache module. We
> > > also use the Webmin web based system administration tool on that
> > > system.
> > >
> > > I would appreciate any insights as to what these messages mean; what
> > > is causing them; and whether producing a local policy as suggested is
> > > recommended. It seems to me that building a custom policy for an
> > > ephemeral /proc directory is a waste of time but I have been wrong
> > > before.
> > >
> > Your cgi webapp runs ps; this causes ps to attempt to create state files
> read i mean.
> > in /proc and selinux is blocking this because generic webapps do not
> > need this access.
> >
> > You can allow your generic webapps domain to read all state files: ( not
> > recommended as it will affect all apps running in the generic webapp
> > domain )
> >
> > mkdir ~/myapache; cd ~/myapache; echo "policy_module(myapache, 1.0.0)
> > optional_policy(\` gen_require(\` type httpd_sys_script_t; ')
> > domain_read_all_domains_state(httpd_sys_script_t)')" > myapache.te; make
> > -f /usr/share/selinux/devel/Makefile myapache.pp; sudo semodule -i
> > myapache.pp
> >
> > Alternatively you can create a tailored webapp domain for this
> > particular script ( recommended )
> >
> > mkdir ~/mywebapp; cd ~/mywebapp; echo "policy_module(mywebapp, 1.0.0)
> > optional_policy(\` apache_content_template(mywebapp)
> > domain_read_all_domains_state(httpd_mywebapp_script_t)')" > mywebapp.te;
> > echo "/var/www/cgi-bin/mywebapp.pl --
> > gen_context(system_u:object_r:httpd_mywebapp_script_exec_t,s0)" >
> > mywebapp.fc; make -f /usr/share/selinux/devel/Makefile mywebapp.pp; sudo
> > semodule -i mywebapp.pp; restorecon -v /var/www/cgi-bin/mywebapp.pl
> >
> >
> >
> >

By the way this most likely doesn't belong on this mailing list as I doubt reference policy even supports this passenger stuff. Best bet is to just file a report at bugzilla.redhat.com
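The two modules sketched in the reply above, as an added example that is not part of the original thread: a shell script that writes each module's .te (and the tailored domain's .fc) with quoted heredocs, so the refpolicy m4 quote pairs (` and ') need none of the backslash escaping required inside a one-line echo, then builds and installs only if /usr/share/selinux/devel/Makefile is present. The module names, CGI path and Makefile path are the thread's own; the OUTDIR variable, the `install` argument and the module_looks_sane helper are this example's assumptions. It also escapes the dot in the .fc path, since file-context entries are regular expressions.

```shell
#!/bin/sh
# Added example, not code from the thread: the generic (not recommended)
# and tailored (recommended) policy modules from Dominick's reply, written
# with quoted heredocs so the m4 `...' quotes need no shell escaping.
# Module names, the CGI path and DEVEL_MK come from the thread; OUTDIR,
# the "install" argument and module_looks_sane are this script's assumptions.
set -eu

DEVEL_MK=/usr/share/selinux/devel/Makefile

# Broad option: every script in httpd_sys_script_t may read every
# domain's /proc state. Affects all generic CGI scripts on the host.
write_generic_module() {            # $1 = output directory
    mkdir -p "$1"
    cat > "$1/myapache.te" <<'EOF'
policy_module(myapache, 1.0.0)

optional_policy(`
	gen_require(`
		type httpd_sys_script_t;
	')
	domain_read_all_domains_state(httpd_sys_script_t)
')
EOF
}

# Tailored option: apache_content_template(mywebapp) derives
# httpd_mywebapp_script_t and httpd_mywebapp_script_exec_t, and only
# that script domain gets the extra access. The .fc path is a regex,
# so the dot in the filename is escaped.
write_tailored_module() {           # $1 = output directory
    mkdir -p "$1"
    cat > "$1/mywebapp.te" <<'EOF'
policy_module(mywebapp, 1.0.0)

optional_policy(`
	apache_content_template(mywebapp)
	domain_read_all_domains_state(httpd_mywebapp_script_t)
')
EOF
    cat > "$1/mywebapp.fc" <<'EOF'
/var/www/cgi-bin/mywebapp\.pl	--	gen_context(system_u:object_r:httpd_mywebapp_script_exec_t,s0)
EOF
}

# Cheap check before handing sources to the build: the .te must declare
# the expected module name and contain the state-reading interface.
module_looks_sane() {               # $1 = path to .te, $2 = module name
    grep -q "^policy_module($2, " "$1" &&
    grep -q 'domain_read_all_domains_state(' "$1"
}

# Build and install; refuses to start without the devel Makefile
# (selinux-policy-devel on RHEL/CentOS) instead of failing half-way.
build_and_install() {               # $1 = output directory, $2 = module name
    if [ ! -f "$DEVEL_MK" ]; then
        echo "$DEVEL_MK not found; install selinux-policy-devel first" >&2
        return 2
    fi
    ( cd "$1" && make -f "$DEVEL_MK" "$2.pp" ) || return 1
    sudo semodule -i "$1/$2.pp"
}

# Usage: sh mywebapp-policy.sh install   (sources go to $OUTDIR, default ~/mywebapp)
if [ "${1:-}" = install ]; then
    out=${OUTDIR:-$HOME/mywebapp}
    write_tailored_module "$out"
    module_looks_sane "$out/mywebapp.te" mywebapp
    build_and_install "$out" mywebapp
    sudo restorecon -v /var/www/cgi-bin/mywebapp.pl
fi
```

After the restorecon, later denials from that CGI script should be logged against httpd_mywebapp_script_t rather than httpd_sys_script_t; if they still name httpd_sys_script_t, the .fc path did not match the script actually being executed and the label on disk should be checked with ls -Z.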