2012-07-03 15:54:03

by byrnejb

Subject: [refpolicy] CentOS-6.2 /bin/ps selinux avc

OS = CentOS-6.2 (RHEL6)

I have just noticed a large number of similar selinux entries in the
syslog on one of our hosts:

Jul 3 11:30:05 inet09 setroubleshoot: SELinux is preventing /bin/ps
from search access on the directory 1180. For complete SELinux
messages. run sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f

# sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
SELinux is preventing /bin/ps from search access on the directory 1180.

***** Plugin catchall (100. confidence) suggests *******************

If you believe that ps should be allowed search access on the 1180
directory by default. Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ps /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


# ls -Zd /proc/1180
dr-xr-xr-x. root root system_u:system_r:restorecond_t:s0 /proc/1180

# grep ps /var/log/audit/audit.log | audit2allow


#============= httpd_sys_script_t ==============
allow httpd_sys_script_t chkpwd_t:dir getattr;
allow httpd_sys_script_t fsadm_t:dir { getattr search };
allow httpd_sys_script_t fsadm_t:file { read open };
allow httpd_sys_script_t ifconfig_t:dir { getattr search };
allow httpd_sys_script_t ifconfig_t:file { read open };
allow httpd_sys_script_t logrotate_t:dir { getattr search };
allow httpd_sys_script_t logrotate_t:file { read open };
allow httpd_sys_script_t logwatch_mail_t:dir { getattr search };
allow httpd_sys_script_t logwatch_mail_t:file { read open };
allow httpd_sys_script_t logwatch_t:dir { getattr search };
allow httpd_sys_script_t logwatch_t:file { read open };
allow httpd_sys_script_t postfix_local_t:dir { getattr search };
allow httpd_sys_script_t postfix_local_t:file { read open };
allow httpd_sys_script_t postfix_postdrop_t:dir { getattr search };
allow httpd_sys_script_t postfix_postdrop_t:file { read open };
allow httpd_sys_script_t postfix_smtpd_t:dir { getattr search };
allow httpd_sys_script_t postfix_smtpd_t:file { read open };
allow httpd_sys_script_t restorecond_t:dir { getattr search };
allow httpd_sys_script_t restorecond_t:file { read open };
allow httpd_sys_script_t rpm_script_t:dir { getattr search };
allow httpd_sys_script_t rpm_script_t:file { read open };
allow httpd_sys_script_t rpm_t:dir { getattr search };
allow httpd_sys_script_t rpm_t:file { read open };
allow httpd_sys_script_t system_cronjob_t:dir { getattr search };
allow httpd_sys_script_t system_cronjob_t:file { read open };
allow httpd_sys_script_t system_mail_t:dir { getattr search };
allow httpd_sys_script_t system_mail_t:file { read open };
allow httpd_sys_script_t unconfined_mount_t:dir { getattr search };
allow httpd_sys_script_t unconfined_mount_t:file { read open };
allow httpd_sys_script_t unconfined_sendmail_t:dir { getattr search };
allow httpd_sys_script_t unconfined_sendmail_t:file { read open };


This happens to be the one host that we have SELinux set to
permissive, due to the presence of the Passenger Apache module. We
also use the Webmin web based system administration tool on that
system.

I would appreciate any insights as to what these messages mean, what
is causing them, and whether producing a local policy as suggested is
recommended. It seems to me that building a custom policy for an
ephemeral /proc directory is a waste of time, but I have been wrong
before.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
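As an added example (not part of this thread, and not refpolicy or setroubleshoot code), the script below does in Python what the `grep ps /var/log/audit/audit.log | audit2allow` step above does to raw AVC records: it parses audit records and merges them into allow rules keyed on source type, target type and object class. The records are constructed to match the scenario in the post (ps running as httpd_sys_script_t, denied search on /proc/<pid> directories labelled with other domains' types); the helper names parse_avc, build_rules and broad_state_readers are this example's own. It also flags the pattern that makes the audit2allow output above keep growing: one source domain needing dir/file access to many other domains' state, which is exactly what a process-listing tool produces and what no per-target rule list can ever cover completely. Permissions are emitted in sorted order, unlike audit2allow's.

```python
"""Summarise SELinux AVC denials into audit2allow-style allow rules.

Added example; the audit records below are constructed, not copied from a
real audit.log. Field layout follows the kernel AVC record format:
  type=AVC msg=audit(...): avc:  denied  { perms } for  pid=... comm="..."
  ... scontext=user:role:type:range tcontext=user:role:type:range tclass=dir
"""
import re
from collections import defaultdict

# Constructed sample records (hypothetical pids, inodes and timestamps).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1341329405.120:1000): avc:  denied  { getattr } for  pid=2345 comm="ps" path="/proc/1175" dev=proc ino=12300 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=dir
type=AVC msg=audit(1341329405.123:1001): avc:  denied  { search } for  pid=2345 comm="ps" name="1180" dev=proc ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir
type=AVC msg=audit(1341329405.124:1002): avc:  denied  { getattr } for  pid=2345 comm="ps" path="/proc/1180" dev=proc ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=dir
type=AVC msg=audit(1341329405.125:1003): avc:  denied  { read open } for  pid=2345 comm="ps" path="/proc/1180/stat" dev=proc ino=12346 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:restorecond_t:s0 tclass=file
type=AVC msg=audit(1341329405.126:1004): avc:  denied  { getattr search } for  pid=2345 comm="ps" name="1201" dev=proc ino=12400 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=dir
type=SYSCALL msg=audit(1341329405.126:1004): arch=c000003e syscall=4 success=no exit=-13 comm="ps"
type=AVC msg=audit(1341329405.127:1005): avc:  denied  { read open } for  pid=2345 comm="ps" path="/proc/1201/stat" dev=proc ino=12401 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=file
"""

# Pull the permission set, both contexts and the object class out of an
# AVC record; records of other types (SYSCALL, CWD, PATH) do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a context like user:role:type:range."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def build_rules(text):
    """Merge denials into allow rules keyed on (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def broad_state_readers(text, threshold=2):
    """Map each source type to the sorted target types whose dir/file
    objects it was denied on, keeping only sources that touched at least
    `threshold` distinct targets. That is the signature of a tool walking
    /proc: new process types will appear as new denials, so a per-target
    allow list is never complete."""
    targets = defaultdict(set)
    for src, tgt, cls, _ in parse_avc(text):
        if cls in ("dir", "file"):
            targets[src].add(tgt)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for src, tgts in broad_state_readers(SAMPLE_AUDIT_LOG).items():
        print(f"# {src} reads the state of {len(tgts)} domains: {', '.join(tgts)}")
```

Run it against a real `grep ps /var/log/audit/audit.log` dump (read from a file instead of SAMPLE_AUDIT_LOG) to see the same merged rule list the post shows; when broad_state_readers reports a source with many targets, that is the cue to look for a refpolicy interface covering the whole class of objects, or for a separate domain for the script, rather than installing the generated per-target rules.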


2012-07-03 17:05:27

by dominick.grift

Subject: [refpolicy] CentOS-6.2 /bin/ps selinux avc

On Tue, 2012-07-03 at 11:54 -0400, James B. Byrne wrote:
> OS = CentOS-6.2 (RHEL6)
>
> I have just noticed a large number of similar selinux entries in the
> syslog on one of our hosts:
>
> Jul 3 11:30:05 inet09 setroubleshoot: SELinux is preventing /bin/ps
> from search access on the directory 1180. For complete SELinux
> messages. run sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
>
> # sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
> SELinux is preventing /bin/ps from search access on the directory 1180.
>
> ***** Plugin catchall (100. confidence) suggests *******************
>
> If you believe that ps should be allowed search access on the 1180
> directory by default. Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # grep ps /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> # ls -Zd /proc/1180
> dr-xr-xr-x. root root system_u:system_r:restorecond_t:s0 /proc/1180
>
> # grep ps /var/log/audit/audit.log | audit2allow
>
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t chkpwd_t:dir getattr;
> allow httpd_sys_script_t fsadm_t:dir { getattr search };
> allow httpd_sys_script_t fsadm_t:file { read open };
> allow httpd_sys_script_t ifconfig_t:dir { getattr search };
> allow httpd_sys_script_t ifconfig_t:file { read open };
> allow httpd_sys_script_t logrotate_t:dir { getattr search };
> allow httpd_sys_script_t logrotate_t:file { read open };
> allow httpd_sys_script_t logwatch_mail_t:dir { getattr search };
> allow httpd_sys_script_t logwatch_mail_t:file { read open };
> allow httpd_sys_script_t logwatch_t:dir { getattr search };
> allow httpd_sys_script_t logwatch_t:file { read open };
> allow httpd_sys_script_t postfix_local_t:dir { getattr search };
> allow httpd_sys_script_t postfix_local_t:file { read open };
> allow httpd_sys_script_t postfix_postdrop_t:dir { getattr search };
> allow httpd_sys_script_t postfix_postdrop_t:file { read open };
> allow httpd_sys_script_t postfix_smtpd_t:dir { getattr search };
> allow httpd_sys_script_t postfix_smtpd_t:file { read open };
> allow httpd_sys_script_t restorecond_t:dir { getattr search };
> allow httpd_sys_script_t restorecond_t:file { read open };
> allow httpd_sys_script_t rpm_script_t:dir { getattr search };
> allow httpd_sys_script_t rpm_script_t:file { read open };
> allow httpd_sys_script_t rpm_t:dir { getattr search };
> allow httpd_sys_script_t rpm_t:file { read open };
> allow httpd_sys_script_t system_cronjob_t:dir { getattr search };
> allow httpd_sys_script_t system_cronjob_t:file { read open };
> allow httpd_sys_script_t system_mail_t:dir { getattr search };
> allow httpd_sys_script_t system_mail_t:file { read open };
> allow httpd_sys_script_t unconfined_mount_t:dir { getattr search };
> allow httpd_sys_script_t unconfined_mount_t:file { read open };
> allow httpd_sys_script_t unconfined_sendmail_t:dir { getattr search };
> allow httpd_sys_script_t unconfined_sendmail_t:file { read open };
>
>
> This happens to be the one host that we have SELinux set to
> permissive, due to the presence of the Passenger Apache module. We
> also use the Webmin web based system administration tool on that
> system.
>
> I would appreciate any insights at to what these messages mean; what
> is causing them; and whether producing a local policy as suggested is
> recommended. It seems to me that building a custom policy for an
> ephemeral /proc directory is a waste of time but I have been wrong
> before.
>
Your cgi webapp runs ps; this causes ps to attempt to create state files
in /proc, and selinux is blocking this because generic webapps do not
need this access.

You can allow your generic webapps domain to read all state files (not
recommended, as it will affect all apps running in the generic webapp
domain):

mkdir ~/myapache; cd ~/myapache
cat > myapache.te <<'EOF'
policy_module(myapache, 1.0.0)
optional_policy(`
    gen_require(`
        type httpd_sys_script_t;
    ')
    domain_read_all_domains_state(httpd_sys_script_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile myapache.pp
sudo semodule -i myapache.pp

Alternatively, you can create a tailored webapp domain for this
particular script (recommended):

mkdir ~/mywebapp; cd ~/mywebapp
cat > mywebapp.te <<'EOF'
policy_module(mywebapp, 1.0.0)
optional_policy(`
    apache_content_template(mywebapp)
    domain_read_all_domains_state(httpd_mywebapp_script_t)
')
EOF
cat > mywebapp.fc <<'EOF'
/var/www/cgi-bin/mywebapp.pl -- gen_context(system_u:object_r:httpd_mywebapp_script_exec_t,s0)
EOF
make -f /usr/share/selinux/devel/Makefile mywebapp.pp
sudo semodule -i mywebapp.pp
sudo restorecon -v /var/www/cgi-bin/mywebapp.pl



2012-07-03 17:06:26

by dominick.grift

Subject: [refpolicy] CentOS-6.2 /bin/ps selinux avc

On Tue, 2012-07-03 at 19:05 +0200, Dominick Grift wrote:
> On Tue, 2012-07-03 at 11:54 -0400, James B. Byrne wrote:
> > OS = CentOS-6.2 (RHEL6)
> >
> > I have just noticed a large number of similar selinux entries in the
> > syslog on one of our hosts:
> >
> > Jul 3 11:30:05 inet09 setroubleshoot: SELinux is preventing /bin/ps
> > from search access on the directory 1180. For complete SELinux
> > messages. run sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
> >
> > # sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
> > SELinux is preventing /bin/ps from search access on the directory 1180.
> >
> > ***** Plugin catchall (100. confidence) suggests *******************
> >
> > If you believe that ps should be allowed search access on the 1180
> > directory by default. Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do allow this access for now by executing:
> > # grep ps /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> >
> > # ls -Zd /proc/1180
> > dr-xr-xr-x. root root system_u:system_r:restorecond_t:s0 /proc/1180
> >
> > # grep ps /var/log/audit/audit.log | audit2allow
> >
> >
> > #============= httpd_sys_script_t ==============
> > allow httpd_sys_script_t chkpwd_t:dir getattr;
> > allow httpd_sys_script_t fsadm_t:dir { getattr search };
> > allow httpd_sys_script_t fsadm_t:file { read open };
> > allow httpd_sys_script_t ifconfig_t:dir { getattr search };
> > allow httpd_sys_script_t ifconfig_t:file { read open };
> > allow httpd_sys_script_t logrotate_t:dir { getattr search };
> > allow httpd_sys_script_t logrotate_t:file { read open };
> > allow httpd_sys_script_t logwatch_mail_t:dir { getattr search };
> > allow httpd_sys_script_t logwatch_mail_t:file { read open };
> > allow httpd_sys_script_t logwatch_t:dir { getattr search };
> > allow httpd_sys_script_t logwatch_t:file { read open };
> > allow httpd_sys_script_t postfix_local_t:dir { getattr search };
> > allow httpd_sys_script_t postfix_local_t:file { read open };
> > allow httpd_sys_script_t postfix_postdrop_t:dir { getattr search };
> > allow httpd_sys_script_t postfix_postdrop_t:file { read open };
> > allow httpd_sys_script_t postfix_smtpd_t:dir { getattr search };
> > allow httpd_sys_script_t postfix_smtpd_t:file { read open };
> > allow httpd_sys_script_t restorecond_t:dir { getattr search };
> > allow httpd_sys_script_t restorecond_t:file { read open };
> > allow httpd_sys_script_t rpm_script_t:dir { getattr search };
> > allow httpd_sys_script_t rpm_script_t:file { read open };
> > allow httpd_sys_script_t rpm_t:dir { getattr search };
> > allow httpd_sys_script_t rpm_t:file { read open };
> > allow httpd_sys_script_t system_cronjob_t:dir { getattr search };
> > allow httpd_sys_script_t system_cronjob_t:file { read open };
> > allow httpd_sys_script_t system_mail_t:dir { getattr search };
> > allow httpd_sys_script_t system_mail_t:file { read open };
> > allow httpd_sys_script_t unconfined_mount_t:dir { getattr search };
> > allow httpd_sys_script_t unconfined_mount_t:file { read open };
> > allow httpd_sys_script_t unconfined_sendmail_t:dir { getattr search };
> > allow httpd_sys_script_t unconfined_sendmail_t:file { read open };
> >
> >
> > This happens to be the one host that we have SELinux set to
> > permissive, due to the presence of the Passenger Apache module. We
> > also use the Webmin web based system administration tool on that
> > system.
> >
> > I would appreciate any insights at to what these messages mean; what
> > is causing them; and whether producing a local policy as suggested is
> > recommended. It seems to me that building a custom policy for an
> > ephemeral /proc directory is a waste of time but I have been wrong
> > before.
> >
> Your cgi webapp runs ps, this causes ps to attempt to create state files
read, I mean.

> in /proc and selinux is blocking this because generic webapps do not
> need this access.
>
> You can allow your generic webapps domain to read all state files: ( not
> recommended as it will affect all apps running in the generic webapp
> domain )
>
> mkdir ~/myapache; cd ~/myapache; echo "policy_module(myapache, 1.0.0)
> optional_policy(\` gen_require(\` type httpd_sys_script_t; ')
> domain_read_all_domains_state(httpd_sys_script_t)')" > myapache.te; make
> -f /usr/share/selinux/devel/Makefile myapache.pp; sudo semodule -i
> myapache.pp
>
> Alternatively you can create a tailored webapp domain for this
> particular script ( recommended )
>
> mkdir ~/mywebapp; cd ~/mywebapp; echo "policy_module(mywebapp, 1.0.0)
> optional_policy(\` apache_content_template(mywebapp)
> domain_read_all_domains_state(httpd_mywebapp_script_t)')" > mywebapp.te;
> echo "/var/www/cgi-bin/mywebapp.pl --
> gen_context(system_u:object_r:httpd_mywebapp_script_exec_t,s0)" >
> mywebapp.fc; make -f /usr/share/selinux/devel/Makefile mywebapp.pp; sudo
> semodule -i mywebapp.pp; restorecon -v /var/www/cgi-bin/mywebapp.pl
>
>
>

2012-07-03 17:55:24

by dominick.grift

Subject: [refpolicy] CentOS-6.2 /bin/ps selinux avc

On Tue, 2012-07-03 at 19:06 +0200, Dominick Grift wrote:
> On Tue, 2012-07-03 at 19:05 +0200, Dominick Grift wrote:
> > On Tue, 2012-07-03 at 11:54 -0400, James B. Byrne wrote:
> > > OS = CentOS-6.2 (RHEL6)
> > >
> > > I have just noticed a large number of similar selinux entries in the
> > > syslog on one of our hosts:
> > >
> > > Jul 3 11:30:05 inet09 setroubleshoot: SELinux is preventing /bin/ps
> > > from search access on the directory 1180. For complete SELinux
> > > messages. run sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
> > >
> > > # sealert -l f09d35d9-4dfc-4722-8ad2-f1ba2bf2442f
> > > SELinux is preventing /bin/ps from search access on the directory 1180.
> > >
> > > ***** Plugin catchall (100. confidence) suggests *******************
> > >
> > > If you believe that ps should be allowed search access on the 1180
> > > directory by default. Then you should report this as a bug.
> > > You can generate a local policy module to allow this access.
> > > Do allow this access for now by executing:
> > > # grep ps /var/log/audit/audit.log | audit2allow -M mypol
> > > # semodule -i mypol.pp
> > >
> > >
> > > # ls -Zd /proc/1180
> > > dr-xr-xr-x. root root system_u:system_r:restorecond_t:s0 /proc/1180
> > >
> > > # grep ps /var/log/audit/audit.log | audit2allow
> > >
> > >
> > > #============= httpd_sys_script_t ==============
> > > allow httpd_sys_script_t chkpwd_t:dir getattr;
> > > allow httpd_sys_script_t fsadm_t:dir { getattr search };
> > > allow httpd_sys_script_t fsadm_t:file { read open };
> > > allow httpd_sys_script_t ifconfig_t:dir { getattr search };
> > > allow httpd_sys_script_t ifconfig_t:file { read open };
> > > allow httpd_sys_script_t logrotate_t:dir { getattr search };
> > > allow httpd_sys_script_t logrotate_t:file { read open };
> > > allow httpd_sys_script_t logwatch_mail_t:dir { getattr search };
> > > allow httpd_sys_script_t logwatch_mail_t:file { read open };
> > > allow httpd_sys_script_t logwatch_t:dir { getattr search };
> > > allow httpd_sys_script_t logwatch_t:file { read open };
> > > allow httpd_sys_script_t postfix_local_t:dir { getattr search };
> > > allow httpd_sys_script_t postfix_local_t:file { read open };
> > > allow httpd_sys_script_t postfix_postdrop_t:dir { getattr search };
> > > allow httpd_sys_script_t postfix_postdrop_t:file { read open };
> > > allow httpd_sys_script_t postfix_smtpd_t:dir { getattr search };
> > > allow httpd_sys_script_t postfix_smtpd_t:file { read open };
> > > allow httpd_sys_script_t restorecond_t:dir { getattr search };
> > > allow httpd_sys_script_t restorecond_t:file { read open };
> > > allow httpd_sys_script_t rpm_script_t:dir { getattr search };
> > > allow httpd_sys_script_t rpm_script_t:file { read open };
> > > allow httpd_sys_script_t rpm_t:dir { getattr search };
> > > allow httpd_sys_script_t rpm_t:file { read open };
> > > allow httpd_sys_script_t system_cronjob_t:dir { getattr search };
> > > allow httpd_sys_script_t system_cronjob_t:file { read open };
> > > allow httpd_sys_script_t system_mail_t:dir { getattr search };
> > > allow httpd_sys_script_t system_mail_t:file { read open };
> > > allow httpd_sys_script_t unconfined_mount_t:dir { getattr search };
> > > allow httpd_sys_script_t unconfined_mount_t:file { read open };
> > > allow httpd_sys_script_t unconfined_sendmail_t:dir { getattr search };
> > > allow httpd_sys_script_t unconfined_sendmail_t:file { read open };
> > >
> > >
> > > This happens to be the one host that we have SELinux set to
> > > permissive, due to the presence of the Passenger Apache module. We
> > > also use the Webmin web based system administration tool on that
> > > system.
> > >
> > > I would appreciate any insights at to what these messages mean; what
> > > is causing them; and whether producing a local policy as suggested is
> > > recommended. It seems to me that building a custom policy for an
> > > ephemeral /proc directory is a waste of time but I have been wrong
> > > before.
> > >
> > Your cgi webapp runs ps, this causes ps to attempt to create state files
> read i mean.
>
> > in /proc and selinux is blocking this because generic webapps do not
> > need this access.
> >
> > You can allow your generic webapps domain to read all state files: ( not
> > recommended as it will affect all apps running in the generic webapp
> > domain )
> >
> > mkdir ~/myapache; cd ~/myapache; echo "policy_module(myapache, 1.0.0)
> > optional_policy(\` gen_require(\` type httpd_sys_script_t; ')
> > domain_read_all_domains_state(httpd_sys_script_t)')" > myapache.te; make
> > -f /usr/share/selinux/devel/Makefile myapache.pp; sudo semodule -i
> > myapache.pp
> >
> > Alternatively you can create a tailored webapp domain for this
> > particular script ( recommended )
> >
> > mkdir ~/mywebapp; cd ~/mywebapp; echo "policy_module(mywebapp, 1.0.0)
> > optional_policy(\` apache_content_template(mywebapp)
> > domain_read_all_domains_state(httpd_mywebapp_script_t)')" > mywebapp.te;
> > echo "/var/www/cgi-bin/mywebapp.pl --
> > gen_context(system_u:object_r:httpd_mywebapp_script_exec_t,s0)" >
> > mywebapp.fc; make -f /usr/share/selinux/devel/Makefile mywebapp.pp; sudo
> > semodule -i mywebapp.pp; restorecon -v /var/www/cgi-bin/mywebapp.pl
> >
> >
> >
>
>

By the way, this most likely doesn't belong on this mailing list, as I doubt
reference policy even supports this passenger stuff.

Best bet is to just file a report at bugzilla.redhat.com