Re: Selinux error help - continued

[Stephen Smalley <sds tycho nsa gov>]

On Thu, 2007-02-08 at 13:55 -0500, Stephen Smalley wrote:
> On Thu, 2007-02-08 at 17:11 +0000, Dan Track wrote:
> > Ok I just ran your strace and I got two files that contain the getsid
> > call. Not sure how to read where the pid is so I'll past a portion of
> > the file incase you can read it better than me.
> 
> It is the argument to getsid, i.e. the number in parentheses.
> 
> > The other strange thing is that I'm not getting any more selinux
> > notifications (SYSCALL) since issuing your chcon command. There are no
> > httpd violations. Should I back out the chcon to get the errors back?
> 
> The selinux notifications are actually the AVC messages; the SYSCALL
> records are generated by the audit system if you have system call
> auditing enabled when a system call exits if any AVC messages were
> emitted during the system call.  The SYSCALL records are helpful in
> providing more information, but aren't fundamental to SELinux.
> 
> <snip>
> > getsid(26060)                           = 26059
> 
> So it tried to call getsid() on process 26060, and got 26059 as the
> session ID of that process.  So look in the traces for 26059 and 26060
> to see what those processes were.

Actually, you won't have traces for those processes since they weren't
descendants of httpd (since they were unconfined_t, thereby triggering
this getsession avc message in the first place).  But we can actually
infer what the process was from the rest of your trace output - if you
look at your trace, you'll see that it opened /var/run/yule.pid shortly
before calling getsid.    Thus, it is likely trying to check up on the
separate yule daemon process.  Which is likely running in unconfined_t
on your machine.

-- 
Stephen Smalley
National Security Agency