/proc {getattr} failures

James Z. Li james.zheng.li at gmail.com
Mon May 23 01:42:17 UTC 2005


targeted policy on FC3

/var/log/messages shows lots of avcs:
May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc:  denied 
{ getattr } for  pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538
scontext=user_u:system_r:httpd_sys_script_t
tcontext=user_u:system_r:unconfined_t tclass=dir
...
May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc:  denied 
{ getattr } for  pid=2733 exe=/bin/ps path=/proc/2660 dev=proc
ino=174325762 scontext=user_u:system_r:httpd_sys_script_t
tcontext=root:system_r:unconfined_t tclass=dir

'audit2allow' generates this rule in local.te
allow httpd_sys_script_t unconfined_t:dir { getattr };

'make load' shows the assertion error message
Assertion on line 17328 violated by allow httpd_sys_script_t
unconfined_t:dir { getattr };
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1

Then I learned that /proc, /selinux, and /sys do not have persistent
labels. What should
I do to solve this problem? Remove that assertion check? 

Btw, does anyone have a policy file for Gallery (gallery.sourceforge.net) with httpd?

Thanks a lot!




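Added example (not code from the post, from audit2allow, or from the FC3 policy tree): it parses the two AVC records quoted above, folds them into an allow rule the way audit2allow does, and then checks that rule against a neverallow assertion, which is what 'make load' is doing when it reports the violation. The post does not quote the text of the assertion on line 17328, so the NEVERALLOW entry below is a constructed stand-in that forbids exactly the access the generated rule grants; the aggregation and the check are the part worth seeing.

```python
"""Parse SELinux AVC denials, generate allow rules like audit2allow does,
and check them against neverallow assertions.

Added example for the mailing-list post; not audit2allow's own code.
SAMPLE_LOG holds the two AVC records quoted in the post (joined onto one
line each). NEVERALLOW is a constructed assertion standing in for the
policy's "Assertion on line 17328", whose text the post does not show.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc:  denied  { getattr } for  pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:unconfined_t tclass=dir
May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc:  denied  { getattr } for  pid=2733 exe=/bin/ps path=/proc/2660 dev=proc ino=174325762 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=dir
"""

# Pull the permission set, source context, target context and class out of
# one AVC record; the fields between them (pid, exe, path, ...) are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type (third field). Policy rules are written
    in terms of types, which is why both records collapse to one rule even
    though their tcontext users differ (user_u vs root)."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Yield (source_type, target_type, tclass, {perms}) per denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def generate_allow_rules(log_text):
    """Aggregate denials by (source, target, class), unioning permissions.
    Returns {(source, target, class): {perms}}, the data behind the
    'allow ...;' lines audit2allow prints."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(log_text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def format_rule(key, perms):
    src, tgt, cls = key
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))


# Constructed neverallow assertion: (source, target, class, forbidden perms).
# A stand-in for the real policy assertion, not its actual text.
NEVERALLOW = [("httpd_sys_script_t", "unconfined_t", "dir", {"getattr"})]


def violated_assertions(rules, neverallows=NEVERALLOW):
    """Return (rule_text, assertion) pairs where a generated allow rule grants
    a permission an assertion forbids. A non-empty result is the situation
    the 'Assertion ... violated by allow ...' message reports: the fix is to
    avoid the access (or label the objects so it is not needed), not to
    delete the assertion."""
    hits = []
    for key, perms in rules.items():
        for na in neverallows:
            na_src, na_tgt, na_cls, na_perms = na
            if key == (na_src, na_tgt, na_cls) and perms & na_perms:
                hits.append((format_rule(key, perms), na))
    return hits


if __name__ == "__main__":
    rules = generate_allow_rules(SAMPLE_LOG)
    for key, perms in rules.items():
        print(format_rule(key, perms))
    for rule_text, assertion in violated_assertions(rules):
        print("would violate neverallow %s:" % (assertion,), rule_text)
```

Run stand-alone it prints the same single rule audit2allow produced in the post and then flags it against the constructed assertion. Real policy assertions are usually written over attributes rather than single types, so a matcher against a real policy.conf would have to expand attributes first; the type-level check here is enough to show why the generated rule cannot simply be loaded.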