Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...
|
Re: /proc {getattr} failures: msg#00158
|
Subject: |
Re: /proc {getattr} failures |
On Monday 23 May 2005 11:42, "James Z. Li" <james.zheng.li@xxxxxxxxx> wrote:
> targeted policy on FC3
>
> /var/log/messages show lots of avcs:
> May 22 20:54:42 bengal kernel: audit(1116809682.160:0): avc: denied
> { getattr } for pid=2733 exe=/bin/ps path=/proc/1 dev=proc ino=65538
> scontext=user_u:system_r:httpd_sys_script_t
> tcontext=user_u:system_r:unconfined_t tclass=dir
> ...
> May 22 20:54:42 bengal kernel: audit(1116809682.171:0): avc: denied
> { getattr } for pid=2733 exe=/bin/ps path=/proc/2660 dev=proc
> ino=174325762 scontext=user_u:system_r:httpd_sys_script_t
> tcontext=root:system_r:unconfined_t tclass=dir
>
> 'audit2allow' generates this rule in local.te
> allow httpd_sys_script_t unconfined_t:dir { getattr };
CGI-BIN scripts have no need to know anything about init or to see it in ps
output.
The output of audit2allow does not need to be put directly into the policy,
you can also change the "allow" key word to "dontaudit" if it seems
appropriate. In this situation the program in question does not need such
access, should not be given such access, and a "dontaudit" rule will remove
the annoying log entries.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
|
| |
