ignasr at vault13.lt
2013-Mar-27 13:09 UTC
[CentOS] silencing Passenger "ps" SELinux errors
Hello,

how do people cope with constant SELinux errors like this from Fusion Passenger:

36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928

It happens when Passenger v3 tries to determine memory stats with "ps". There is an Apache directive to turn it off ( http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMemoryLimit ), unfortunately it does not work in the community version of Passenger.

The cause is always ps running as passenger_t trying to read files in /proc with various types of security context.

Thank you,
IgnasR
On 27 March 2013 13:09, ignasr at vault13.lt <ignasr at vault13.lt> wrote:

> Hello,
>
> how do people cope with constant SELinux errors like this from Fusion
> Passenger:
>
> 36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
> 36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
> 36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928
>
> It happens when Passenger v3 tries to determine memory stats with "ps".
> There is an Apache directive to turn it off (
> http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerMemoryLimit
> ), unfortunately it does not work in the community version of Passenger.
>
> The cause is always ps running as passenger_t trying to read files in
> /proc with various types of security context.
>
> Thank you,
> IgnasR

Hello IgnasR

I think that you've posted to the wrong list. The app server support list is here
https://groups.google.com/forum/?fromgroups#!forum/phusion-passenger

Dan Walsh is a great place to start with SELinux
http://people.redhat.com/dwalsh/

SELinux by Example takes a great theory and hands-on approach
http://www.amazon.com/SELinux-Example-Using-Security-Enhanced/dp/0131963694

All the best
Paul

--
"I know one thing: That I know nothing" - Socrates
"We're all explorers here" - T S Eliot
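
The report lines quoted in the first message, grouped by source type, target type and object class so the distinct denials behind the repeated "ps" entries are visible at a glance. This is an added example, not part of the original thread. It assumes the columns are index, date, time, command, subject context, syscall number, object class, permission, object context, result and event id, as the quoted lines suggest.

```python
import re
from collections import defaultdict

# Constructed sample: the three report lines quoted in the first message.
SAMPLE = """\
36886. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 file open system_u:system_r:udev_t:s0-s0:c0.c1023 denied 1922
36887. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 4 dir getattr unconfined_u:system_r:initrc_t:s0 denied 1927
36888. 03/27/2013 14:20:05 ps unconfined_u:system_r:passenger_t:s0 2 dir search unconfined_u:system_r:initrc_t:s0 denied 1928
"""

# Assumed column order (inferred from the quoted lines, not documented on the page):
# index, date, time, comm, subject ctx, syscall, class, perm, object ctx, result, event.
LINE = re.compile(
    r"^\s*(?P<idx>\d+)\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<comm>\S+)\s+"
    r"(?P<scontext>\S+)\s+(?P<syscall>\d+)\s+(?P<tclass>\S+)\s+(?P<perm>\S+)\s+"
    r"(?P<tcontext>\S+)\s+(?P<result>\S+)\s+(?P<event>\d+)\s*$"
)

def selinux_type(context):
    """Return the type field of user:role:type[:level]; the level may itself contain ':'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_line(line):
    """Parse one report line into a dict of fields, or None if it does not match."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def summarize(report):
    """Map (source type, target type, class) to the sorted permissions that were denied."""
    perms = defaultdict(set)
    for line in report.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "denied":
            continue  # skip headers, blank lines and non-denial rows
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        perms[key].add(rec["perm"])
    return {k: sorted(v) for k, v in perms.items()}

if __name__ == "__main__":
    for (src, tgt, cls), p in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt} : {cls} {{ {' '.join(p)} }}")
```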