search for: sys_ptrac

I have a web application which uses sudo to invoke python scripts as the user under which the application runs (NO root access).? Is there any reason why sudo would would require sys_ptrace access for this?? I only get this violation intermittenly, and not with every call to sudo.? Here's the violation: Summary: SELinux is preventing sudo (httpd_t) "sys_ptrace" to <Unknown> (httpd_t). Detailed Description: SELinux denied access requested by sudo. It is not exp...

...e { type bin_t; type devpts_t; type httpd_t; type passenger_t; type port_t; type proc_net_t; class process { getattr siginh setexec sigchld noatsecure transition rlimitinh }; class unix_stream_socket { getattr accept read write }; class capability { sys_resource sys_ptrace }; class file { entrypoint open create relabelfrom relabelto getattr setattr read write append ioctl lock rename link unlink }; class lnk_file { getattr read }; class udp_socket name_bind; class dir { getattr setattr add_name remove_name search open read write ioctl lock }; } #===...

...ps data and other python scripts used by other functions in the app). Could be that I'm not seeing something, but this approach seems sensible to me, though I could be convinced otherwise if I could see where running the php as the app users, would make more sense. It could be that giving sudo sys_ptrace access could increase the risk to the security of the system, but giving the php code app user access, increases the risk of data compromise in the app. Thank You, Nataraj

...ty. Regardless of the exact method, this lets you run your PHP code as a non-php user, letting Apache proxy to it using mod_fcgi. Now you?ve got strong separation between things Apache is allowed to read and things it must talk down through PHP to get access to. > It could be that giving sudo sys_ptrace access could increase the risk to the security of the system Once you give a process ptrace ability, it?s pretty much game over when it comes to security. The scope of what one process can do to another via ptrace(2) is HUUUUGE. I?d very much resist placating SELinux in this way. SELinux might...