Displaying 4 results from an estimated 4 matches for "sys_ptrace".
2018 Aug 21
5
selinux question
I have a web application which uses sudo to invoke python scripts as the
user under which the application runs (NO root access). Is there any
reason why sudo would require sys_ptrace access for this? I only
get this violation intermittently, and not with every call to sudo.
Here's the violation:
Summary:
SELinux is preventing sudo (httpd_t) "sys_ptrace" to <Unknown> (httpd_t).
Detailed Description:
SELinux denied access requested by sudo. It is not expe...
2012 Jun 15
1
Puppet + Passenger SELinux issues
...e {
type bin_t;
type devpts_t;
type httpd_t;
type passenger_t;
type port_t;
type proc_net_t;
class process { getattr siginh setexec sigchld noatsecure transition
rlimitinh };
class unix_stream_socket { getattr accept read write };
class capability { sys_resource sys_ptrace };
class file { entrypoint open create relabelfrom relabelto getattr
setattr read write append ioctl lock rename link unlink };
class lnk_file { getattr read };
class udp_socket name_bind;
class dir { getattr setattr add_name remove_name search open read write
ioctl lock };
}
#====...
2018 Aug 21
2
selinux question
...ps data and other python scripts used by other functions in the app). Could be that I'm not seeing something, but this approach seems sensible to me, though I could be convinced otherwise if I could see where running the php as the app users would make more sense.
It could be that giving sudo sys_ptrace access could increase the risk to the security of the system, but giving the php code app user access increases the risk of data compromise in the app.
Thank You,
Nataraj
2018 Aug 22
0
selinux question
...ty.
Regardless of the exact method, this lets you run your PHP code as a non-php user, letting Apache proxy to it using mod_fcgi. Now you've got strong separation between things Apache is allowed to read and things it must talk down through PHP to get access to.
> It could be that giving sudo sys_ptrace access could increase the risk to the security of the system
Once you give a process ptrace ability, it's pretty much game over when it comes to security. The scope of what one process can do to another via ptrace(2) is HUUUUGE. I'd very much resist placating SELinux in this way.
SELinux might...