Bug #4458
closed: AVC denials about name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Description
Installing Foreman nightly from
baseurl=http://yum.theforeman.org/nightly/el6/$basearch
on RHEL 6.5 causes AVC denials to eventually show up in the audit.log:
type=AVC msg=audit(1393403231.005:232): avc: denied { search } for pid=23349 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1393403231.005:232): avc: denied { read } for pid=23349 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1393403231.005:232): avc: denied { open } for pid=23349 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1393403409.342:248): avc: denied { search } for pid=23695 comm="PassengerHelper" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1393403409.342:248): avc: denied { read } for pid=23695 comm="PassengerHelper" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1393403409.342:248): avc: denied { open } for pid=23695 comm="PassengerHelper" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
The file (path) in question is /sys/devices/system/cpu/online.
Updated by Lukas Zapletal almost 11 years ago
- Category set to 56
Thanks. It looks like we need to open access to the sysfs domain, but I can't find WHY it tries to read this file.
It looks like both agent and memory-stats processes are using the "ps" tool to get some info about CPU:
https://github.com/phusion/passenger/blob/master/ext/common/Utils/ProcessMetricsCollector.h#L474
But I don't see any leaked descriptors or anything like that (when I run it manually):
open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 3
read(3, "0-3\n", 8192) = 4
close(3) = 0
Updated by Dominic Cleal almost 11 years ago
- Is duplicate of Bug #3465: AVC denials with Foreman 1.3 on RHEL 6 added
Updated by Dominic Cleal almost 11 years ago
- Project changed from Foreman to SELinux
- Category deleted (56)
- Status changed from New to Duplicate
Looks the same as #3465.
Updated by Lukas Zapletal almost 11 years ago
Ok I guess we need to add the following rules:
allow passenger_t sysfs_t:dir search;
allow passenger_t sysfs_t:file { read open };
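The rules above are exactly what you get by reading the denials in the description back into policy: each AVC record names a source type (from scontext), a target type (from tcontext), an object class and the denied permissions, and one allow rule per (source, target, class) triple covers them. The script below is an added example, not part of the bug report or of the Foreman SELinux module; it parses the six denial lines from the description (embedded here as constructed sample input, plus one non-AVC record to show it is skipped), coalesces them, and emits a minimal .te module. The module name foreman_passenger_sysfs is a placeholder, not a name used by the project.

```python
"""Derive minimal SELinux allow rules from AVC denial records.

Added example: mirrors what audit2allow does for the denials in this
report, so the resulting rules can be reviewed before anything is loaded.
"""
import re
from collections import defaultdict

# Constructed sample input, copied from the denials in the bug description,
# plus one SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1393403231.005:232): avc: denied { search } for pid=23349 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1393403231.005:232): avc: denied { read } for pid=23349 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1393403231.005:232): avc: denied { open } for pid=23349 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1393403409.342:248): avc: denied { search } for pid=23695 comm="PassengerHelper" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1393403409.342:248): avc: denied { read } for pid=23695 comm="PassengerHelper" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1393403409.342:248): avc: denied { open } for pid=23695 comm="PassengerHelper" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1393403409.342:248): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC denial record: permissions in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perm) for every denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other record types carry no denial
        # A context is user:role:type:level; the type is the third field.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        for perm in m.group('perms').split():
            yield stype, ttype, m.group('tclass'), perm


def _perm_set(perms):
    """Render a permission set in policy syntax: one bare name or a braced list."""
    plist = sorted(perms)
    return plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'


def allow_rules(text):
    """Coalesce denials into one allow rule per (source type, target type, class)."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc(text):
        perms[(stype, ttype, tclass)].add(perm)
    return [f'allow {stype} {ttype}:{tclass} {_perm_set(ps)};'
            for (stype, ttype, tclass), ps in sorted(perms.items())]


def policy_module(text, name):
    """Wrap the rules in a minimal .te module with the require block checkmodule needs."""
    types = set()
    class_perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc(text):
        types.update((stype, ttype))
        class_perms[tclass].add(perm)
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'    type {t};' for t in sorted(types)]
    lines += [f'    class {c} {_perm_set(ps)};' for c, ps in sorted(class_perms.items())]
    lines += ['}', ''] + allow_rules(text)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Placeholder module name; not a name used by the Foreman SELinux package.
    print(policy_module(SAMPLE_AUDIT, 'foreman_passenger_sysfs'))
```

The output for the sample is the same pair of rules proposed above (permissions sorted alphabetically, so `{ open read }`), scoped to the passenger_t domain and the sysfs_t type only, which is the right granularity to review: the denials never ask for write or any broader sysfs access, so the module should not grant it either. A .te produced this way is compiled and loaded with the standard toolchain (`checkmodule -M -m`, `semodule_package`, `semodule -i`); on a host with the policy development tools installed, `audit2allow -M` does the same derivation directly from audit.log.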