Hi..
On Fedora 5 with SElinux, typing 'fuser /some/file' gives a screen-full of error messages:
...
Cannot stat file /proc/27571/fd/10: Permission denied
Cannot stat file /proc/27590/fd/0: Permission denied
Cannot stat file /proc/27590/fd/1: Permission denied
Cannot stat file /proc/27590/fd/2: Permission denied
Cannot stat file /proc/27590/fd/3: Permission denied
Cannot stat file /proc/27590/fd/4: Permission denied
Cannot stat file /proc/27590/fd/5: Permission denied
Cannot stat file /proc/31521/fd/0: Permission denied
Cannot stat file /proc/31521/fd/1: Permission denied
...
followed by the normal (correct?) output.
If I type 'setenforce 0', the error messages go away.
My usual solution (using audit2allow) isn't helping, as there are no messages showing up in /var/log/audit/audit.log relating to this.
Thanks!
kernel-[0]-pkts.ca
Anonymous
Logged In: YES
user_id=21630
Originator: NO
Hello,
Can you tell me if you should be able to stat this file? In other words is the process fuser is stat()ing files for a process you own? In your example the process ID is 27571 and 27590.
Can you re-run fuser on something and then type
ls -l /proc/<pid>/fd
So for your previous example it would be
ls -l /proc/27571/fd
Thanks,
Craig
The problem is that your setup is permitting an opendir() on the /proc/<pid>/fd directory but it doesn't permit a stat() on any of the files within that directory.
You need to decide, through SElinux policy, if at first a user should have access to these files and then depending on what your decision is:
a) Deny opendir() access to /proc/<PID>/fd
or
b) Allow stat() access to /proc/<PID>/fd/*
Case (a) is what happens if a normal user tries to look at another users process
Case (b) is for your own process
What was happening with your setup was a strange blend of the two and fuser was rightly confused.