Summary:

SELinux is preventing /bin/ps "getattr" access on /proc/.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by ps. It is not expected that this access is required by ps and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:ksmtuned_t:s0-s15:c0.c1023
Target Context                system_u:system_r:kernel_t:s15:c0.c1023
Target Objects                /proc/<pid> [ dir ]
Source                        ps
Source Path                   /bin/ps
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           procps-3.2.8-3.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   mls
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.12-115.fc12.x86_64 #1 SMP Fri Apr 30 19:46:25 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Dydd Sul 20 mis Mehefin 2010 19:31:17 BST
Last Seen                     Dydd Sul 20 mis Mehefin 2010 19:31:17 BST
Local ID                      f13edb3b-0edb-4ffe-9a38-041322dfd31f
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1277058677.641:5141): avc: denied { getattr } for pid=27719 comm="ps" path="/proc/2" dev=proc ino=9128 scontext=system_u:system_r:ksmtuned_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir

node=(removed) type=SYSCALL msg=audit(1277058677.641:5141): arch=c000003e syscall=4 success=yes exit=0 a0=e69070 a1=35fc411ca0 a2=35fc411ca0 a3=e69076 items=0 ppid=27718 pid=27719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=system_u:system_r:ksmtuned_t:s0-s15:c0.c1023 key=(null)

Hash String generated from catchall,ps,ksmtuned_t,kernel_t,dir,getattr

audit2allow suggests:

#============= ksmtuned_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow ksmtuned_t kernel_t:dir getattr;

Are you intentionally using MLS policy?
*** This bug has been marked as a duplicate of bug 606114 ***