On Fri, 05 May 2017 23:54:20 -0500, Ian Pilcher wrote:

> I am trying to write an SELinux policy to confine a simple service that
> I have written in Python, and I'm trying to decide whether to allow or
> dontaudit various denials.
>
> To start, I've reduced my service to the simplest case:
>
> #!/usr/bin/python
>
> import sys
>
> sys.exit()
>
> Running this program in a confined domain generated the following
> denial:
>
> avc: denied { read } for pid=2024 comm="denatc" name="meminfo"
> dev="proc" ino=4026532028 scontext=system_u:system_r:denatc_t:s0
> tcontext=system_u:object_r:proc_t:s0 tclass=file
>
> The program does continue on and exit cleanly, so it doesn't seem to
> strictly require the access.
>
> Does anyone know why Python is trying to access this file, or what
> functionality I might be missing if I don't allow the access?
The obvious answer is Python is checking to see if there is enough RAM
and/or stack space. I'm not sure why the access was denied though.
Something here might be of help...

https://lists.gt.net/gentoo/hardened/259011

-- 
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!

-- 
https://mail.python.org/mailman/listinfo/python-list
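As an added example (not code from the thread or from either poster), the script below does by hand what audit2allow does for a record like the one quoted in the question: it parses the AVC fields out of the log line and renders either an `allow` or a `dontaudit` TE rule, wrapped in an audit2allow-style module source. The sample record is the one from the question; the module name `denatc` is assumed from the domain name in that record, and the `dontaudit` choice in the demo is only an illustration, since which rule is right is exactly what the question asks.

```python
"""Render SELinux AVC denials as allow / dontaudit TE rules.

Added example, not code from the thread. It hand-rolls the parsing that
audit2allow performs so the allow-versus-dontaudit decision is an explicit
argument per denial instead of audit2allow's default of 'allow'. The module
name and the 'dontaudit' choice in the demo are assumptions.
"""
import re
from dataclasses import dataclass

# The AVC record quoted in the question, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { read } for pid=2024 comm="denatc" name="meminfo" '
    'dev="proc" ino=4026532028 scontext=system_u:system_r:denatc_t:s0 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=file'
)

# "{ perm1 perm2 }" then the key=value tail; search() tolerates an
# audit.log "type=AVC msg=audit(...):" prefix in front of "avc:".
_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<tail>.*)')
# key=value where value is either "quoted" or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Denial:
    perms: tuple      # sorted permission names, e.g. ("read",)
    scontext: str     # user:role:type:level of the subject
    tcontext: str     # user:role:type:level of the object
    tclass: str       # object class, e.g. "file"
    comm: str         # process name, if present
    name: str         # object name, if present

    @property
    def source_type(self):
        return self.scontext.split(":")[2]

    @property
    def target_type(self):
        return self.tcontext.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record into a Denial; ValueError if malformed."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    perms = tuple(sorted(m.group("perms").split()))
    if not perms:
        raise ValueError("AVC record without permissions: %r" % line)
    fields = {k: (quoted or bare or "")
              for k, quoted, bare in _KV_RE.findall(m.group("tail"))}
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError("AVC record missing %s: %r" % (key, line))
    for key in ("scontext", "tcontext"):
        if fields[key].count(":") < 2:   # need at least user:role:type
            raise ValueError("malformed %s: %r" % (key, fields[key]))
    return Denial(perms, fields["scontext"], fields["tcontext"],
                  fields["tclass"], fields.get("comm", ""), fields.get("name", ""))


def te_rule(denial, decision):
    """One TE rule. 'allow' grants the access; 'dontaudit' keeps denying it
    but silences the log, which only makes sense when the program copes
    with the denial (as the question reports for this one)."""
    if decision not in ("allow", "dontaudit"):
        raise ValueError("decision must be 'allow' or 'dontaudit', got %r" % decision)
    perms = " ".join(denial.perms)
    if len(denial.perms) > 1:
        perms = "{ %s }" % perms
    return "%s %s %s:%s %s;" % (decision, denial.source_type,
                                denial.target_type, denial.tclass, perms)


def policy_module(name, version, decisions):
    """audit2allow-style .te source for (Denial, decision) pairs: a require
    block naming every type and class/permission used, then one rule per
    distinct decision (duplicates collapse)."""
    types, classes, rules = set(), {}, []
    for denial, decision in decisions:
        types.update((denial.source_type, denial.target_type))
        classes.setdefault(denial.tclass, set()).update(denial.perms)
        rule = te_rule(denial, decision)
        if rule not in rules:
            rules.append(rule)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    # 'dontaudit' because the question says the program exits cleanly anyway;
    # whether that is the right rule is the open question in the thread.
    print(policy_module("denatc", "1.0", [(denial, "dontaudit")]))
```

The generated source is what you would feed to `checkmodule`/`semodule_package` (or `audit2allow -M`); the point of writing the decision out per denial is that `dontaudit` hides the denial from future logs, so it should only be chosen after confirming, as the question did, that the program behaves correctly without the access.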