SElinux errors about "ps"


#1

Hi,

I recently noticed some errors in /var/adm/messages :


Jan 18 05:51:05 web setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/<pid>. For complete SELinux messages. run sealert -l e3ac9aa
8-b210-4a8d-802d-e1eea72f322c
Jan 18 05:51:05 web setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/<pid>. For complete SELinux messages. run sealert -l e3ac9aa
8-b210-4a8d-802d-e1eea72f322c
Jan 18 06:01:09 web setroubleshoot: SELinux is preventing /bin/ps from getattr access on the directory /proc/<pid>. For complete SELinux messages. run sealert -l 6ed0a9b
8-f56b-4d1f-94f3-cbbd2e596dc5
Jan 18 08:04:29 web rsyslogd-2177: imuxsock lost 202 messages from pid 16931 due to rate-limiting
Jan 18 08:04:29 web audispd: queue is full - dropping event
Jan 18 08:04:29 web audispd: queue is full - dropping event
Jan 18 08:04:29 web audispd: queue is full - dropping event
Jan 18 08:04:29 web audispd: queue is full - dropping event
Jan 18 08:04:29 web audispd: queue is full - dropping event

Lots of them, like hundreds and lots of dropped messages due to rate limiting.
After some investigation, it seems to be Piwik code doing this. In piwik/core/CliMulti/Process.php I found :


  private function isProcessStillRunning($content)
    {
        if (!$this->isSupported) {
            return true;
        }
 
        $lockedPID   = trim($content);
        $runningPIDs = explode("\n", trim( `ps -e | awk '{print $1}'` ));
 
        return !empty($lockedPID) && in_array($lockedPID, $runningPIDs);
    }

I’d rather not grant the web context permission to run “ps” on everything. So, first question, what/where/how can I unset “isSupported”? If that turns off looking through all processes then fine. But as it’s clearly trying to do it, will that have any knock on problems if the function simply returns true all the time?

Thanks,
Max


(Matthieu Napoli) #2

If you overwrite the code to force isSupported to false, then the archiving will work using HTTP requests to Piwik instead of launching sub-processes. That is slower, I don’t know by how much.

Keep in mind that if you do overwrite the code, the next update of Piwik will revert your changes. There is no configuration option to disable that part of the code.