Bug 1202043
| Summary: | SELinux is preventing ps from using the 'sys_ptrace' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | roman <kud.rom.sh> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 21 | CC: | chrissharp123, dmarcotte1, dominick.grift, dwalsh, e.santos.maira, fredoche, jakob.janzen80, lvrabec, mark.hankins, mgrepl, olivier.sede, plautrba, plazaga, romain.rubi, sysunia40 |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:cec45f78995474867885fa5d717bc44dcc0a3bf1447806184a92e7760198f5c7 | ||
| Fixed In Version: | selinux-policy-3.13.1-105.19.fc21 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-07-14 15:50:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi, If you want allow this, follow steps in your report: ***** Plugin mozplugger (99.1 confidence) suggests ************************ If you want to use the plugin package Then you must turn off SELinux controls on the Firefox plugins. Do # setsebool -P unconfined_mozilla_plugin_transition 0 *** Bug 1220962 has been marked as a duplicate of this bug. *** I have the same warning. How to know why it occured in the first place? Could a security issue have been averted? Hi, It was caused by some firefox plugin. In first place, you need to identify the right plugin and then try to analyze its behavior. In general, we don't allow this kind of access to firefox plugins. This should probably be dontaudited. Running the ps command was a privileged process can cause sys_ptrace to happen. Their is special data under /proc that a privileged process would access by running the ps command, This data is almost ever actually read, the data is used by debugging tools to see where some of the randomized memory of a process is setup. Easiest thing to do is to dontaudit the access. Agree.
commit 727b69accb9d2ba053535fb215a443bc3583ba01
Author: Lukas Vrabec <lvrabec>
Date: Mon Jun 29 13:21:35 2015 +0200
Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)
Ok thanks for the details. selinux-policy-3.13.1-105.19.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.19.fc21 Package selinux-policy-3.13.1-105.19.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.19.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-10958/selinux-policy-3.13.1-105.19.fc21 then log in and leave karma (feedback). selinux-policy-3.13.1-105.19.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing ps from using the 'sys_ptrace' capabilities. ***** Plugin mozplugger (99.1 confidence) suggests ************************ If you want to use the plugin package Then you must turn off SELinux controls on the Firefox plugins. Do # setsebool -P unconfined_mozilla_plugin_transition 0 ***** Plugin catchall (1.81 confidence) suggests ************************** If you believe that ps should have the sys_ptrace capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep ps /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Objects Unknown [ capability ] Source ps Source Path ps Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-105.6.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.18.9-200.fc21.x86_64 #1 SMP Mon Mar 9 15:10:50 UTC 2015 x86_64 x86_64 Alert Count 2 First Seen 2015-03-14 17:51:21 MSK Last Seen 2015-03-14 20:33:52 MSK Local ID 3b45ff36-3e3d-42a5-bf70-1b6085f607a4 Raw Audit Messages type=AVC msg=audit(1426354432.990:29008): avc: denied { sys_ptrace } for pid=14391 comm="ps" capability=19 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=capability permissive=0 Hash: ps,mozilla_plugin_t,mozilla_plugin_t,capability,sys_ptrace Version-Release number of selected component: selinux-policy-3.13.1-105.6.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.9-200.fc21.x86_64 type: libreport Potential duplicate: bug 662295