Bug 1615087

Summary: AVC denied sys_ptrace shows up a lot in the logs
Product: [Fedora] Fedora
Reporter: Kees de Jong <keesdejong+dev>
Component: psad
Assignee: Dominik 'Rathann' Mierzejewski <dominik>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 29
CC: admiller, dominik
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Fixed In Version: psad-2.4.6-2.fc29 psad-2.4.6-2.fc28
Last Closed: 2019-03-06 06:58:02 UTC
Type: Bug

Description Kees de Jong 2018-08-12 08:08:09 UTC
Description of problem: Auto-IDS does work, but when running, PSAD generates a lot of SELinux AVC errors.


Version-Release number of selected component (if applicable): psad-2.4.6-1.fc28.x86_64


Steps to Reproduce regular errors:
1. Start PSAD (systemctl start psad)
2. Check the logs (journalctl -f --grep AVC)
3. Notice the following error:
aug 12 10:05:57 defiant audit[25851]: AVC avc:  denied  { sys_ptrace } for  pid=25851 comm="ps" capability=19  scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:psad_t:s0 tclass=cap_userns permissive=0


Actual results: PSAD runs, but with a lot of SELinux denied errors.


Expected results: PSAD seems to run with full functionality, but does generate a lot of AVC warnings.

Comment 1 Dominik 'Rathann' Mierzejewski 2018-08-13 17:14:53 UTC
Correct, it probably needs some dontaudit rules. I'll get to it eventually. Patches welcome.
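
Added example, not part of the original bug report or of the psad package: a small parser that tallies AVC denials like the one quoted in the description and prints a candidate dontaudit statement for each distinct denial. All function names and every log line except the first are constructed for illustration, and the rule text is a candidate only, not the change shipped in psad-2.4.6-2.

```python
import re
from collections import Counter

# Constructed input: line 1 is the record quoted in the report; the rest are
# made up here to exercise the parser (a second denial kind and a non-AVC line).
SAMPLE_LOG = """\
aug 12 10:05:57 defiant audit[25851]: AVC avc:  denied  { sys_ptrace } for  pid=25851 comm="ps" capability=19  scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:psad_t:s0 tclass=cap_userns permissive=0
aug 12 10:05:58 defiant audit[25853]: AVC avc:  denied  { sys_ptrace } for  pid=25853 comm="ps" capability=19  scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:psad_t:s0 tclass=cap_userns permissive=0
aug 12 10:06:01 defiant audit[25860]: AVC avc:  denied  { read } for  pid=25860 comm="psad" name="example" scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
aug 12 10:06:02 defiant systemd[1]: Started psad.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field (third of user:role:type[:level]) or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one journal line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    rec["stype"] = selinux_type(rec.get("scontext", ""))
    rec["ttype"] = selinux_type(rec.get("tcontext", ""))
    if not (rec["stype"] and rec["ttype"] and "tclass" in rec):
        return None
    return rec

def summarize(log_text):
    """Count denials per (source type, target type, class, permission, comm)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm, rec.get("comm"))] += 1
    return counts

def dontaudit_rule(stype, ttype, tclass, perm):
    """Candidate policy statement; 'self' is used when source == target type."""
    target = "self" if stype == ttype else ttype
    return f"dontaudit {stype} {target}:{tclass} {perm};"

if __name__ == "__main__":
    for (st, tt, cls, perm, comm), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  comm={comm}  {dontaudit_rule(st, tt, cls, perm)}")
```

A dontaudit rule only silences the log entry; the access stays denied, so each candidate should be checked against what the daemon actually needs before it goes into policy.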

Comment 2 Jan Kurik 2018-08-14 11:12:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 3 Kees de Jong 2019-02-21 08:30:08 UTC
Hi Dominik, is this still on your radar? On average my CPU is busy with setroubleshootd between 10% and 25% because of all the AVC errors it needs to process. There are many generated every second. If you don't have the time and/or skills, then please contact someone from a special interest group that could help. For example: https://fedoraproject.org/wiki/Category:SIGs?rd=SIGs#Security

I don't have the time at the moment either. Maybe in the future I could co-maintain this package, but for now it's not possible.

Comment 4 Dominik 'Rathann' Mierzejewski 2019-02-21 13:39:32 UTC
(In reply to Kees de Jong from comment #3)
> Hi Dominik, is this still on your radar?

Hello, Kees. Yes, it is. I'm slowly working through my bug list on bugzilla.
I hope to tackle psad next week.

> On average my CPU is busy with
> setroubleshootd between 10% and 25% because of all the AVC errors it needs
> to process. There are many generated every second.

Sorry to hear that. I can understand this is an issue for you and I'll keep
that in mind.

> If you don't have the
> time and/or skills, then please contact someone from a special interest
> group that could help. For example:
> https://fedoraproject.org/wiki/Category:SIGs?rd=SIGs#Security

Thanks for the link.

> I don't have the time at the moment either. Maybe in the future I could
> co-maintain this package, but for now it's not possible.

I see. Thanks for letting me know.

Comment 5 Fedora Update System 2019-02-25 14:24:11 UTC
psad-2.4.6-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0c24af8e11

Comment 6 Fedora Update System 2019-02-25 14:24:29 UTC
psad-2.4.6-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c2167f24f4

Comment 7 Fedora Update System 2019-02-26 02:12:05 UTC
psad-2.4.6-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c2167f24f4

Comment 8 Fedora Update System 2019-02-26 04:11:14 UTC
psad-2.4.6-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0c24af8e11

Comment 9 Fedora Update System 2019-03-06 06:58:02 UTC
psad-2.4.6-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2019-03-06 15:28:05 UTC
psad-2.4.6-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.