Bug 1807542

Summary: allow rules exist which circumvent the deny_ptrace boolean
Product: Red Hat Enterprise Linux 9
Component: selinux-policy
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: 9.0
Target Milestone: beta
Target Release: 9.0
Hardware: All
OS: Linux
Reporter: Milos Malik <mmalik>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mmalik, plautrba, ssekidde
Keywords: Triaged
Flags: pm-rhel: mirror+
Doc Type: No Doc Update
Clone Of: 1421075
Last Closed: 2021-10-20 07:27:06 UTC
Type: Bug

Description Milos Malik 2020-02-26 15:18:12 UTC
+++ This bug was initially created as a clone of Bug #1421075 +++

Description of problem:
All rules which allow the ptrace operation should be controlled via the deny_ptrace boolean.
* https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-39.el8.noarch
selinux-policy-targeted-3.14.3-39.el8.noarch
selinux-policy-mls-3.14.3-39.el8.noarch
selinux-policy-devel-3.14.3-39.el8.noarch

How reproducible:
* always

Steps to Reproduce:
# sesearch --allow -p ptrace | grep -v deny_ptrace | grep allow
allow staff_t wireshark_t:process { getattr ptrace sigchld sigkill signal signull sigstop transition };
allow svirt_t svirt_t:process { fork getcap getsched ptrace setrlimit setsched sigchld sigkill signal signull sigstop };
allow sysadm_t lockdev_t:process { getattr ptrace sigchld sigkill signal signull sigstop transition };
allow sysadm_t wireshark_t:process { getattr ptrace sigchld sigkill signal signull sigstop transition };
#

Actual results:
* the output of the above-mentioned command contains 4 allow rules

Expected results:
* the output of the above-mentioned command is empty
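
The check from the reproduction steps, written as a reusable policy gate (an added example, not part of the original report or of selinux-policy): it parses sesearch-style output field by field instead of grepping whole lines, and marks self-ptrace rules such as the svirt_t one. The function names and the last two sample rules are constructed, and the `[ deny_ptrace ]:False` suffix is an assumption about how sesearch prints conditional rules.

```shell
#!/bin/sh
# Constructed sample: the four rules quoted in this report, plus two made-up
# lines (a rule gated by deny_ptrace, and a capability rule that is not
# process:ptrace) to exercise the parser. The "#" line mimics the shell prompt.
sample_sesearch_output() {
    cat <<'EOF'
allow staff_t wireshark_t:process { getattr ptrace sigchld sigkill signal signull sigstop transition };
allow svirt_t svirt_t:process { fork getcap getsched ptrace setrlimit setsched sigchld sigkill signal signull sigstop };
allow sysadm_t lockdev_t:process { getattr ptrace sigchld sigkill signal signull sigstop transition };
allow sysadm_t wireshark_t:process { getattr ptrace sigchld sigkill signal signull sigstop transition };
allow sysadm_t domain:process ptrace; [ deny_ptrace ]:False
allow example_t self:capability sys_ptrace;
#
EOF
}

# Read sesearch-style rules on stdin; print "source target self|cross" for
# every allow rule granting process:ptrace with no deny_ptrace condition.
# On a real system: sesearch --allow -p ptrace | unconditional_ptrace
unconditional_ptrace() {
    awk '
    $1 != "allow" { next }                        # prompts, blanks, other rule types
    {
        semi = index($0, ";")
        if (semi == 0) next                       # truncated line, ignore
        rule = substr($0, 1, semi - 1)
        cond = substr($0, semi + 1)               # "[ bool ]:True|False" or empty
        if (index(cond, "deny_ptrace")) next      # already gated by the boolean
        n = split(rule, f)                        # allow src tgt:class perms...
        split(f[3], tc, ":")
        if (tc[2] != "process") next              # e.g. capability:sys_ptrace
        hit = 0
        for (i = 4; i <= n; i++) if (f[i] == "ptrace") hit = 1
        if (hit) print f[2], tc[1], (f[2] == tc[1] || tc[1] == "self" ? "self" : "cross")
    }'
}

# Policy gate: succeeds only when no ungated ptrace rule is found on stdin.
deny_ptrace_covers_all() {
    [ -z "$(unconditional_ptrace)" ]
}

sample_sesearch_output | unconditional_ptrace
```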

Comment 4 Zdenek Pytela 2021-08-11 16:25:47 UTC
The expectation that all ptrace permissions should be controlled by the deny_ptrace boolean is correct; changing the behaviour in the middle of the RHEL 8 lifecycle, though, means a non-negligible regression risk, especially for virt domains:

allow svirt_t svirt_t:process { fork getcap getsched ptrace setrlimit setsched sigchld sigkill signal signull sigstop };

hence retargeting to RHEL 9.

Comment 8 RHEL Program Management 2021-10-20 07:27:06 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.