Bug 183387

Summary: SELinux breaks ps
Product: [Fedora] Fedora
Reporter: Ron Yorston <rmy>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5
CC: deisenst, jmorris, rcoker, sdsmall
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-2.2.23-15
Doc Type: Bug Fix
Last Closed: 2006-03-04 15:37:55 UTC

Description Ron Yorston 2006-02-28 19:47:03 UTC
Description of problem:

On an FC5T3 system running 'ps ax' as an ordinary user gives different results
than the same command run as root.  With enforcing=0 the command gives the same
results for both users.

Steps to Reproduce:
1.  As root run 'ps ax | wc -l'
2.  As an ordinary user run 'ps ax | wc -l'
Actual results:
1.  104
2.   94

Expected results:
1.  104
2.  104


Additional info:
Running 'strace ps ax | grep Permission' as an ordinary user gives:

open("/proc/425/stat", O_RDONLY)        = -1 EACCES (Permission denied)
open("/proc/1897/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/1925/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/1970/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2016/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2262/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2287/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2290/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2543/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2546/stat", O_RDONLY)       = -1 EACCES (Permission denied)

The processes in question are:

  425 /sbin/udevd -d
 1897 cupsd
 1925 /usr/sbin/sshd
 1970 crond
 2016 /usr/sbin/atd
 2262 /usr/sbin/gdm-binary -nodaemon
 2287 /usr/sbin/gdm-binary -nodaemon
 2290 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
 2543 su
 2546 bash

Comment 1 Daniel Walsh 2006-03-04 15:37:55 UTC
This is intended behaviour and part of SELinux with MCS policy.

If you want a user to be able to see these processes you could set them up with
the privs to read them:

semanage login -m -r s0-SystemHigh Login

Comment 2 Stephen Smalley 2006-03-10 13:10:08 UTC
I'm not sure that is an intentional behavior for MCS, which is discretionary and
primarily file-oriented.  Likely just an inadvertent side effect of the
constraints on file access, since the attempt to access /proc/pid entries will
look like an attempt to access a file with the categories of that process.
Possibly that constraint should have an exception for t2 == domain, i.e. file
has a domain label thereby implying a proc file? 

Comment 3 Daniel Walsh 2006-03-10 13:24:55 UTC
Fixed in selinux-policy-2.2.23-15