Bug 200083
| Field | Value |
|---|---|
| Summary | readlink of executables causing ptrace SELinux access check to fire |
| Product | [Fedora] Fedora |
| Component | kernel |
| Reporter | Daniel Walsh <dwalsh> |
| Assignee | Eric Paris <eparis> |
| QA Contact | Brian Brock <bbrock> |
| Status | CLOSED NOTABUG |
| Severity | low |
| Priority | high |
| Version | rawhide |
| CC | eparis, sdsmall, wtogami |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2006-07-26 18:11:23 UTC |
Description
Daniel Walsh
2006-07-25 13:07:34 UTC
proc uses ptrace checking as a way of controlling access to process private state. There were some changes upstream in recent kernels in this area, e.g. see: http://marc.theaimsgroup.com/?l=git-commits-head&m=115134545732646&w=2 SELinux is just applying ptrace checks consistently with the core kernel here.

So should these be dontaudited? Allowed?

You'd have to allow it if you wanted the caller to be able to find the process id of a given program via pidof. Naturally, you'd only do that for privileged domains.

Ok, so I guess this is not a bug. Updated policy.
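
The lookup discussed in this report, as an added example that is not part of the bug thread or of any project's code: a pidof-style scan that reads each `/proc/<pid>/exe` link and keeps the PIDs where the access check refused the read separate from the matches. The function name `pidof_by_exe` and its `proc_root` and `readlink` parameters are hypothetical, introduced here so the scan can also be run against a constructed directory.

```python
import os
import sys

DELETED_SUFFIX = " (deleted)"  # the kernel appends this once the binary is unlinked


def pidof_by_exe(target, proc_root="/proc", readlink=os.readlink):
    """Return (matching_pids, denied_pids) for processes whose exe link is target."""
    matches, denied = [], []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, net, ...
            continue
        pid = int(entry)
        try:
            exe = readlink(os.path.join(proc_root, entry, "exe"))
        except PermissionError:
            # EACCES/EPERM: the ptrace-style access check refused this caller,
            # either through ordinary permissions or through SELinux policy.
            denied.append(pid)
            continue
        except OSError:
            # Typically ENOENT: a kernel thread, or the process exited mid-scan.
            continue
        if exe.endswith(DELETED_SUFFIX):
            exe = exe[: -len(DELETED_SUFFIX)]
        if exe == target:
            matches.append(pid)
    return sorted(matches), sorted(denied)


if __name__ == "__main__":
    wanted = os.path.realpath(sys.argv[1] if len(sys.argv) > 1 else sys.executable)
    pids, denied = pidof_by_exe(wanted)
    print(f"{wanted}: pids={pids}")
    print(f"{len(denied)} process(es) hidden by the access check: {denied}")
```

A non-empty second list means the scan may have missed instances of the program, which is the gap an allow rule for a privileged domain closes.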