Bug 344431

Summary: SELinux denies /usr/bin/Xorg (xdm_xserver_t) "getattr" to /proc/5452/cmdline (unconfined_t)
Product: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: Julian Sikorski <belegdol>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Fixed In Version: 3.0.8-56.fc8
Doc Type: Bug Fix
Last Closed: 2007-11-21 22:54:05 UTC

Description Julian Sikorski 2007-10-21 12:53:34 UTC
Description of problem:
As promised, I am opening a separate bug report for that:

avc: denied { getattr } for comm=X dev=proc egid=0 euid=0 exe=/usr/bin/Xorg
exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=5452 path=/proc/5452/cmdline pid=4039
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:system_r:unconfined_t:s0 tty=tty7 uid=0

The number after proc changes, and also /usr/bin/Xorg (xdm_xserver_t) is
replaced with X (xdm_xserver_t). I am happy to provide more info if necessary.
Note that I am running the nvidia binary driver, but I don't know if it is related.

Version-Release number of selected component (if applicable):
3.0.8-28.fc8
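To triage denials like the one above without hand-reading the record, the following added example (not part of the bug report or of selinux-policy) parses an AVC line into its fields, extracts the source and target SELinux types, and flags the pattern under discussion: the X server type (xdm_xserver_t) touching another process's /proc entry, whatever the pid. The sample record is the one quoted in the description, joined onto one line; the helper names are my own.

```python
import re

# The AVC denial from this bug report, re-joined onto a single line
# (the report shows it wrapped). Constructed sample input.
AVC_SAMPLE = (
    "avc: denied { getattr } for comm=X dev=proc egid=0 euid=0 exe=/usr/bin/Xorg "
    "exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=5452 path=/proc/5452/cmdline pid=4039 "
    "scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=file "
    "tcontext=system_u:system_r:unconfined_t:s0 tty=tty7 uid=0"
)

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split(), "fields": fields}
    # A context reads user:role:type[:level]; the type is the third component.
    for side in ("scontext", "tcontext"):
        parts = fields.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def proc_target_pid(rec):
    """If the target path is /proc/<pid> or a file below it, return that pid, else None."""
    m = re.match(r"/proc/(\d+)(?:/|$)", rec["fields"].get("path", ""))
    return int(m.group(1)) if m else None


def is_xserver_proc_denial(rec):
    """True for the pattern in this bug: xdm_xserver_t denied access to some /proc/<pid> entry.
    Matches both the file case (cmdline) and the directory 'search' case from the duplicate bug."""
    return (rec is not None and rec["verdict"] == "denied"
            and rec["scontext_type"] == "xdm_xserver_t"
            and rec["fields"].get("tclass") in ("file", "dir")
            and proc_target_pid(rec) is not None)


if __name__ == "__main__":
    r = parse_avc(AVC_SAMPLE)
    print(r["scontext_type"], r["perms"], r["tcontext_type"], proc_target_pid(r))
```

The pid extracted here is the one to look up while the process is still alive, which is exactly the part comment 7 finds hard to do after the fact.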

Comment 1 Adam Jackson 2007-10-22 13:36:56 UTC
It would be nice to know what pid 5452 is; if you can reproduce this, what
process is it trying to read the command line for?

But I'm pretty sure this is something in the nvidia driver, nothing in plain X
looks at /proc/*/cmdline that I know of.

Comment 2 Daniel Walsh 2007-10-22 13:44:53 UTC
Allowed in 3.0.8-29.fc8

Comment 3 Daniel Walsh 2007-10-22 13:45:29 UTC
*** Bug 344421 has been marked as a duplicate of this bug. ***

Comment 4 Julian Sikorski 2007-10-22 13:51:20 UTC
Huh? Are these two really the same? I mean, the audit messages are different:
getattr to cmdline, and search to unknown.

Comment 5 Daniel Walsh 2007-10-22 15:17:35 UTC
Well, yes, the first one is trying to read the directory and the second one the
file.  So from my perspective we need to figure out whether we want X to be able
to read /proc/USER/*

Comment 6 Julian Sikorski 2007-10-22 15:22:48 UTC
Thanks for clarification.

Comment 7 Julian Sikorski 2007-10-24 17:13:25 UTC
Hmm, still present in 3.0.8-30.fc8. Maybe I need a relabel? Anyway, I'm going to
try to figure out what the pid means, but this is kind of hard. This is because
as short as 2 minutes after the SELinux denial pidof returns nothing. If the
program is causing the denial on exit, we may never know.

Comment 8 Daniel Walsh 2007-10-24 18:06:43 UTC
That is because I lied.  Try 3.0.8-32.fc8

Comment 9 Julian Sikorski 2007-10-26 15:50:36 UTC
Hmm, denial still present. I'll run a relabel, just in case.

Comment 10 Julian Sikorski 2007-10-27 08:59:21 UTC
Relabel did not help.

Comment 11 Daniel Walsh 2007-11-19 15:57:19 UTC
Fixed in selinux-policy-3.0.8-56.fc8