Bug 787840 (ptraceexe)

Summary: SELinux is preventing /usr/libexec/postfix/local from 'sys_ptrace' accesses on the None /var/spool/postfix/active/1C60C6EC7.
Product: Fedora
Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: kernel
Assignee: Eric Paris <eparis>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: awilliam, dominick.grift, drjohnson1, dwalsh, eparis, frankly3d, gansalmon, itamar, johannbg, jonathan, jreiser, kernel-maint, madhu.chinakonda, me, mgrepl, mnowak, rbergero, robatino, tehfoo+bugs, tflink
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:8c02272b4a0a202c05f45fe61c82198fb9bd7da0d407ddcf3642863032751535 AcceptedNTH
Fixed In Version: selinux-policy-3.10.0-88.fc17
Doc Type: Bug Fix
Last Closed: 2012-02-21 19:04:10 UTC
Bug Blocks: 752651
Attachments: File: description (flags: none)

Description Nicolas Mailhot 2012-02-06 22:02:43 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc2.git4.1.fc17.x86_64
reason:         SELinux is preventing /usr/libexec/postfix/local from 'sys_ptrace' accesses on the None /var/spool/postfix/active/1C60C6EC7.
time:           lun. 06 févr. 2012 22:54:09 CET

description:    Text file, 32488 bytes

Comment 1 Nicolas Mailhot 2012-02-06 22:02:46 UTC
Created attachment 559763 [details]
File: description

Comment 2 Miroslav Grepl 2012-02-07 09:52:18 UTC
*** Bug 787843 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2012-02-07 09:52:43 UTC
*** Bug 787845 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2012-02-07 10:56:27 UTC
*** Bug 788038 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2012-02-07 11:37:58 UTC
*** Bug 787844 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2012-02-09 08:20:45 UTC
*** Bug 788174 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2012-02-09 08:25:15 UTC
*** Bug 788175 has been marked as a duplicate of this bug. ***

Comment 8 Tobias Florek 2012-02-12 14:20:23 UTC
Shouldn't the summary reflect that this bug collects all/most/some 'sys_ptrace-is-now-forbidden' bugs?

Comment 9 Daniel Walsh 2012-02-13 22:18:54 UTC
Well this is really not related to that issue. These are being caused because the kernel is requiring sys_ptrace access for any process that tries to read the link file /proc/PID/exe, where the PID is not the same as the process trying to read it.

This link points to the path of the executable used to start the process.  I believe that the kernel should be requiring DAC_READ_SEARCH and not SYS_PTRACE for this access.

Comment 10 Adam Williamson 2012-02-14 18:38:45 UTC
Proposing this as NTH for Alpha: it'll cause massive AVC spam and -88 fixes it but missed the freeze. Basically any time something writes to syslog you'll get an AVC, according to dwalsh. So if we don't fix this we might wind up with a lot of annoying dupes filed from Alpha.
-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 11 Tim Flink 2012-02-14 18:48:40 UTC
+1 NTH

Comment 12 Robyn Bergeron 2012-02-14 19:05:42 UTC
+1 NTH

Comment 13 d. johnson 2012-02-14 19:11:36 UTC
+1 NTH

This does not back out https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace

Comment 14 Adam Williamson 2012-02-14 19:35:13 UTC
three +1s, plus me: accepting as NTH.

Comment 15 Daniel Walsh 2012-02-14 19:40:26 UTC
*** Bug 790330 has been marked as a duplicate of this bug. ***

Comment 16 Daniel Walsh 2012-02-14 20:30:52 UTC
+1 NTH

This does not back out https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace

No, I will blog on this soon.

My current understanding of sys_ptrace is ...

If any process tries to look at information about a process with a different UID inside of the /proc file system, it will require sys_ptrace access.  (Although not all fields are protected by it.)  If you tried to actually look at the memory information about a different process, this requires ptrace.

So any process that will be running as root and expect the ps/killall/pidof type commands to work will need the sys_ptrace capability.

From an SELinux point of view this is 

allow X_t self:capability sys_ptrace;

If a process wants to also examine/modify the memory of any process other than its own (/proc/self), this will require the process ptrace access.

allow X_t Y_t:process ptrace;
or 
allow X_t self:process ptrace;

This means we can block all ptrace, but blocking sys_ptrace is impractical.

What is strange, is up until the latest kernels, I did not see this issue.
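The distinction Comment 9 and Comment 16 draw (a `capability sys_ptrace` check triggered by reading another process's /proc entries, such as /proc/PID/exe, versus a `process ptrace` check for actually inspecting another process's memory) is easy to lose when an AVC denial is fed straight into an allow rule. The script below is an added example, not part of this bug thread or of any Fedora tooling: it parses audit-style AVC records, derives the `allow` rule each one would need in the two forms Comment 16 gives, and separates the /proc-inspection cases (which the comment says are impractical to block) from real cross-domain ptrace, which a policy author should review before allowing. The three AVC lines are constructed for the example; the first mimics the postfix `local` denial this bug reports, the other two are hypothetical. It assumes the standard `avc: denied { perms } for ... scontext=... tcontext=... tclass=...` record layout.

```python
import re

# Constructed sample AVC records (not taken from the bug's attachment).
# The first mirrors the denial the bug reports: postfix's local(8) reading
# /proc/PID/exe of another process trips the sys_ptrace capability check.
# The second and third are hypothetical, added for contrast.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1328563249.101:201): avc:  denied  { sys_ptrace } for  '
    'pid=1234 comm="local" capability=19  '
    'scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=system_u:system_r:postfix_local_t:s0 tclass=capability',
    'type=AVC msg=audit(1328563249.102:202): avc:  denied  { ptrace } for  '
    'pid=2345 comm="gdb"  '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1328563249.103:203): avc:  denied  { ptrace } for  '
    'pid=3456 comm="foo"  '
    'scontext=system_u:system_r:foo_t:s0 '
    'tcontext=system_u:system_r:foo_t:s0 tclass=process',
]

# Standard AVC denial layout: permissions in braces, then comm, then the
# source/target contexts and the target object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def classify_avc(line):
    """Map one AVC denial to the allow rule it would need plus a risk label.

    Returns None for lines that are not AVC denials.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group('perms').split()
    stype = context_type(m.group('scontext'))
    ttype = context_type(m.group('tcontext'))
    tclass = m.group('tclass')
    cross_domain = stype != ttype
    # Same source and target type collapses to the 'self' form from Comment 16.
    target = ttype if cross_domain else 'self'
    rule = 'allow {} {}:{} {};'.format(stype, target, tclass, ' '.join(perms))
    if tclass == 'capability' and 'sys_ptrace' in perms:
        # /proc inspection of other UIDs' processes (ps/killall/pidof-style):
        # Comment 16 says blocking this is impractical.
        kind = 'proc-inspection'
    elif tclass == 'process' and 'ptrace' in perms:
        # Actual tracing / memory access of another process: this one is
        # blockable, so a cross-domain hit deserves review, not a reflexive allow.
        kind = 'memory-access'
    else:
        kind = 'other'
    return {
        'comm': m.group('comm'),
        'rule': rule,
        'kind': kind,
        'cross_domain': cross_domain,
    }


def classify_avc_lines(lines):
    """Classify every AVC denial found in an iterable of audit log lines."""
    results = []
    for line in lines:
        entry = classify_avc(line)
        if entry is not None:
            results.append(entry)
    return results


def needs_review(entries):
    """Entries a policy author should look at before adding an allow rule:
    ptrace of another domain's memory, as opposed to plain /proc inspection."""
    return [e for e in entries if e['kind'] == 'memory-access' and e['cross_domain']]


if __name__ == '__main__':
    entries = classify_avc_lines(SAMPLE_AVC_LINES)
    for e in entries:
        print('{:<16} {:<8} {}'.format(e['kind'], e['comm'], e['rule']))
    print('to review:', [e['rule'] for e in needs_review(entries)])
```

Run against a real audit.log the same way (`classify_avc_lines(open('/var/log/audit/audit.log'))`); the `proc-inspection` bucket is where denials like this bug's land, while anything in `needs_review` is the ptrace access the SELinuxDenyPtrace feature is meant to keep blocked.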

Comment 17 Jóhann B. Guðmundsson 2012-02-15 21:11:18 UTC
+1 NTH

Comment 18 Adam Williamson 2012-02-16 02:05:15 UTC
Fix looks good in RC2, I see no sys_ptrace denials on boot. When I did a network install (so got the older selinux-policy), I saw a ton. So setting VERIFIED, we still need to push -88 to stable.

Comment 19 Adam Williamson 2012-02-21 19:04:10 UTC
-89 went stable, so we can close this now.