Bug 789715

Summary: ptrace change appears to need more exceptions.
Product: [Fedora] Fedora Reporter: Bruno Wolff III <bruno>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: bruno, dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-14 20:49:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Bruno Wolff III 2012-02-12 14:30:48 UTC
Description of problem:
Several packages are using the ptrace capability and generate lots of logs. In enforcing mode this was even blocking semodule for loading a module.

For now I am using the following:
#============= consolekit_t ==============
allow consolekit_t self:capability sys_ptrace;

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t self:capability sys_ptrace;

#============= syslogd_t ==============
allow syslogd_t self:capability sys_ptrace;


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-86.fc17.noarch

Additional info:
Note that this is in rawhide. The same package works OK in branched (f17).

getsebool reports:
deny_ptrace --> off

Comment 1 Bruno Wolff III 2012-02-12 15:48:05 UTC
It's possible that the part of the issue getting semodule to load a policy may have been just very slow do to all of the AVCs rather than actual blocking. I waited several minutes and then tried setenforce 0 and it finished shortly afterwards. But that might have been a coincidence or maybe the load was reduced a bit.

Comment 2 Daniel Walsh 2012-02-14 20:49:00 UTC
The sys_ptrace access will be allowed in selinux-policy-3.10.0-88.fc17.noarch