Bug 806475

Summary: under a custom defined domain, ps returns lots of denied messages
Product: Red Hat Enterprise Linux 5 Reporter: David Hill <dhill>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: unspecified    
Version: 5.8CC: dhill, dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-26 10:41:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description David Hill 2012-03-23 21:39:00 UTC 
Description of problem:
Under a custom defined domain, ps returns lots of denied messages ...

Version-Release number of selected component (if applicable):


How reproducible:
Every time.

Steps to Reproduce:
1. Create a custom selinux policy
2. Grant wanted rights to the policy
3. Create a confined app to the new domain that will do a simple "ps" 
4. Run the application
5. cat /var/log/audit/auditd.log
  
Actual results:
Denied


Expected results:
Not denied, it's PS!!!


Additional info:
I could turn off auditing for these but if a new context appears, I will have to turn off auditing for that new context too!!

Suggestion:
Create a context for ps that any domain could transition to and that would be reserved to "ps".

IE:

initrc_exec_t
\-> tomcat_t
  \-> ps_bin_t
     \-> unconfined_t

Unless we're not trusting "ps", I still feel this is annoyance more than anything.

The problem I face is that /proc/myPID/myfiles are labelled according to the domain in which the processes are and my domain isn't allowed to read those files...
Comment 1 Miroslav Grepl 2012-03-26 10:41:09 UTC 
Yes, this is on RHEL5 where you need to allow read all domain state.