| Summary: | under a custom defined domain, ps returns lots of denied messages | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | David Hill <dhill> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 5.8 | CC: | dhill, dwalsh |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-03-26 10:41:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Yes, this is on RHEL5 where you need to allow read all domain state.
Description of problem:
Under a custom defined domain, ps returns lots of denied messages ...

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. Create a custom selinux policy
2. Grant wanted rights to the policy
3. Create a confined app to the new domain that will do a simple "ps"
4. Run the application
5. cat /var/log/audit/auditd.log

Actual results:
Denied

Expected results:
Not denied, it's PS!!!

Additional info:
I could turn off auditing for these but if a new context appears, I will have to turn off auditing for that new context too!!

Suggestion: Create a context for ps that any domain could transition to and that would be reserved to "ps". i.e.: initrc_exec_t -> tomcat_t -> ps_bin_t -> unconfined_t

Unless we're not trusting "ps", I still feel this is an annoyance more than anything. The problem I face is that /proc/myPID/myfiles are labelled according to the domain in which the processes are and my domain isn't allowed to read those files...
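A practical way to act on the "allow read all domain state" answer, as an added example that is not part of the bug report: a small POSIX sh script that reads AVC denials from audit.log, separates the /proc/<pid> reads that ps performs (those targets carry a process role rather than object_r, because /proc/<pid> entries are labelled with the domain of that process, as the reporter observes) from reads of the static /proc files labelled proc_t and from anything unrelated, and emits a policy module that calls the refpolicy interfaces domain_read_all_domains_state() and kernel_read_system_state() instead of a separate allow rule for every target domain. Because those interfaces are written against the domain attribute, they also cover domains that appear later, which is exactly the recurring-denial problem in "Additional info". The domain name myapp_t, the module name myapp_ps and the audit lines are constructed for illustration; the interface names come from the refpolicy domain.if and kernel.if that selinux-policy-targeted is built from, so confirm them against the .if files under /usr/share/selinux/devel/include on the target system.

```shell
#!/bin/sh
# Added example (not from the bug report): triage AVC denials produced by ps in
# a confined domain and turn them into refpolicy interface calls rather than one
# raw allow rule per target domain.  myapp_t and the audit lines are constructed.
SAMPLE_AVC='type=AVC msg=audit(1332750000.101:201): avc:  denied  { read } for  pid=2345 comm="ps" name="stat" dev=proc ino=12345 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1332750000.102:202): avc:  denied  { search } for  pid=2345 comm="ps" name="2346" dev=proc ino=12346 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=dir
type=AVC msg=audit(1332750000.103:203): avc:  denied  { read } for  pid=2345 comm="ps" name="exe" dev=proc ino=12347 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=lnk_file
type=AVC msg=audit(1332750000.104:204): avc:  denied  { read } for  pid=2345 comm="ps" name="stat" dev=proc ino=12345 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1332750000.105:205): avc:  denied  { read } for  pid=2345 comm="ps" name="uptime" dev=proc ino=4026531850 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1332750000.106:206): avc:  denied  { write } for  pid=2350 comm="myapp" name="index.html" dev=sda1 ino=99 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# classify_avc: stdin = audit.log lines; stdout = unique lines of the form
#   CATEGORY source_type target_type tclass perms
# CATEGORY is pid_state (read-only access to a /proc/<pid> entry owned by some
# process domain), proc_sys (read of a static /proc file labelled proc_t) or
# other (anything else, which must be reviewed by hand, never blanket-allowed).
classify_avc() {
  awk '
  /avc: +denied/ {
    perms = $0
    sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
    dev = ""; sctx = ""; tctx = ""; tcls = ""
    for (i = 1; i <= NF; i++) {
      eq = index($i, "=")
      if (eq == 0) continue
      k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
      if (k == "dev") dev = v
      else if (k == "scontext") sctx = v
      else if (k == "tcontext") tctx = v
      else if (k == "tclass") tcls = v
    }
    split(sctx, s, ":"); split(tctx, t, ":")
    stype = s[3]; trole = t[2]; ttype = t[3]
    # only read-type permissions qualify; a write on /proc/<pid> is not ps
    n = split(perms, p, " "); ro = 1
    for (j = 1; j <= n; j++)
      if (p[j] !~ /^(read|getattr|open|search|lock|ioctl)$/) ro = 0
    cat = "other"
    if (dev == "proc" && ro && trole != "object_r" &&
        (tcls == "file" || tcls == "dir" || tcls == "lnk_file"))
      cat = "pid_state"
    else if (dev == "proc" && ro && ttype == "proc_t")
      cat = "proc_sys"
    printf "%s %s %s %s %s\n", cat, stype, ttype, tcls, perms
  }' | sort -u
}

# render_te_module NAME: stdin = classify_avc output; stdout = a .te module.
# One interface call per source domain covers every process domain, present or
# future, because the interfaces are written against the "domain" attribute.
render_te_module() {
  awk -v mod="$1" '
  $1 == "pid_state" { pid[$2] = 1; src[$2] = 1 }
  $1 == "proc_sys"  { sys[$2] = 1; src[$2] = 1 }
  $1 == "other"     { other[++n] = $0 }
  END {
    printf "policy_module(%s, 1.0)\n\n", mod
    # require{} is for a domain declared in another module; if the domain is
    # declared in this same .te file, drop the block and keep the declaration.
    printf "require {\n"
    for (d in src) printf "\ttype %s;\n", d
    printf "}\n\n"
    for (d in pid) printf "domain_read_all_domains_state(%s)\n", d
    for (d in sys) printf "kernel_read_system_state(%s)\n", d
    if (n > 0) {
      printf "\n# NOT allowed here: unrelated denials, review separately\n"
      for (i = 1; i <= n; i++) printf "# %s\n", other[i]
    }
  }'
}

# Usage on the constructed sample (runs offline):
printf '%s\n' "$SAMPLE_AVC" | classify_avc | render_te_module myapp_ps
```

Build and load the result with the devel Makefile from selinux-policy-devel (`make -f /usr/share/selinux/devel/Makefile myapp_ps.pp && semodule -i myapp_ps.pp`). If the goal is only to silence the noise rather than let the domain read other domains' state, domain_dontaudit_read_all_domains_state() is the narrower choice. Either is far safer than the transition to unconfined_t suggested in the report: that would hand any confined domain able to exec ps an unconfined process, whereas the interface grants read-only access to /proc/<pid> and nothing more.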