Bug 810973

Summary: We need to patch ltrace for potential SELinux breakage.
Product: [Fedora] Fedora Reporter: Niels de Vos <ndevos>
Component: ltraceAssignee: Petr Machata <pmachata>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dwalsh, mjw, mnewsome, pmachata
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 786876 Environment:
Last Closed: 2012-05-26 07:16:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 802072    
Bug Blocks:    

Description Niels de Vos 2012-04-09 18:56:10 UTC 
+++ This bug was initially created as a clone of Bug #786876 +++

New feature coming in Fedora 17  will allow users to disable ptrace and sys_ptrace access on an SELinux system.

http://danwalsh.livejournal.com/49336.html

Talks about this and demonstrates it.

$ ltrace id
PTRACE_TRACEME: Permission denied
PTRACE_SETOPTIONS: No such process

It has been suggested that we should probably print something about SELinux potentially blocking this access.

gdb does the following (see Bug 786878):

$ gdb -ex r -ex q --quiet /usr/bin/id
Reading symbols from /usr/bin/id...Reading symbols from /usr/lib/debug/usr/bin/id.debug...done.
done.
Starting program: /usr/bin/id 
Cannot create process: Permission denied
warning: the SELinux boolean 'deny_ptrace' is enabled, you can disable this process attach protection by: (gdb) shell sudo setsebool deny_ptrace=0
During startup program exited with code 127.


Note that Bug 802072 contains a discussion if PTRACE_TRACEME should be allowed by default, or if only PTRACE_ATTACH should rely on the SElinux boolean deny_ptrace. A final implementation in ltrace should probably wait on the results of that discussion.
Comment 1 Petr Machata 2012-04-10 21:09:14 UTC 
Thanks, the code linked in bug 786878 is exactly what I need.  That discussion at that other bug seems less than lively, so I'll just roll out what I have now.  The worst that can happen is that there is one extra call on an error path that never hits anyway.  I added a patch to upstream and will port it to F17 shortly.
Comment 2 Fedora Update System 2012-04-10 21:26:01 UTC 
ltrace-0.6.0-6.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ltrace-0.6.0-6.fc17
Comment 3 Niels de Vos 2012-04-11 10:27:56 UTC 
Thanks for the swift update!

These are the results from my testing. There is no mentioning of SElinux in the error message, is this the expected behaviour?

[root@f17-20120406 tmp]# rpm -q ltrace
ltrace-0.6.0-6.fc17.x86_64
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
I consistently fail to read a word from the freshly launched process.
I'll now try to proceed with tracing, but this shouldn't be happening.
PTRACE_SETOPTIONS: No such process
+++ exited (status 1) +++
Comment 4 Petr Machata 2012-04-11 10:47:22 UTC 
D'oh, of course not, I forgot to add libselinux-devel to BR.
Comment 5 Petr Machata 2012-04-11 11:03:15 UTC 
... _and_ forgot to patch configure itself (only configure.ac).  That's them swift updates.
Comment 6 Petr Machata 2012-04-11 11:53:02 UTC 
I edited the bodhi update request with a new build, ltrace-0.6.0-7.fc17
Comment 7 Niels de Vos 2012-04-11 13:36:17 UTC 
Old behaviour:
[root@f17-20120406 tmp]# rpm -q ltrace
ltrace-0.6.0-4.fc17.x86_64
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
PTRACE_SETOPTIONS: No such process
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied

New behaviour:
[root@f17-20120406 tmp]# rpm -Uvh ltrace-0.6.0-7.fc17.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:ltrace                 ########################################### [100%]
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
The SELinux boolean 'deny_ptrace' is enabled, which may prevent ltrace from
tracing other processes.  You can disable this process attach protection by
issuing 'setsebool deny_ptrace=0' in the superuser context.
I consistently fail to read a word from the freshly launched process.
I'll now try to proceed with tracing, but this shouldn't be happening.
PTRACE_SETOPTIONS: No such process
+++ exited (status 1) +++
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied
The SELinux boolean 'deny_ptrace' is enabled, which may prevent ltrace from
tracing other processes.  You can disable this process attach protection by
issuing 'setsebool deny_ptrace=0' in the superuser context.


Thanks again!
Comment 8 Fedora Update System 2012-05-03 19:16:22 UTC 
ltrace-0.6.0-11.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ltrace-0.6.0-11.fc17
Comment 9 Fedora Update System 2012-05-26 07:16:04 UTC 
ltrace-0.6.0-11.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.