Bug 810973
Summary: | We need to patch ltrace for potential SELinux breakage. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Niels de Vos <ndevos> |
Component: | ltrace | Assignee: | Petr Machata <pmachata> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | rawhide | CC: | dwalsh, mjw, mnewsome, pmachata |
Target Milestone: | --- | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Enhancement | |
Doc Text: | Story Points: | --- | |
Clone Of: | 786876 | Environment: | |
Last Closed: | 2012-05-26 07:16:04 UTC | Type: | --- |
Bug Depends On: | 802072 | ||
Bug Blocks: |
Description
Niels de Vos
2012-04-09 18:56:10 UTC
Thanks, the code linked in bug 786878 is exactly what I need. That discussion at that other bug seems less than lively, so I'll just roll out what I have now. The worst that can happen is that there is one extra call on an error path that never hits anyway.

I added a patch to upstream and will port it to F17 shortly.

ltrace-0.6.0-6.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ltrace-0.6.0-6.fc17

Thanks for the swift update! These are the results from my testing. There is no mention of SELinux in the error message, is this the expected behaviour?

[root@f17-20120406 tmp]# rpm -q ltrace
ltrace-0.6.0-6.fc17.x86_64
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
I consistently fail to read a word from the freshly launched process.
I'll now try to proceed with tracing, but this shouldn't be happening.
PTRACE_SETOPTIONS: No such process
+++ exited (status 1) +++

D'oh, of course not, I forgot to add libselinux-devel to BR.

... _and_ forgot to patch configure itself (only configure.ac). That's them swift updates. I edited the bodhi update request with a new build, ltrace-0.6.0-7.fc17

Old behaviour:

[root@f17-20120406 tmp]# rpm -q ltrace
ltrace-0.6.0-4.fc17.x86_64
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
PTRACE_SETOPTIONS: No such process
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied

New behaviour:

[root@f17-20120406 tmp]# rpm -Uvh ltrace-0.6.0-7.fc17.x86_64.rpm
Preparing... ########################################### [100%]
1:ltrace ########################################### [100%]
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
The SELinux boolean 'deny_ptrace' is enabled, which may prevent ltrace from tracing other processes.
You can disable this process attach protection by issuing 'setsebool deny_ptrace=0' in the superuser context.
I consistently fail to read a word from the freshly launched process.
I'll now try to proceed with tracing, but this shouldn't be happening.
PTRACE_SETOPTIONS: No such process
+++ exited (status 1) +++
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied
The SELinux boolean 'deny_ptrace' is enabled, which may prevent ltrace from tracing other processes.
You can disable this process attach protection by issuing 'setsebool deny_ptrace=0' in the superuser context.

Thanks again!

ltrace-0.6.0-11.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ltrace-0.6.0-11.fc17

ltrace-0.6.0-11.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
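
Added example, not part of the bug report and not ltrace's own code: a sketch of the kind of diagnostic shown in the "New behaviour" output, which reports the deny_ptrace boolean only when a ptrace call has failed with EPERM. It assumes the boolean is exposed at /sys/fs/selinux/booleans/deny_ptrace and reads that file directly instead of going through libselinux; the function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed selinuxfs path of the boolean; not taken from the bug report. */
#define DENY_PTRACE_PATH "/sys/fs/selinux/booleans/deny_ptrace"

/* A selinuxfs boolean file holds "<current> <pending>", e.g. "1 1".
 * Returns the current value (0 or 1), or -1 if the text is malformed. */
int parse_selinux_boolean(const char *text)
{
    int current, pending;
    if (text == NULL || sscanf(text, "%d %d", &current, &pending) != 2)
        return -1;
    if ((current != 0 && current != 1) || (pending != 0 && pending != 1))
        return -1;
    return current;
}

/* Returns -1 when the file cannot be read (no SELinux, or no such boolean). */
int read_selinux_boolean(const char *path)
{
    char buf[32] = "";
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int value = fgets(buf, sizeof buf, f) ? parse_selinux_boolean(buf) : -1;
    fclose(f);
    return value;
}

/* Give the hint only for EPERM with the boolean active, so unrelated
 * failures (ESRCH, unknown SELinux state) are not blamed on the policy. */
const char *ptrace_denial_hint(int err, int deny_ptrace)
{
    if (err != EPERM || deny_ptrace != 1)
        return NULL;
    return "The SELinux boolean 'deny_ptrace' is enabled, which may prevent "
           "tracing other processes.";
}

int main(void)
{
    /* Simulates the failure from the report: a ptrace call returned EPERM. */
    const char *hint = ptrace_denial_hint(EPERM, read_selinux_boolean(DENY_PTRACE_PATH));
    printf("ptrace: %s\n", strerror(EPERM));
    if (hint != NULL)
        printf("%s\n", hint);
    return 0;
}
```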