Description of problem:
SELinux ignores the deny_ptrace boolean and does not restrict ptrace when the boolean is enabled (deny_ptrace --> on).

Version-Release number of selected component (if applicable):
$ uname -a
Linux home 3.15.4-200.fc20.x86_64 #1 SMP Mon Jul 7 14:24:41 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa selinux-policy*
selinux-policy-devel-3.12.1-176.fc20.noarch
selinux-policy-targeted-3.12.1-176.fc20.noarch
selinux-policy-3.12.1-176.fc20.noarch

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29

$ getsebool deny_ptrace
deny_ptrace --> on

How reproducible:
$ gdb -q /usr/bin/true -ex
Reading symbols from /usr/bin/true...Reading symbols from /usr/bin/true...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Starting program: /usr/bin/true
[Inferior 1 (process 30513) exited normally]
Missing separate debuginfos, use: debuginfo-install coreutils-8.21-21.fc20.x86_64
(gdb) q

$ strace /usr/bin/true
execve("/usr/bin/true", ["/usr/bin/true"], [/* 48 vars */]) = 0
brk(0)                                  = 0xbbb000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f20f40f5000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=138685, ...}) = 0
mmap(NULL, 138685, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f20f40d3000
close(3)                                = 0
...
...
...
exit_group(0)                           = ?
+++ exited with 0 +++

Steps to Reproduce:
1. Enable boolean
   # setsebool deny_ptrace 1
   or
   # setsebool -P deny_ptrace 1
2. Test with gdb, strace, any ptrace() capable tool.
3. http://www.openwall.com/lists/oss-security/2014/07/08/16

Actual results:
Ignores boolean and executes fine.

Expected results:
Deny by SELinux.
I am not seeing this in Rawhide.

strace id
strace: test_ptrace_setoptions_for_all: PTRACE_TRACEME doesn't work: Permission denied
strace: test_ptrace_setoptions_for_all: unexpected exit status 1
[Exit 1]

gdb /bin/id
GNU gdb (GDB) Fedora 7.7.90.20140711-11.fc22
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /bin/id...Reading symbols from /bin/id...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install coreutils-8.22-17.fc22.x86_64
(gdb) b main
Breakpoint 1 at 0x401ab0
(gdb) r
Starting program: /usr/bin/id
Cannot create process: Permission denied
the SELinux boolean 'deny_ptrace' is enabled, you can disable this process attach protection by:
(gdb) shell sudo setsebool deny_ptrace=0
During startup program exited with code 127.
(gdb)
Could you run

sesearch -A -s unconfined_t -p ptrace -C

Found 5 semantic av rules:
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_cronjob_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t crontab_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]
Here is my output

# sesearch -A -s unconfined_t -p ptrace -C
Found 4 semantic av rules:
   allow unconfined_t unconfined_t : process { fork transition sigchld ptrace getsched getcap dyntransition } ;
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]
I downgraded policy back to

selinux-policy-3.12.1-106.fc20.noarch
selinux-policy-devel-3.12.1-106.fc20.noarch
selinux-policy-targeted-3.12.1-106.fc20.noarch

Output

# sesearch -A -s unconfined_t -p ptrace -C
Found 3 semantic av rules:
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]

And now deny_ptrace works again

strace /usr/bin/true
strace: test_ptrace_setoptions_for_all: PTRACE_TRACEME doesn't work: Permission denied
strace: test_ptrace_setoptions_for_all: unexpected exit status 1
Lukas, could you please look at this issue on your F20 machine. Thx.
# uname -a
Linux Fedora20-virt 3.15.4-200.fc20.x86_64 #1 SMP Mon Jul 7 14:24:41 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29

# getsebool -a | grep ptrace
deny_ptrace --> on

Starting program: /usr/bin/true
Cannot create process: Permission denied
the SELinux boolean 'deny_ptrace' is enabled, you can disable this process attach protection by:
(gdb) shell sudo setsebool deny_ptrace=0
During startup program exited with code 127.

Everything looks OK on my F20 system. Bob could you update selinux-policy package on your system again? Let us know if it's working now. Thank you!
I updated again to 3.12.1-176 then to 3.12.1-177 from Koji, and this problem remains, ptrace executes.

When I downgraded back to 3.12.1-106 I got some unrelated warnings

  Installing : selinux-policy-3.12.1-106.fc20.noarch                      1/6
  Installing : selinux-policy-devel-3.12.1-106.fc20.noarch                2/6
  Installing : selinux-policy-targeted-3.12.1-106.fc20.noarch             3/6
libsepol.print_missing_requirements: bacula's global requirements were not met: type/attribute bacula_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
/usr/sbin/semodule:  Failed!
186k
  Cleanup    : selinux-policy-targeted-3.12.1-176.fc20.noarch             4/6
  Cleanup    : selinux-policy-devel-3.12.1-176.fc20.noarch                5/6
  Cleanup    : selinux-policy-3.12.1-176.fc20.noarch                      6/6
  Verifying  : selinux-policy-devel-3.12.1-106.fc20.noarch                1/6
  Verifying  : selinux-policy-targeted-3.12.1-106.fc20.noarch             2/6
  Verifying  : selinux-policy-3.12.1-106.fc20.noarch                      3/6
  Verifying  : selinux-policy-targeted-3.12.1-176.fc20.noarch             4/6
  Verifying  : selinux-policy-devel-3.12.1-176.fc20.noarch                5/6
  Verifying  : selinux-policy-3.12.1-176.fc20.noarch                      6/6

# sesearch -A -s unconfined_t -p ptrace -C
on
selinux-policy-3.12.1-177.fc20.noarch
selinux-policy-devel-3.12.1-177.fc20.noarch
selinux-policy-targeted-3.12.1-177.fc20.noarch

Found 4 semantic av rules:
   allow unconfined_t unconfined_t : process { fork transition sigchld ptrace getsched getcap dyntransition } ;
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]
I solved issue by erasing policy packages manually instead of downgrading. After clean selinux-policy* install, ptrace is being blocked again. Also suspicious "allow unconfined_t unconfined_t : process { fork transition sigchld ptrace getsched getcap dyntransition } ;" rule is gone.

# sesearch -A -s unconfined_t -p ptrace -C
Found 3 semantic av rules:
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]

Thanks everyone.
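As an added example (not part of the bug report or the selinux-policy project), here is a small POSIX shell check for the condition the thread converged on: an unconditional allow rule granting process:ptrace from unconfined_t, which makes the deny_ptrace boolean ineffective. It parses the setools 3 `sesearch -C` output format shown above; the two embedded samples are constructed from the outputs posted in the comments so the check runs offline.

```shell
#!/bin/sh
# Constructed sample (the broken policy from the thread): one allow rule
# for ptrace carries no "[ deny_ptrace ]" guard, so the boolean is bypassed.
SAMPLE_BAD='Found 4 semantic av rules:
   allow unconfined_t unconfined_t : process { fork transition sigchld ptrace getsched getcap dyntransition } ;
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]'

# Constructed sample (the clean policy): every ptrace allow rule is gated.
SAMPLE_GOOD='Found 3 semantic av rules:
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]'

# Read sesearch -C output on stdin and print allow rules that grant ptrace
# without a boolean guard. Conditional rules carry a DF/DT/EF/ET marker and
# a trailing "[ bool ]"; unconditional rules have neither.
unconditional_ptrace_rules() {
    grep -E '^[[:space:]]*allow ' \
        | grep -v '\[' \
        | grep -E '[[:space:]]ptrace[[:space:]]' || true
}

# Number of such rules; 0 means deny_ptrace can actually deny.
count_unconditional_ptrace() {
    unconditional_ptrace_rules | wc -l | tr -d ' '
}

# Verdict for a captured sesearch output on stdin: exit 0 if the boolean
# is effective, non-zero if it is bypassed.
deny_ptrace_effective() {
    [ "$(count_unconditional_ptrace)" -eq 0 ]
}

# Live check of the running policy, skipped when setools is not installed.
if command -v sesearch >/dev/null 2>&1; then
    if sesearch -A -s unconfined_t -p ptrace -C | deny_ptrace_effective; then
        echo "deny_ptrace: no unconditional ptrace allow rule for unconfined_t"
    else
        echo "deny_ptrace: BYPASSED by unconditional rule(s):"
        sesearch -A -s unconfined_t -p ptrace -C | unconditional_ptrace_rules
    fi
fi
```

The check only proves the boolean is not bypassed by this class of rule; the functional test from the thread (strace or gdb against a binary with deny_ptrace on) remains the authoritative confirmation.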