Bug 1118033 - SELinux deny_ptrace boolean suddenly does not restrict ptrace
Summary: SELinux deny_ptrace boolean suddenly does not restrict ptrace
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 20
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-09 21:26 UTC by Bob Browser
Modified: 2014-07-21 07:24 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-21 07:24:31 UTC


Attachments (Terms of Use)

Description Bob Browser 2014-07-09 21:26:21 UTC
Description of problem:
SELinux ignores deny_ptrace boolean and do not restrict ptrace in enabled mode deny_ptrace --> on

Version-Release number of selected component (if applicable):

$ uname -a
Linux home 3.15.4-200.fc20.x86_64 #1 SMP Mon Jul 7 14:24:41 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa selinux-policy*
selinux-policy-devel-3.12.1-176.fc20.noarch
selinux-policy-targeted-3.12.1-176.fc20.noarch
selinux-policy-3.12.1-176.fc20.noarch

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29

$ getsebool deny_ptrace
deny_ptrace --> on

How reproducible:
$ gdb -q /usr/bin/true -ex
Reading symbols from /usr/bin/true...Reading symbols from /usr/bin/true...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Starting program: /usr/bin/true 
[Inferior 1 (process 30513) exited normally]
Missing separate debuginfos, use: debuginfo-install coreutils-8.21-21.fc20.x86_64
(gdb) q

$ strace /usr/bin/true
execve("/usr/bin/true", ["/usr/bin/true"], [/* 48 vars */]) = 0
brk(0)                                  = 0xbbb000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f20f40f5000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=138685, ...}) = 0
mmap(NULL, 138685, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f20f40d3000
close(3)                                = 0
...
...
...
exit_group(0)                           = ?
+++ exited with 0 +++

Steps to Reproduce:
1. Enable boolean # setsebool deny_ptrace 1 or # setsebool -P deny_ptrace 1
2. Test with gdb, strace, any ptrace() capable tool.
3. http://www.openwall.com/lists/oss-security/2014/07/08/16

Actual results:
Ignores boolean and executes fine.

Expected results:
Deny by SELinux.

Comment 1 Daniel Walsh 2014-07-14 13:31:29 UTC
I am not seeing this in Rawhide.

 strace id
strace: test_ptrace_setoptions_for_all: PTRACE_TRACEME doesn't work: Permission denied
strace: test_ptrace_setoptions_for_all: unexpected exit status 1
[Exit 1]


 gdb /bin/id
GNU gdb (GDB) Fedora 7.7.90.20140711-11.fc22
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /bin/id...Reading symbols from /bin/id...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install coreutils-8.22-17.fc22.x86_64
(gdb) b main
Breakpoint 1 at 0x401ab0
(gdb) r
Starting program: /usr/bin/id 
Cannot create process: Permission denied
the SELinux boolean 'deny_ptrace' is enabled, you can disable this process attach protection by: (gdb) shell sudo setsebool deny_ptrace=0During startup program exited with code 127.
(gdb)

Comment 2 Daniel Walsh 2014-07-14 13:32:20 UTC
Could you run 

sesearch -A -s unconfined_t -p ptrace -C
Found 5 semantic av rules:
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_cronjob_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t crontab_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]

Comment 3 Bob Browser 2014-07-14 13:44:29 UTC
Here is my output

# sesearch -A -s unconfined_t -p ptrace -C
Found 4 semantic av rules:
   allow unconfined_t unconfined_t : process { fork transition sigchld ptrace getsched getcap dyntransition } ; 
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]

Comment 4 Bob Browser 2014-07-14 15:05:45 UTC
I downgraded policy back to

selinux-policy-3.12.1-106.fc20.noarch         
selinux-policy-devel-3.12.1-106.fc20.noarch   
selinux-policy-targeted-3.12.1-106.fc20.noarch

Output
# sesearch -A -s unconfined_t -p ptrace -C 
Found 3 semantic av rules:
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]

And now deny_ptrace works again

strace /usr/bin/true
strace: test_ptrace_setoptions_for_all: PTRACE_TRACEME doesn't work: Permission denied
strace: test_ptrace_setoptions_for_all: unexpected exit status 1

Comment 5 Miroslav Grepl 2014-07-16 09:53:56 UTC
Lukas,
could you please loot at this issue on your F20 machine. Thx.

Comment 6 Lukas Vrabec 2014-07-16 11:08:27 UTC
# uname -a 
Linux Fedora20-virt 3.15.4-200.fc20.x86_64 #1 SMP Mon Jul 7 14:24:41 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29

# getsebool -a | grep ptrace
deny_ptrace --> on

Starting program: /usr/bin/true 
Cannot create process: Permission denied
the SELinux boolean 'deny_ptrace' is enabled, you can disable this process attach protection by: (gdb) shell sudo setsebool deny_ptrace=0During startup program exited with code 127.

Everything looks OK on my F20 system. 

Bob could you update selinux-policy package on your system again?
Let us know if it's working now.

Thank you!

Comment 7 Bob Browser 2014-07-16 11:46:31 UTC
I updated again to 3.12.1-176 then to 3.12.1-177 from Koji, and this problem remains, ptrace executes.

When I downgraded back to 3.12.1-106 I got some unrealeted warnings

  Installing : selinux-policy-3.12.1-106.fc20.noarch                                                    1/6 
  Installing : selinux-policy-devel-3.12.1-106.fc20.noarch                                              2/6 
  Installing : selinux-policy-targeted-3.12.1-106.fc20.noarch                                           3/6 
libsepol.print_missing_requirements: bacula's global requirements were not met: type/attribute bacula_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
/usr/sbin/semodule:  Failed!
186k
  Cleanup    : selinux-policy-targeted-3.12.1-176.fc20.noarch                                           4/6 
  Cleanup    : selinux-policy-devel-3.12.1-176.fc20.noarch                                              5/6 
  Cleanup    : selinux-policy-3.12.1-176.fc20.noarch                                                    6/6 
  Verifying  : selinux-policy-devel-3.12.1-106.fc20.noarch                                              1/6 
  Verifying  : selinux-policy-targeted-3.12.1-106.fc20.noarch                                           2/6 
  Verifying  : selinux-policy-3.12.1-106.fc20.noarch                                                    3/6 
  Verifying  : selinux-policy-targeted-3.12.1-176.fc20.noarch                                           4/6 
  Verifying  : selinux-policy-devel-3.12.1-176.fc20.noarch                                              5/6 
  Verifying  : selinux-policy-3.12.1-176.fc20.noarch                                                    6/6


# sesearch -A -s unconfined_t -p ptrace -C
on
selinux-policy-3.12.1-177.fc20.noarch
selinux-policy-devel-3.12.1-177.fc20.noarch
selinux-policy-targeted-3.12.1-177.fc20.noarch


Found 4 semantic av rules:
   allow unconfined_t unconfined_t : process { fork transition sigchld ptrace getsched getcap dyntransition } ; 
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]

Comment 8 Bob Browser 2014-07-21 07:24:31 UTC
I solved issue by erasing policy packages manually instead of downgrading. After clean selinux-policy* install, ptrace is being blocked again.

Also suspicious "   allow unconfined_t unconfined_t : process { fork transition sigchld ptrace getsched getcap dyntransition } ;" rule is gone.

# sesearch -A -s unconfined_t -p ptrace -C

Found 3 semantic av rules:
DF allow unconfined_domain_type domain : process ptrace ; [ deny_ptrace ]
DF allow unconfined_t unconfined_dbusd_t : process ptrace ; [ deny_ptrace ]
DF allow unconfined_usertype unconfined_usertype : process ptrace ; [ deny_ptrace ]

Thanks everyone.


Note You need to log in before you can comment on or make changes to this bug.