Bug 1202043 - SELinux is preventing ps from using the 'sys_ptrace' capabilities.
Summary: SELinux is preventing ps from using the 'sys_ptrace' capabilities.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:cec45f78995474867885fa5d717...
: 1220962 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2015-03-14 17:42 UTC by roman
Modified: 2017-07-12 22:49 UTC (History)
15 users (show)

Fixed In Version: selinux-policy-3.13.1-105.19.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-14 15:50:08 UTC
Type: ---

Attachments (Terms of Use)

Description roman 2015-03-14 17:42:42 UTC
Description of problem:
SELinux is preventing ps from using the 'sys_ptrace' capabilities.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that ps should have the sys_ptrace capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep ps /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
Target Objects                Unknown [ capability ]
Source                        ps
Source Path                   ps
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.6.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.18.9-200.fc21.x86_64 #1 SMP Mon
                              Mar 9 15:10:50 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-03-14 17:51:21 MSK
Last Seen                     2015-03-14 20:33:52 MSK
Local ID                      3b45ff36-3e3d-42a5-bf70-1b6085f607a4

Raw Audit Messages
type=AVC msg=audit(1426354432.990:29008): avc:  denied  { sys_ptrace } for  pid=14391 comm="ps" capability=19  scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=capability permissive=0

Hash: ps,mozilla_plugin_t,mozilla_plugin_t,capability,sys_ptrace

Version-Release number of selected component:

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.9-200.fc21.x86_64
type:           libreport

Potential duplicate: bug 662295

Comment 1 Lukas Vrabec 2015-03-16 09:59:17 UTC

If you want allow this, follow steps in your report:

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
# setsebool -P unconfined_mozilla_plugin_transition 0

Comment 2 Miroslav Grepl 2015-05-13 11:48:11 UTC
*** Bug 1220962 has been marked as a duplicate of this bug. ***

Comment 3 fred 2015-06-29 00:20:04 UTC
I have the same warning. How to know why it occured in the first place? Could a security issue have been averted?

Comment 4 Lukas Vrabec 2015-06-29 08:28:34 UTC

It was caused by some firefox plugin. In first place, you need to identify the right plugin and then try to analyze its behavior. In general, we don't allow this kind of access to firefox plugins.

Comment 5 Daniel Walsh 2015-06-29 10:41:38 UTC
This should probably be dontaudited. Running the ps command was a privileged process can cause sys_ptrace to happen.  Their is special data under /proc that a privileged process would access by running the ps command,  This data is almost ever actually read, the data is used by debugging tools to see where some of the randomized memory of a process is setup.  Easiest thing to do is to dontaudit the access.

Comment 6 Lukas Vrabec 2015-06-29 11:23:10 UTC

commit 727b69accb9d2ba053535fb215a443bc3583ba01
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Jun 29 13:21:35 2015 +0200

    Dontaudit mozilla_plugin_t cap. sys_ptrace. BZ(1202043)

Comment 7 fred 2015-06-30 00:24:58 UTC
Ok thanks for the details.

Comment 8 Fedora Update System 2015-06-30 07:31:13 UTC
selinux-policy-3.13.1-105.19.fc21 has been submitted as an update for Fedora 21.

Comment 9 Fedora Update System 2015-06-30 20:14:10 UTC
Package selinux-policy-3.13.1-105.19.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.19.fc21'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2015-07-14 15:50:08 UTC
selinux-policy-3.13.1-105.19.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.