Bug 1615087 - AVC denied sys_ptrace shows up a lot in the logs
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: psad
Version: 29
Hardware: All
OS: All
Priority: low
Severity: low
Target Milestone: ---
Assignee: Dominik 'Rathann' Mierzejewski
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-08-12 08:08 UTC by Kees de Jong
Modified: 2019-03-06 15:28 UTC (History)

Fixed In Version: psad-2.4.6-2.fc29 psad-2.4.6-2.fc28
Last Closed: 2019-03-06 06:58:02 UTC



Description Kees de Jong 2018-08-12 08:08:09 UTC
Description of problem: Auto-IDS does work, but when running, PSAD generates a lot of SELinux AVC errors.


Version-Release number of selected component (if applicable): psad-2.4.6-1.fc28.x86_64


Steps to Reproduce regular errors:
1. Start PSAD (systemctl start psad)
2. Check the logs (journalctl -f --grep AVC)
3. Notice the following error:
aug 12 10:05:57 defiant audit[25851]: AVC avc:  denied  { sys_ptrace } for  pid=25851 comm="ps" capability=19  scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:psad_t:s0 tclass=cap_userns permissive=0                                                          


Actual results: PSAD runs, but with a lot of SELinux denied errors.


Expected results: PSAD seems to run with full functionality, but does generate a lot of AVC warnings.

Comment 1 Dominik 'Rathann' Mierzejewski 2018-08-13 17:14:53 UTC
Correct, it probably needs some dontaudit rules. I'll get to it eventually. Patches welcome.
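
Added example, not part of the bug report and not the change shipped in psad-2.4.6-2 (which this page does not show): a small triage script that parses AVC denial lines in the format quoted in the description, counts them per source type, class and permission, and prints the candidate dontaudit rule for each distinct denial. The function names and every sample line other than the first are constructed for illustration.

```python
import re
from collections import Counter

# Kernel AVC denial format, as quoted in the bug description.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'tclass' not in rec:
        return None
    try:
        # A context is user:role:type[:level]; the type is the third field.
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
    except (KeyError, IndexError):
        return None
    rec['perms'] = m.group('perms').split()
    return rec

def summarize(lines):
    """Count denials per (source type, target type, class, perm, comm)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec['tclass'],
                    perm, rec.get('comm', '?'))] += 1
    return counts

def dontaudit_rules(counts):
    """One dontaudit rule per distinct denial; 'self' when the types match."""
    return sorted({f"dontaudit {s} {'self' if s == t else t}:{c} {p};"
                   for s, t, c, p, _comm in counts})

CTX = 'system_u:system_r:psad_t:s0'
SAMPLE = [
    # Line 1 is the denial from the report; lines 2 and 3 are constructed.
    f'aug 12 10:05:57 defiant audit[25851]: AVC avc:  denied  {{ sys_ptrace }} for  pid=25851 comm="ps" capability=19  scontext={CTX} tcontext={CTX} tclass=cap_userns permissive=0',
    f'aug 12 10:05:58 defiant audit[25853]: AVC avc:  denied  {{ sys_ptrace }} for  pid=25853 comm="ps" capability=19  scontext={CTX} tcontext={CTX} tclass=cap_userns permissive=0',
    'aug 12 10:05:58 defiant systemd[1]: Started psad.service.',
]

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
    print('\n'.join(dontaudit_rules(summarize(SAMPLE))))
```

A dontaudit rule only suppresses the audit record; the access itself stays denied, so review the per-command counts before silencing a denial.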

Comment 2 Jan Kurik 2018-08-14 11:12:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 3 Kees de Jong 2019-02-21 08:30:08 UTC
Hi Dominik, is this still on your radar? On average my CPU is busy with setroubleshootd between 10% and 25% because of all the AVC errors it needs to process. There are many generated every second. If you don't have the time and/or skills, then please contact someone from a special interest group that could help. For example: https://fedoraproject.org/wiki/Category:SIGs?rd=SIGs#Security

I don't have the time at the moment either. Maybe in the future I could co-maintain this package, but for now it's not possible.

Comment 4 Dominik 'Rathann' Mierzejewski 2019-02-21 13:39:32 UTC
(In reply to Kees de Jong from comment #3)
> Hi Dominik, is this still on your radar?

Hello, Kees. Yes, it is. I'm slowly working through my bug list on bugzilla.
I hope to tackle psad next week.

> On average my CPU is busy with
> setroubleshootd between 10% and 25% because of all the AVC errors it needs
> to process. There are many generated every second.

Sorry to hear that. I can understand this is an issue for you and I'll keep
that in mind.

> If you don't have the
> time and/or skills, then please contact someone from a special interest
> group that could help. For example:
> https://fedoraproject.org/wiki/Category:SIGs?rd=SIGs#Security

Thanks for the link.

> I don't have the time at the moment either. Maybe in the future I could
> co-maintain this package, but for now it's not possible.

I see. Thanks for letting me know.

Comment 5 Fedora Update System 2019-02-25 14:24:11 UTC
psad-2.4.6-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0c24af8e11

Comment 6 Fedora Update System 2019-02-25 14:24:29 UTC
psad-2.4.6-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-c2167f24f4

Comment 7 Fedora Update System 2019-02-26 02:12:05 UTC
psad-2.4.6-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-c2167f24f4

Comment 8 Fedora Update System 2019-02-26 04:11:14 UTC
psad-2.4.6-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0c24af8e11

Comment 9 Fedora Update System 2019-03-06 06:58:02 UTC
psad-2.4.6-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2019-03-06 15:28:05 UTC
psad-2.4.6-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

