Bug 1751816 - SELinux is preventing ps from using the sys_ptrace capability.
Summary: SELinux is preventing ps from using the sys_ptrace capability.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 30
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-09-12 16:03 UTC by Paul DeStefano
Modified: 2019-11-17 01:13 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-17 01:13:32 UTC


Attachments (Terms of Use)

Description Paul DeStefano 2019-09-12 16:03:53 UTC
Description of problem:
Since weekly update, ps getting a ton of these messages.  Seems to be related to pmlogger.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-45.fc30.noarch

How reproducible:
every night at midnight

Steps to Reproduce:
1. dnf update


Actual results:

SELinux is preventing ps from using the sys_ptrace capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ps should have the sys_ptrace capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ps' --raw | audit2allow -M my-ps
# semodule -X 300 -i my-ps.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0
Target Context                system_u:system_r:pcp_pmlogger_t:s0
Target Objects                Unknown [ capability ]
Source                        ps
Source Path                   ps
Port                          <Unknown>

Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing

Platform                      Linux wrangler 5.2.11-200.fc30.x86_64 #1 SMP Thu
                              Aug 29 12:43:20 UTC 2019 x86_64 x86_64
Alert Count                   3823
First Seen                    2019-09-09 09:50:55 PDT
Last Seen                     2019-09-12 00:11:46 PDT
Local ID                      156c2e39-972b-4b0e-8891-7e2af621d50e

Raw Audit Messages
type=AVC msg=audit(1568272306.321:41153): avc:  denied  { sys_ptrace } for  pid=1534930 comm="ps" capability=19  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0


Hash: ps,pcp_pmlogger_t,pcp_pmlogger_t,capability,sys_ptrace


Additional info:
During update of selinux-poilcypost-script threw an error, BTW.  I haven't had a SELinux alert in a while, now I'm getting 9 different alerts every night.

Could it be related to this selinux block from the time of the update?

SELinux is preventing restorecon from using the mac_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that restorecon should have the mac_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'restorecon' --raw | audit2allow -M my-restorecon
# semodule -X 300 -i my-restorecon.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
                              3
Target Objects                Unknown [ capability2 ]
Source                        restorecon
Source Path                   restorecon
Port                          <Unknown>

Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-43.fc30.noarch selinux-
                              policy-3.14.3-45.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing

Platform                      Linux wrangler 5.2.9-200.fc30.x86_64 #1 SMP Fri
                              Aug 16 21:37:45 UTC 2019 x86_64 x86_64
Alert Count                   31
First Seen                    2019-09-09 09:38:36 PDT
Last Seen                     2019-09-09 09:38:37 PDT
Local ID                      856a9c7f-3a77-4903-b28f-92f22a2a1a7c

Raw Audit Messages
type=AVC msg=audit(1568047117.175:86649): avc:  denied  { mac_admin } for  pid=3897680 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0


Hash: restorecon,setfiles_t,setfiles_t,capability2,mac_admin

Comment 1 Lukas Vrabec 2019-09-13 14:40:57 UTC
commit c5a8fd2a369b81fa96880776dc723a4038af1c49 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Fri Sep 13 16:38:43 2019 +0200

    Add sys_ptrace capability to pcp_pmlogger_t domain BZ(1751816)

Comment 2 Fedora Update System 2019-10-04 13:36:37 UTC
FEDORA-2019-6bbf3d600d has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 3 Fedora Update System 2019-10-04 22:15:06 UTC
selinux-policy-3.14.3-48.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 4 Fedora Update System 2019-10-10 07:49:21 UTC
FEDORA-2019-6bbf3d600d has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 5 Fedora Update System 2019-10-10 17:29:24 UTC
selinux-policy-3.14.3-49.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 6 Fedora Update System 2019-10-23 07:00:45 UTC
FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 7 Fedora Update System 2019-10-25 19:34:17 UTC
selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 8 Fedora Update System 2019-10-26 17:03:08 UTC
FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 9 Fedora Update System 2019-10-27 03:55:05 UTC
selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 10 Fedora Update System 2019-11-03 14:11:08 UTC
FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 11 Fedora Update System 2019-11-04 02:10:32 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 12 Fedora Update System 2019-11-17 01:13:32 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.