Description of problem:
On an FC5T3 system running 'ps ax' as an ordinary user gives different results than the same command run as root. With enforcing=0 the command gives the same results for both users.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. As root run 'ps ax | wc -l'
2. As an ordinary user run 'ps ax | wc -l'
3.

Actual results:
1. 104
2. 94

Expected results:
1. 104
2. 104

Additional info:
Running 'strace ps ax | grep Permission' as an ordinary user gives:

open("/proc/425/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/1897/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/1925/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/1970/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/2016/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/2262/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/2287/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/2290/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/2543/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/2546/stat", O_RDONLY) = -1 EACCES (Permission denied)

The processes in question are:

425  /sbin/udevd -d
1897 cupsd
1925 /usr/sbin/sshd
1970 crond
2016 /usr/sbin/atd
2262 /usr/sbin/gdm-binary -nodaemon
2287 /usr/sbin/gdm-binary -nodaemon
2290 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
2543 su
2546 bash
This is intended behaviour and part of SELinux with MCS policy. If you want a user to be able to see these processes you could set them up with the privs to read them:

semanage login -m -r s0-SystemHigh Login
I'm not sure that is an intentional behavior for MCS, which is discretionary and primarily file-oriented. Likely just an inadvertent side effect of the constraints on file access, since the attempt to access /proc/pid entries will look like an attempt to access a file with the categories of that process. Possibly that constraint should have an exception for t2 == domain, i.e. file has a domain label thereby implying a proc file?
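To check a system for the symptom in the report (processes hidden from an unprivileged user by the MCS constraint on /proc/<pid> described above) without root, here is an added audit script; it is not part of the bug thread or of selinux-policy. It parses strace lines of the report's shape (a constructed sample is embedded), and separately walks /proc as the caller, counting entries whose stat file is readable versus denied with EACCES, alongside the caller's own context read from /proc/self/attr/current so the MCS range of the login can be compared with the fix suggested in the thread.

```python
import os
import re
from typing import Dict, List, Optional

# Matches the strace lines from the report, e.g.
#   open("/proc/425/stat", O_RDONLY) = -1 EACCES (Permission denied)
EACCES_RE = re.compile(r'open\("/proc/(\d+)/stat", O_RDONLY\)\s*=\s*-1 EACCES')

# Constructed sample in the shape of the report's strace output; the
# successful open on the first line must be ignored.
SAMPLE_TRACE = """\
open("/proc/1/stat", O_RDONLY) = 5
open("/proc/425/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/1897/stat", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/2290/stat", O_RDONLY) = -1 EACCES (Permission denied)
"""

def denied_pids_from_strace(trace: str) -> List[int]:
    """Pids whose /proc/<pid>/stat open failed with EACCES, in trace order."""
    return [int(m.group(1)) for m in EACCES_RE.finditer(trace)]

def current_context() -> Optional[str]:
    """SELinux context of the caller (its MCS range is the last field), or None."""
    try:
        with open("/proc/self/attr/current") as f:
            return f.read().rstrip("\0\n")
    except OSError:                          # no SELinux, or attribute not readable
        return None

def audit_proc_visibility() -> Dict[str, object]:
    """Open /proc/<pid>/stat for every numeric entry; 'denied' is the gap 'ps ax' showed."""
    visible, denied = 0, []
    if os.path.isdir("/proc"):               # non-Linux host: nothing to audit
        for name in os.listdir("/proc"):
            if not name.isdigit():
                continue
            try:
                with open(f"/proc/{name}/stat") as f:
                    f.read()
                visible += 1
            except PermissionError:          # EACCES: the MCS constraint discussed above
                denied.append(int(name))
            except OSError:                  # process exited between listdir() and open()
                continue
    return {"visible": visible, "denied": sorted(denied), "context": current_context()}

if __name__ == "__main__":
    print(audit_proc_visibility())
```

Run it as the affected user and as root; a non-empty 'denied' list for the user with 'visible' equal to root's count confirms the MCS-hiding behaviour rather than a plain DAC problem.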
Fixed in selinux-policy-2.2.23-15