183387 – SELinux breaks ps

Bug 183387 - SELinux breaks ps

Summary: SELinux breaks ps

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-02-28 19:47 UTC by Ron Yorston
Modified:	2007-11-30 22:11 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-2.2.23-15
Clone Of:
Environment:
Last Closed:	2006-03-04 15:37:55 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Ron Yorston 2006-02-28 19:47:03 UTC

Description of problem:

On an FC5T3 system running 'ps ax' as an ordinary user gives different results
than the same command run as root.  With enforcing=0 the command gives the same
results for both users.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  As root run 'ps ax | wc -l'
2.  As an ordinary user run 'ps ax | wc -l'
3.
  
Actual results:
1.  104
2.   94

Expected results:
1.  104
2.  104


Additional info:
Running 'strace ps ax | grep Permission' as an ordinary user gives:

open("/proc/425/stat", O_RDONLY)        = -1 EACCES (Permission denied)
open("/proc/1897/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/1925/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/1970/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2016/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2262/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2287/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2290/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2543/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2546/stat", O_RDONLY)       = -1 EACCES (Permission denied)

The processes in question are:

  425 /sbin/udevd -d
 1897 cupsd
 1925 /usr/sbin/sshd
 1970 crond
 2016 /usr/sbin/atd
 2262 /usr/sbin/gdm-binary -nodaemon
 2287 /usr/sbin/gdm-binary -nodaemon
 2290 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
 2543 su
 2546 bash

Comment 1 Daniel Walsh 2006-03-04 15:37:55 UTC

This is intended behaviour and part of SELinux with MCS policy.

If you want a user to be able to see these processes you could set them up with
the privs to read them


semanage login -m -r s0-SystemHigh Login

Comment 2 Stephen Smalley 2006-03-10 13:10:08 UTC

I'm not sure that is an intentional behavior for MCS, which is discretionary and
primarily file-oriented.  Likely just an inadvertent side effect of the
constraints on file access, since the attempt to access /proc/pid entries will
look like an attempt to access a file with the categories of that process.
Possibly that constraint should have an exception for t2 == domain, i.e. file
has a domain label thereby implying a proc file?

Comment 3 Daniel Walsh 2006-03-10 13:24:55 UTC

Fixed in selinux-policy-2.2.23-15

Note You need to log in before you can comment on or make changes to this bug.