Bug 183387 - SELinux breaks ps
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2006-02-28 14:47 EST by Ron Yorston
Modified: 2007-11-30 17:11 EST
Fixed In Version: selinux-policy-2.2.23-15
Doc Type: Bug Fix
Last Closed: 2006-03-04 10:37:55 EST
Description Ron Yorston 2006-02-28 14:47:03 EST
Description of problem:

On an FC5T3 system running 'ps ax' as an ordinary user gives different results
than the same command run as root.  With enforcing=0 the command gives the same
results for both users.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  As root run 'ps ax | wc -l'
2.  As an ordinary user run 'ps ax | wc -l'
Actual results:
1.  104
2.   94

Expected results:
1.  104
2.  104

Additional info:
Running 'strace ps ax | grep Permission' as an ordinary user gives:

open("/proc/425/stat", O_RDONLY)        = -1 EACCES (Permission denied)
open("/proc/1897/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/1925/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/1970/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2016/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2262/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2287/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2290/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2543/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2546/stat", O_RDONLY)       = -1 EACCES (Permission denied)

The processes in question are:

  425 /sbin/udevd -d
 1897 cupsd
 1925 /usr/sbin/sshd
 1970 crond
 2016 /usr/sbin/atd
 2262 /usr/sbin/gdm-binary -nodaemon
 2287 /usr/sbin/gdm-binary -nodaemon
 2290 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
 2543 su
 2546 bash
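As an added example (not part of the bug report or of the SELinux policy package), a small Python script that automates the cross-check the reporter did by hand: it pulls the PIDs whose /proc/<pid>/stat open() failed with EACCES out of the strace output and joins them with a 'ps ax' listing taken as root, so the processes hidden from the unprivileged user can be named directly. The strace and ps samples below are constructed from the lines in the report (with one successful open and one PID missing from the root listing added to exercise the edge cases) and are not captured output.

```python
import re

# Constructed sample input modelled on the strace lines in the report (one
# successful open and one PID absent from the root listing added to exercise
# the edge cases); not captured from a real system.
STRACE_SAMPLE = """\
open("/proc/425/stat", O_RDONLY)        = -1 EACCES (Permission denied)
open("/proc/1897/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/1925/stat", O_RDONLY)       = 3
open("/proc/2543/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/9999/stat", O_RDONLY)       = -1 EACCES (Permission denied)
"""

# Constructed 'ps ax' listing as root would see it (same PIDs as the report).
PS_AX_ROOT_SAMPLE = """\
  PID TTY      STAT   TIME COMMAND
  425 ?        S<s    0:00 /sbin/udevd -d
 1897 ?        Ss     0:00 cupsd
 1925 ?        Ss     0:00 /usr/sbin/sshd
 2543 pts/0    S      0:00 su
 2546 pts/0    S      0:00 bash
"""

# Matches an open()/openat() of a /proc/<pid>/... path that failed with EACCES.
_DENIED_RE = re.compile(
    r'^open(?:at)?\((?:AT_FDCWD, )?"(/proc/(\d+)/[^"]*)"[^=]*=\s*-1 EACCES'
)


def denied_proc_pids(strace_text):
    """Return sorted (pid, path) pairs for /proc entries denied with EACCES."""
    found = {}
    for line in strace_text.splitlines():
        m = _DENIED_RE.match(line)
        if m:
            # Keep the first denied path seen for each PID.
            found.setdefault(int(m.group(2)), m.group(1))
    return sorted(found.items())


def parse_ps_ax(ps_text):
    """Map PID -> COMMAND from 'ps ax' output; the header line is skipped."""
    procs = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 4)  # PID TTY STAT TIME COMMAND
        if len(parts) == 5 and parts[0].isdigit():
            procs[int(parts[0])] = parts[4]
    return procs


def report(strace_text, ps_text):
    """Join the denied PIDs with the root 'ps ax' listing, by PID order."""
    procs = parse_ps_ax(ps_text)
    return [(pid, procs.get(pid, "<not in root listing>"))
            for pid, _path in denied_proc_pids(strace_text)]


if __name__ == "__main__":
    for pid, cmd in report(STRACE_SAMPLE, PS_AX_ROOT_SAMPLE):
        print(f"{pid:>6}  {cmd}")
```

On a real system the two inputs would come from `strace -o user.log ps ax` run as the unprivileged user and `ps ax > root.txt` run as root; the difference between the two `wc -l` counts in the report should equal the number of PIDs the script lists.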
Comment 1 Daniel Walsh 2006-03-04 10:37:55 EST
This is intended behaviour and part of SELinux with MCS policy.

If you want a user to be able to see these processes you could set them up with
the privs to read them:

semanage login -m -r s0-SystemHigh Login
Comment 2 Stephen Smalley 2006-03-10 08:10:08 EST
I'm not sure that is an intentional behavior for MCS, which is discretionary and
primarily file-oriented.  Likely just an inadvertent side effect of the
constraints on file access, since the attempt to access /proc/pid entries will
look like an attempt to access a file with the categories of that process.
Possibly that constraint should have an exception for t2 == domain, i.e. file
has a domain label thereby implying a proc file? 
Comment 3 Daniel Walsh 2006-03-10 08:24:55 EST
Fixed in selinux-policy-2.2.23-15
