Bug 183387 - SELinux breaks ps
Summary: SELinux breaks ps
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-02-28 19:47 UTC by Ron Yorston
Modified: 2007-11-30 22:11 UTC

Fixed In Version: selinux-policy-2.2.23-15
Clone Of:
Environment:
Last Closed: 2006-03-04 15:37:55 UTC
Type: ---
Embargoed:


Description Ron Yorston 2006-02-28 19:47:03 UTC
Description of problem:

On an FC5T3 system running 'ps ax' as an ordinary user gives different results
than the same command run as root.  With enforcing=0 the command gives the same
results for both users.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  As root run 'ps ax | wc -l'
2.  As an ordinary user run 'ps ax | wc -l'
Actual results:
1.  104
2.   94

Expected results:
1.  104
2.  104


Additional info:
Running 'strace ps ax | grep Permission' as an ordinary user gives:

open("/proc/425/stat", O_RDONLY)        = -1 EACCES (Permission denied)
open("/proc/1897/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/1925/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/1970/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2016/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2262/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2287/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2290/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2543/stat", O_RDONLY)       = -1 EACCES (Permission denied)
open("/proc/2546/stat", O_RDONLY)       = -1 EACCES (Permission denied)

The processes in question are:

  425 /sbin/udevd -d
 1897 cupsd
 1925 /usr/sbin/sshd
 1970 crond
 2016 /usr/sbin/atd
 2262 /usr/sbin/gdm-binary -nodaemon
 2287 /usr/sbin/gdm-binary -nodaemon
 2290 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
 2543 su
 2546 bash

Comment 1 Daniel Walsh 2006-03-04 15:37:55 UTC
This is intended behaviour and part of SELinux with MCS policy.

If you want a user to be able to see these processes you could set them up with
the privs to read them:

semanage login -m -r s0-SystemHigh Login

Comment 2 Stephen Smalley 2006-03-10 13:10:08 UTC
I'm not sure that is an intentional behavior for MCS, which is discretionary and
primarily file-oriented.  Likely just an inadvertent side effect of the
constraints on file access, since the attempt to access /proc/pid entries will
look like an attempt to access a file with the categories of that process.
Possibly that constraint should have an exception for t2 == domain, i.e. file
has a domain label thereby implying a proc file? 
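The following is an added example, not code from the bug report, from the reporter, or from the Fedora policy sources. It models the mechanism comments 1 and 2 describe: each /proc/<pid> entry carries the context of its process, and MCS applies a file-read constraint of the form "reader's high level dominates the file's level" (h1 dom h2), so a login running at plain s0 cannot open /proc/<pid>/stat for a daemon running with categories. It then shows the two ways out discussed above: raising the user's login range as in comment 1 (s0-SystemHigh, which the MCS setrans.conf translates to s0-s0:c0.c1023) and the t2 == domain exception proposed in comment 2. The process table, the per-process contexts and the set of domain types are constructed for illustration; the constraint is a simplified model, not a parser of real policy.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """An MCS level: a sensitivity plus a set of category numbers."""
    sens: int
    cats: frozenset

    @classmethod
    def parse(cls, text):
        # Accepts "s0", "s0:c3", "s0:c0.c1023" (a range) or "s0:c1,c4.c6" (a list).
        sens_part, _, cat_part = text.partition(":")
        m = re.fullmatch(r"s(\d+)", sens_part)
        if not m:
            raise ValueError(f"bad sensitivity in {text!r}")
        cats = set()
        for item in filter(None, cat_part.split(",")):
            r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
            if not r:
                raise ValueError(f"bad category item {item!r} in {text!r}")
            lo = int(r.group(1))
            hi = int(r.group(2)) if r.group(2) else lo
            cats.update(range(lo, hi + 1))
        return cls(int(m.group(1)), frozenset(cats))

    def dominates(self, other):
        # "dom": sensitivity at least as high and categories a superset of the other's.
        return self.sens >= other.sens and self.cats >= other.cats


@dataclass(frozen=True)
class Context:
    """user:role:type:low[-high]; the high level defaults to low when no range is given."""
    user: str
    role: str
    type: str
    low: Level
    high: Level

    @classmethod
    def parse(cls, text):
        user, role, typ, rng = text.split(":", 3)
        lo_txt, _, hi_txt = rng.partition("-")
        low = Level.parse(lo_txt)
        high = Level.parse(hi_txt) if hi_txt else low
        return cls(user, role, typ, low, high)


def mcs_file_read_allowed(subject, obj, domain_types=frozenset()):
    """Simplified MCS file-read constraint: allowed when h1 dom h2.

    domain_types models the exception comment 2 proposes (t2 == domain): a file
    whose type is a process domain can only be a /proc entry, so the category
    check is skipped for it. Pass an empty set to get the behaviour in the report.
    """
    if obj.type in domain_types:
        return True
    return subject.high.dominates(obj.high)


# Constructed process table (pid, command, context). Contexts are illustrative
# and are not the ones on the reporter's machine.
PROCS = [
    (1, "init", "system_u:system_r:init_t:s0"),
    (425, "/sbin/udevd -d", "system_u:system_r:udev_t:s0-s0:c0.c1023"),
    (1897, "cupsd", "system_u:system_r:cupsd_t:s0-s0:c0.c1023"),
    (1925, "/usr/sbin/sshd", "system_u:system_r:sshd_t:s0-s0:c0.c1023"),
    (2543, "su", "root:system_r:unconfined_t:s0-s0:c0.c1023"),
    (3001, "bash", "user_u:system_r:unconfined_t:s0"),
]

# Hypothetical set of types that stand in for the "domain" attribute.
DOMAIN_TYPES = frozenset({"init_t", "udev_t", "cupsd_t", "sshd_t", "unconfined_t"})


def visible_pids(reader, procs, domain_types=frozenset()):
    """PIDs whose /proc/<pid>/stat the reader may open, i.e. what its 'ps ax' would list."""
    reader_ctx = Context.parse(reader)
    return [pid for pid, _cmd, ctx in procs
            if mcs_file_read_allowed(reader_ctx, Context.parse(ctx), domain_types)]


if __name__ == "__main__":
    plain_user = "user_u:system_r:unconfined_t:s0"
    root = "root:system_r:unconfined_t:s0-s0:c0.c1023"
    # Effect of 'semanage login -m -r s0-SystemHigh Login' on the user's range:
    raised_user = "user_u:system_r:unconfined_t:s0-s0:c0.c1023"
    print("ordinary user sees:", visible_pids(plain_user, PROCS))
    print("root sees:         ", visible_pids(root, PROCS))
    print("raised user sees:  ", visible_pids(raised_user, PROCS))
    print("with t2==domain:   ", visible_pids(plain_user, PROCS, DOMAIN_TYPES))
```

The first run reproduces the report: the s0 user is denied every /proc entry whose process carries c0.c1023, so its process count is smaller than root's. Either widening the login range (comment 1) or exempting domain-typed objects from the category check (comment 2) makes the two listings agree; the second is the policy-side change that does not hand the user any extra categories.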

Comment 3 Daniel Walsh 2006-03-10 13:24:55 UTC
Fixed in selinux-policy-2.2.23-15

