Red Hat Bugzilla – Bug 200083
readlink of executables causing ptrace SELinux access check to fire
Last modified: 2007-11-30 17:11:38 EST
Description of problem:
The pidof command is doing a readlink of exe files, which is causing AVC denials:
type=SYSCALL msg=audit(1153832702.855:6379): arch=40000003 syscall=85 success=no
exit=-13 a0=bfbecd48 a1=9f0aea0 a2=1000 a3=9f08d40 items=1 ppid=9118 pid=9122
auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
comm="pidof" exe="/sbin/killall5" subj=user_u:system_r:initrc_t:s0 key=(null)
You can also get this same behaviour with the readlink command on the
This is causing lots of AVC messages during boot and will happen when a normal
user becomes root using su, and does a pidof command.
pidof should not try to ptrace applications.
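As an added illustration (not part of the bug report), the following Python decodes the SYSCALL record quoted above so that an administrator can recognise this pattern when triaging a flood of AVC/SYSCALL messages. The record string is a copy of the one in the report, wrapped onto one line; the arch, syscall and errno tables are small, deliberately partial lookups written for this example.

```python
import re

# Copy of the SYSCALL record quoted in the report, joined onto a single line.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1153832702.855:6379): arch=40000003 syscall=85 success=no '
    'exit=-13 a0=bfbecd48 a1=9f0aea0 a2=1000 a3=9f08d40 items=1 ppid=9118 pid=9122 '
    'auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 '
    'comm="pidof" exe="/sbin/killall5" subj=user_u:system_r:initrc_t:s0 key=(null)'
)

# Partial lookup tables (example only): 0x40000003 is AUDIT_ARCH_I386,
# syscall 85 on i386 is readlink, and exit=-13 is -EACCES.
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}
I386_SYSCALLS = {3: "read", 5: "open", 26: "ptrace", 85: "readlink"}
ERRNO_NAMES = {1: "EPERM", 2: "ENOENT", 13: "EACCES"}


def parse_audit_record(line):
    """Split a key=value audit record into a dict, stripping double quotes."""
    fields = {}
    for match in re.finditer(r'(\w+)=("[^"]*"|\S+)', line):
        fields[match.group(1)] = match.group(2).strip('"')
    return fields


def decode_syscall_record(fields):
    """Translate the numeric arch/syscall/exit fields into readable names."""
    arch_name = ARCH_NAMES.get(int(fields["arch"], 16), "unknown")
    syscall_num = int(fields["syscall"])
    syscall_name = I386_SYSCALLS.get(syscall_num, "unknown") if arch_name == "i386" else "unknown"
    exit_code = int(fields["exit"])
    errno_name = ERRNO_NAMES.get(-exit_code, "unknown") if exit_code < 0 else "success"
    return {
        "arch": arch_name, "syscall": syscall_name, "errno": errno_name,
        "comm": fields.get("comm"), "exe": fields.get("exe"),
        "subj": fields.get("subj"), "pid": int(fields["pid"]),
    }


def is_pidof_exe_readlink_denial(decoded):
    """Match the pattern from this report: pidof's readlink() denied with EACCES."""
    return (decoded["syscall"] == "readlink"
            and decoded["errno"] == "EACCES"
            and decoded["comm"] == "pidof")


if __name__ == "__main__":
    decoded = decode_syscall_record(parse_audit_record(SAMPLE_RECORD))
    print(decoded)
    print("pidof readlink denial:", is_pidof_exe_readlink_denial(decoded))
```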
proc uses ptrace checking as a way of controlling access to process private state.
There were some changes upstream in recent kernels in this area, e.g. see:
SELinux is just applying ptrace checks consistently with the core kernel here.
So should these be dontaudited? Allowed?
You'd have to allow it if you wanted the caller to be able to find the process
id of a given program via pidof. Naturally, you'd only do that for privileged
Ok, so I guess this is not a bug. Updated policy.