Bug 344431 - SELinux denies /usr/bin/Xorg (xdm_xserver_t) "getattr" to /proc/5452/cmdline (unconfined_t)
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Duplicates: 344421
Reported: 2007-10-21 08:53 EDT by Julian Sikorski
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: 3.0.8-56.fc8
Doc Type: Bug Fix
Last Closed: 2007-11-21 17:54:05 EST

Description Julian Sikorski 2007-10-21 08:53:34 EDT
Description of problem:
As promised, I am opening a separate bug report for that:

avc: denied { getattr } for comm=X dev=proc egid=0 euid=0 exe=/usr/bin/Xorg
exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=5452 path=/proc/5452/cmdline pid=4039
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:system_r:unconfined_t:s0 tty=tty7 uid=0

The number after proc changes, and also /usr/bin/Xorg (xdm_xserver_t) is
replaced with X (xdm_xserver_t). I am happy to provide more info if necessary.
Note that I am running the nvidia binary driver, but I don't know if it is related.

Version-Release number of selected component (if applicable):
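As an added illustration (not part of the bug report or of selinux-policy), the following Python parses the AVC record above the way audit2allow would, and also reads off what the record already says about pid 5452: for a target under /proc/<pid>/, tcontext is the label of that process, so its domain (unconfined_t, an ordinary user process) is known even after the process has exited. The AVC text is copied from the report; the function names are mine.

```python
import re

# AVC denial copied from this bug report (joined into one line).
AVC_LINE = (
    "avc: denied { getattr } for comm=X dev=proc egid=0 euid=0 exe=/usr/bin/Xorg "
    "exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=5452 path=/proc/5452/cmdline pid=4039 "
    "scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=file "
    "tcontext=system_u:system_r:unconfined_t:s0 tty=tty7 uid=0"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)"
)
PROC_RE = re.compile(r"^/proc/(\d+)/")


def parse_avc(line):
    """Split one AVC record into its permission set, key=value fields and the
    source/target SELinux types. Assumes values contain no whitespace, which
    holds for this record (comm=X); quoted comm values with spaces are not handled."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec = {"result": m.group("result"), "perms": m.group("perms").split(), **fields}
    # A context is user:role:type[:range]; the type is what TE rules refer to.
    rec["stype"] = fields["scontext"].split(":")[2]
    rec["ttype"] = fields["tcontext"].split(":")[2]
    return rec


def allow_rule(rec):
    """Minimal TE rule that would silence this denial (what audit2allow emits).
    Whether it is the right policy is a separate question, as comment 5 notes."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


def proc_target(rec):
    """If the target is under /proc/<pid>/, return (pid, domain of that process),
    since files there are labelled with the owning process's context."""
    m = PROC_RE.match(rec.get("path", ""))
    return (int(m.group(1)), rec["ttype"]) if m else None
```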
Comment 1 Adam Jackson 2007-10-22 09:36:56 EDT
It would be nice to know what pid 5452 is; if you can reproduce this, what
process is it trying to read the command line for?

But I'm pretty sure this is something in the nvidia driver, nothing in plain X
looks at /proc/*/cmdline that I know of.
Comment 2 Daniel Walsh 2007-10-22 09:44:53 EDT
Allowed in 3.0.8-29.fc8
Comment 3 Daniel Walsh 2007-10-22 09:45:29 EDT
*** Bug 344421 has been marked as a duplicate of this bug. ***
Comment 4 Julian Sikorski 2007-10-22 09:51:20 EDT
Huh? Are these two really the same? I mean, the audit messages are different:
getattr to cmdline, and search to unknown.
Comment 5 Daniel Walsh 2007-10-22 11:17:35 EDT
well yes, the first one is trying to read the directory and the second one the
file.  So from my perspective we need to figure out whether we want X to be able
to read /proc/USER/*

Comment 6 Julian Sikorski 2007-10-22 11:22:48 EDT
Thanks for clarification.
Comment 7 Julian Sikorski 2007-10-24 13:13:25 EDT
Hmm, still present in 3.0.8-30.fc8. Maybe I need a relabel? Anyway, I'm going to
try to figure out what the pid means, but this is kind of hard. This is because
as short as 2 minutes after the SELinux denial pidof returns nothing. If the
program is causing the denial on exit, we may never know.
Comment 8 Daniel Walsh 2007-10-24 14:06:43 EDT
That is because I lied.  Try 3.0.8-32.fc8
Comment 9 Julian Sikorski 2007-10-26 11:50:36 EDT
Hmm, denial still present. I'll run a relabel, just in case.
Comment 10 Julian Sikorski 2007-10-27 04:59:21 EDT
Relabel did not help.
Comment 11 Daniel Walsh 2007-11-19 10:57:19 EST
Fixed in selinux-policy-3.0.8-56.fc8
