Description of problem:
As promised, I am opening a separate bug report for that:

avc: denied { getattr } for comm=X dev=proc egid=0 euid=0 exe=/usr/bin/Xorg exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=5452 path=/proc/5452/cmdline pid=4039 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:system_r:unconfined_t:s0 tty=tty7 uid=0

The number after proc changes, and also /usr/bin/Xorg (xdm_xserver_t) is replaced with X (xdm_xserver_t). I am happy to provide more info if necessary. Note that I am running the nvidia binary driver, but I don't know if it is related.

Version-Release number of selected component (if applicable):
3.0.8-28.fc8
It would be nice to know what pid 5452 is; if you can reproduce this, what process is it trying to read the command line for? But I'm pretty sure this is something in the nvidia driver, nothing in plain X looks at /proc/*/cmdline that I know of.
Allowed in 3.0.8-29.fc8
*** Bug 344421 has been marked as a duplicate of this bug. ***
Huh? Are these two really the same? I mean, the audit messages are different: getattr to cmdline, and search to unknown.
Well, yes, the first one is trying to read the directory and the second one the file. So from my perspective we need to figure out whether we want X to be able to read /proc/USER/*
Thanks for clarification.
Hmm, still present in 3.0.8-30.fc8. Maybe I need a relabel? Anyway, I'm going to try to figure out what the pid means, but this is kind of hard. This is because as short as 2 minutes after the SELinux denial pidof returns nothing. If the program is causing the denial on exit, we may never know.
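The two practical problems in this thread are reading the AVC record (which type is denied which permission on which object, and which pid is the target rather than the subject) and identifying the target process before it exits. The following Python script is an added example for both; it is not part of this bug report, of Fedora's selinux-policy, or of audit2allow. It parses the getattr record quoted above, derives the allow rule audit2allow would print for it, extracts the pid from the /proc path, and resolves that pid via /proc, returning None when the process is already gone. The second AVC record (a dir search on /proc/5452) is constructed here to match the description of the duplicate bug, since its real text is not on this page, and the "example_app" fixture is a fake /proc entry built only so the resolver can be exercised offline. Whether the resulting rule should be shipped is the policy maintainers' decision, not something the script answers.

```python
"""Triage helper for AVC denials of the kind in this bug.  Added example; not code
from the bug report, from selinux-policy, or from audit2allow."""
import os
import re
import tempfile
from typing import Any, Dict, List, Optional

# Constructed sample input.  Record 0 is the getattr denial quoted in the bug;
# record 1 is a constructed dir-search denial of the kind the duplicate bug is
# described as containing (its actual text is not on this page).
SAMPLE_AVCS = [
    "avc: denied { getattr } for comm=X dev=proc egid=0 euid=0 exe=/usr/bin/Xorg "
    "exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=5452 path=/proc/5452/cmdline pid=4039 "
    "scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=file "
    "tcontext=system_u:system_r:unconfined_t:s0 tty=tty7 uid=0",
    "avc: denied { search } for comm=X dev=proc name=5452 path=/proc/5452 pid=4039 "
    "scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir "
    "tcontext=system_u:system_r:unconfined_t:s0",
]

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Split an AVC record into its permission set and key=value fields; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def type_of(context: str) -> str:
    """user:role:type[:range] -> type, e.g. 'xdm_xserver_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def allow_rule(rec: Dict[str, Any]) -> str:
    """The allow rule audit2allow would print for this record (same policy syntax)."""
    perms: List[str] = rec["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm_txt)


def target_pid(rec: Dict[str, Any]) -> Optional[int]:
    """pid whose /proc entry was touched.  This is NOT the 'pid=' field: that is
    the subject (X itself, 4039 in the report), not the process being looked at."""
    m = PROC_PID_RE.match(str(rec.get("path", "")))
    return int(m.group(1)) if m else None


def resolve_pid(pid: int, proc_root: str = "/proc") -> Optional[Dict[str, Any]]:
    """Read comm/cmdline/exe for pid under proc_root.  Returns None when the
    process has already exited, which is the race the reporter describes."""
    base = os.path.join(proc_root, str(pid))
    try:
        with open(os.path.join(base, "comm")) as f:
            comm = f.read().rstrip("\n")
        with open(os.path.join(base, "cmdline"), "rb") as f:
            argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:  # ENOENT/ESRCH: gone, or proc_root is not a procfs
        return None
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:  # kernel thread, no permission, or a fake proc tree
        exe = None
    return {"pid": pid, "comm": comm, "argv": argv, "exe": exe}


def make_fake_proc_entry(proc_root: str, pid: int, comm: str, argv: List[str]) -> None:
    """Minimal /proc/<pid> look-alike (constructed fixture) so the resolver runs offline."""
    d = os.path.join(proc_root, str(pid))
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "comm"), "w") as f:
        f.write(comm + "\n")          # real comm files end in a newline
    with open(os.path.join(d, "cmdline"), "wb") as f:
        f.write(b"\0".join(a.encode() for a in argv) + b"\0")  # NUL-separated argv


def demo_fake_resolution() -> Optional[Dict[str, Any]]:
    """Resolve pid 5452 against a fake proc tree; 'example_app' is hypothetical."""
    root = tempfile.mkdtemp()
    make_fake_proc_entry(root, 5452, "example_app", ["/usr/bin/example_app", "--flag"])
    return resolve_pid(5452, root)


def triage(lines: List[str]) -> List[Dict[str, Any]]:
    """One summary per denied record: suggested rule, subject pid, target pid."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        out.append({"rule": allow_rule(rec), "subject_pid": rec.get("pid"), "target_pid": target_pid(rec)})
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_AVCS):
        print(entry)
        if entry["target_pid"] is not None:
            print("  live lookup:", resolve_pid(entry["target_pid"]))  # None once it has exited
    print("fake tree:", demo_fake_resolution())
```

To catch a short-lived target in practice, run the live lookup from a loop over the audit log as records arrive rather than minutes later; the resolver returning None is the signal that the process exited first, which is consistent with the "pidof returns nothing" observation above.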
That is because I lied. Try 3.0.8-32.fc8
Hmm, denial still present. I'll run a relabel, just in case.
Relabel did not help.
Fixed in selinux-policy-3.0.8-56.fc8