Bug 431221 - Root can't write to /proc/*/{oom_adj,sched}
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-01 10:56 EST by Michal Schmidt
Modified: 2008-03-05 17:17 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-03-05 17:17:26 EST
Description Michal Schmidt 2008-02-01 10:56:23 EST
Description of problem:
Root is denied write access to files in /proc/<pid>/ which should be writable 
by him, even from an unconfined_t shell.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-81.fc8.noarch
selinux-policy-targeted-3.0.8-81.fc8.noarch
kernel-2.6.23.14-107.fc8.x86_64

How reproducible:

Steps to Reproduce:
Log in as root. Let's choose a confined process, e.g. hald:
# cd /proc/$(/sbin/pidof hald)
# ls -l oom_adj
-rw-r--r-- 1 root root 0 Feb  1 16:12 oom_adj
# echo 1 > oom_adj 
bash: oom_adj: Permission denied


Actual results:
Write access is denied, an AVC message is generated:

avc: denied { write } for comm=bash dev=proc egid=0 euid=0 exe=/bin/bash 
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=oom_adj pid=5920 
scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0 
subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file 
tcontext=system_u:system_r:hald_t:s0 tty=pts3 uid=0


Expected results:
Root should be allowed to tune the processes' writable parameters 
in /proc/<pid>/

Additional info:
The bug prevents the latencytop utility from working correctly with SELinux in 
enforcing mode (latencytop is going through package review: 
https://bugzilla.redhat.com/show_bug.cgi?id=431047 ).
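
Added example, not part of the original report or of selinux-policy: a small Python parser for the AVC record quoted in the description. It shows that the /proc/<pid>/ file carries the owning process's type (hald_t), so the write is checked as unconfined_t against hald_t:file even for euid 0. The rule it derives is an audit2allow-style reading of the record, not necessarily the change shipped in the fix; all function names are illustrative.

```python
import re

# AVC record copied from the report above, with its hard line wraps joined.
AVC = (
    "avc: denied { write } for comm=bash dev=proc egid=0 euid=0 exe=/bin/bash "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=oom_adj pid=5920 "
    "scontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0 "
    "subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file "
    "tcontext=system_u:system_r:hald_t:s0 tty=pts3 uid=0"
)

def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    user, role, setype = parts[:3]
    return {"user": user, "role": role, "type": setype,
            "level": parts[3] if len(parts) == 4 else None}

def parse_avc(record):
    """Return decision, permissions and key=value fields of one AVC record."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", record, re.S)
    if not m:
        raise ValueError("no AVC decision found")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError(f"AVC record lacks {key}")
    return {"decision": m.group(1), "perms": m.group(2).split(), "fields": fields,
            "source": parse_context(fields["scontext"]),
            "target": parse_context(fields["tcontext"])}

def te_rule(avc):
    """Type-enforcement rule that would cover this access (audit2allow-style)."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (f"allow {avc['source']['type']} {avc['target']['type']}:"
            f"{avc['fields']['tclass']} {perm_str};")

def root_denied_by_selinux(avc):
    """True when the caller had euid=0 and the AVC decision was still 'denied'."""
    return avc["decision"] == "denied" and avc["fields"].get("euid") == "0"

if __name__ == "__main__":
    avc = parse_avc(AVC)
    print(te_rule(avc))
    print("root denied by SELinux:", root_denied_by_selinux(avc))
```
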
Comment 1 Daniel Walsh 2008-02-02 00:12:01 EST
Fixed in selinux-policy-3.0.8-84.fc8
Comment 2 Daniel Walsh 2008-03-05 17:17:26 EST
Bugs have been in modified for over one month. Closing as fixed in current
release; please reopen if the problem still persists.
