Bug 508070 - SELinux is preventing ps (dhcpc_t) "sys_ptrace" dhcpc_t.
Summary: SELinux is preventing ps (dhcpc_t) "sys_ptrace" dhcpc_t.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2009-06-25 13:35 UTC by Frank Middleton
Modified: 2009-11-18 13:00 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-11-18 13:00:51 UTC
Type: ---

Attachments (Terms of Use)

Description Frank Middleton 2009-06-25 13:35:16 UTC
Description of problem:

Filing this because it asked me to. It does not seem to have any real impact.

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by ps. It is not expected that this access is required by ps and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 

You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Version-Release number of selected component (if applicable):

How reproducible:

Every time

Steps to Reproduce:
1. Type "dhclient" from the command line with no parameters
Actual results:

Troubleshooter pops up

Expected results:

No troubleshooter popup

Additional info:

Source Context:  unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context:  unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Objects:  None [ capability ]
Source:  ps
Source Path:  /bin/psPort:  <Unknown>
Host:  apogee10.apogeect.com
Source RPM Packages:  procps-3.2.7-23.fc10
Target RPM Packages:  
Policy RPM:  selinux-policy-3.5.13-61.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  catchall
Host Name:  apogee10.apogeect.com
Platform:  Linux apogee10.apogeect.com #1 SMP Wed May 20 22:47:23 EDT 2009 x86_64 x86_64
Alert Count:  14
First Seen:  Sat 13 Jun 2009 04:18:45 PM EDT
Last Seen:  Thu 25 Jun 2009 09:02:45 AM EDT
Local ID:  98c122fd-9bdb-4c5a-8fcb-574ed2267701
Line Numbers:  

Raw Audit Messages :

node=apogee10.apogeect.com type=AVC msg=audit(1245934965.118:83): avc: denied { sys_ptrace } for pid=7132 comm="ps" capability=19 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=capability 

node=apogee10.apogeect.com type=SYSCALL msg=audit(1245934965.118:83): arch=c000003e syscall=0 success=yes exit=256 a0=5 a1=38a4010be0 a2=3ff a3=0 items=0 ppid=7131 pid=7132 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

Comment 1 David Cantrell 2009-06-27 01:31:55 UTC
I'm not seeing this problem on F-11, and I haven't changed the ps line in dhclient-script since F-10.  So my guess is the selinux policies for the system have been updated to allow the operation your are seeing the alert for.

dwalsh, can you help me out here?  I'm not seeing this SELinux message on F-11, so my guess is the policy changed to allow the ps command that runs from dhclient-script to work.

Comment 2 Miroslav Grepl 2009-06-29 10:04:32 UTC
Fixed in selinux-policy-3.5.13-65.fc10

Comment 3 Daniel Walsh 2009-06-29 12:42:44 UTC
David, you can always look for the access within SELinux using sesearch.

# sesearch --allow --dontaudit -s dhcpc_t -p sys_ptrace
Found 1 semantic av rules:
   dontaudit dhcpc_t dhcpc_t : capability { dac_read_search sys_module sys_ptrace sys_tty_config } ; 

Or if you run the AVC trough audit2why it would tell you

# audit2why -i /tmp/t
node=apogee10.apogeect.com type=AVC msg=audit(1245934965.118:83): avc: denied { sys_ptrace } for pid=7132 comm="ps" capability=19 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=capability 

	Was caused by:
		Unknown - should be dontaudit'd by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

Comment 4 Bug Zapper 2009-11-18 12:53:41 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 

Comment 5 Daniel Walsh 2009-11-18 13:00:51 UTC
Closing as current release

Note You need to log in before you can comment on or make changes to this bug.