Bug 787840 (ptraceexe) - SELinux is preventing /usr/libexec/postfix/local from 'sys_ptrace' accesses on the None /var/spool/postfix/active/1C60C6EC7.
Summary: SELinux is preventing /usr/libexec/postfix/local from 'sys_ptrace' accesses o...
Keywords:
Status: CLOSED ERRATA
Alias: ptraceexe
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8c02272b4a0a202c05f45fe61c8...
Duplicates: 787843 787844 787845 788038 788174 788175 790330
Depends On:
Blocks: F17Alpha-accepted, F17AlphaFreezeExcept
 
Reported: 2012-02-06 22:02 UTC by Nicolas Mailhot
Modified: 2012-02-21 19:04 UTC (History)
CC: 20 users

Fixed In Version: selinux-policy-3.10.0-88.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-21 19:04:10 UTC
Type: ---


Attachments
File: description (31.73 KB, text/plain)
2012-02-06 22:02 UTC, Nicolas Mailhot

Description Nicolas Mailhot 2012-02-06 22:02:43 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc2.git4.1.fc17.x86_64
reason:         SELinux is preventing /usr/libexec/postfix/local from 'sys_ptrace' accesses on the None /var/spool/postfix/active/1C60C6EC7.
time:           lun. 06 févr. 2012 22:54:09 CET

description:    Text file, 32488 bytes

Comment 1 Nicolas Mailhot 2012-02-06 22:02:46 UTC
Created attachment 559763 [details]
File: description

Comment 2 Miroslav Grepl 2012-02-07 09:52:18 UTC
*** Bug 787843 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2012-02-07 09:52:43 UTC
*** Bug 787845 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2012-02-07 10:56:27 UTC
*** Bug 788038 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2012-02-07 11:37:58 UTC
*** Bug 787844 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2012-02-09 08:20:45 UTC
*** Bug 788174 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2012-02-09 08:25:15 UTC
*** Bug 788175 has been marked as a duplicate of this bug. ***

Comment 8 Tobias Florek 2012-02-12 14:20:23 UTC
Shouldn't the summary reflect that this bug collects all/most/some 'sys_ptrace-is-now-forbidden' bugs?

Comment 9 Daniel Walsh 2012-02-13 22:18:54 UTC
Well this is really not related to that issue. These are being caused because the kernel is requiring sys_ptrace access for any process that tries to read the link file /proc/PID/exe, where the PID is not the same as the process trying to read it.

This link points to the path of the executable used to start the process.  I believe that the kernel should be requiring DAC_READ_SEARCH and not SYS_PTRACE for this access.

Comment 10 Adam Williamson 2012-02-14 18:38:45 UTC
Proposing this as NTH for Alpha: it'll cause massive AVC spam and -88 fixes it but missed the freeze. Basically any time something writes to syslog you'll get an AVC, according to dwalsh. So if we don't fix this we might wind up with a lot of annoying dupes filed from Alpha.
-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 11 Tim Flink 2012-02-14 18:48:40 UTC
+1 NTH

Comment 12 Robyn Bergeron 2012-02-14 19:05:42 UTC
+1 NTH

Comment 13 d. johnson 2012-02-14 19:11:36 UTC
+1 NTH

This does not backout https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace

Comment 14 Adam Williamson 2012-02-14 19:35:13 UTC
three +1s, plus me: accepting as NTH.
-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 15 Daniel Walsh 2012-02-14 19:40:26 UTC
*** Bug 790330 has been marked as a duplicate of this bug. ***

Comment 16 Daniel Walsh 2012-02-14 20:30:52 UTC
+1 NTH

This does not backout https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace

No I will blog on this soon.

My current understanding of sys_ptrace is ...

If any process tries to look at information about a process with a different UID inside of the /proc file system, it will require sys_ptrace access.  (Although not all fields are protected by it.)  If you tried to actually look at the memory information about a different process, this requires ptrace.

So any process that will be running as root and expect the ps/killall/pidof type commands to work will need the sys_ptrace capability.

From an SELinux point of view this is

allow X_t self:capability sys_ptrace;

If a process wants to also examine/modify the memory of any other process other than its own process (/proc/self) this will require the process ptrace access.

allow X_t Y_t:process ptrace;
or
allow X_t self:process ptrace;

This means we can block all ptrace, but blocking sys_ptrace is impractical.

What is strange, is up until the latest kernels, I did not see this issue.

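The two checks Dan Walsh separates in comment 9 and comment 16 (the CAP_SYS_PTRACE capability check triggered by reading /proc/PID/exe of another UID's process, versus the process-class ptrace permission for actually inspecting another process) show up as differently shaped AVC records in audit.log. The following is an added example, not code from this bug, from setroubleshoot or from the Fedora project: it parses audit.log lines, classifies each denial into "capability sys_ptrace", "process ptrace" or "other", and prints the allow rule in the form used in comment 16 (what audit2allow would print). The sample log lines, PIDs, inode numbers and timestamps are constructed for the example; capability=19 is the kernel's number for CAP_SYS_PTRACE, and syscall 89 on x86_64 is readlink. Nothing in it touches /proc, so it runs anywhere.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample audit.log records (not taken from the attached report).
# Record 301 is the shape of the denial this bug is about: a confined daemon
# hitting the capability check when it readlink()s /proc/PID/exe of another
# UID's process. Record 302 is a process-class ptrace denial, the kind the
# SELinuxDenyPtrace feature is meant to block. Record 303 is unrelated.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328565249.101:301): avc:  denied  { sys_ptrace } for  pid=2831 comm="local" capability=19  scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=capability
type=SYSCALL msg=audit(1328565249.101:301): arch=c000003e syscall=89 success=no exit=-13 comm="local" exe="/usr/libexec/postfix/local"
type=AVC msg=audit(1328565249.102:302): avc:  denied  { ptrace } for  pid=4410 comm="gdb" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1328565249.103:303): avc:  denied  { read } for  pid=2831 comm="local" name="1C60C6EC7" dev="dm-0" ino=40961 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
"""

# Fields of a kernel AVC denial record as the audit daemon writes it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: List[str]
    pid: Optional[int]
    comm: Optional[str]
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        # An SELinux context is user:role:type[:range]; the type is field 2,
        # which also holds for MLS/MCS contexts like ...:s0-s0:c0.c1023.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit.log line; return None for non-AVC records (SYSCALL, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=m.group("perms").split(),
        pid=int(fields["pid"]) if "pid" in fields else None,
        comm=fields.get("comm"),
        scontext=m.group("scontext"),
        tcontext=m.group("tcontext"),
        tclass=m.group("tclass"),
    )


def parse_log(text: str) -> List[Denial]:
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def classify(d: Denial) -> str:
    """Tell the CAP_SYS_PTRACE capability check apart from real ptrace access."""
    if d.tclass == "capability" and "sys_ptrace" in d.perms:
        return "capability sys_ptrace"  # e.g. readlink of /proc/PID/exe, another UID
    if d.tclass == "process" and "ptrace" in d.perms:
        return "process ptrace"  # inspecting/modifying another process's memory
    return "other"


def allow_rule(d: Denial) -> str:
    """Policy rule that would silence this denial, in the form used in comment 16.
    For the sys_ptrace flood the right fix was the updated selinux-policy
    package, not a local module generated from these lines."""
    target = "self" if d.source_type == d.target_type else d.target_type
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {target}:{d.tclass} {perms};"


def summarize(text: str) -> Dict[str, int]:
    """Count denials per class, so a burst of sys_ptrace AVCs (the syslog-write
    spam described in comment 10) can be told apart from genuine ptrace attempts."""
    counts: Dict[str, int] = {}
    for d in parse_log(text):
        kind = classify(d)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for d in parse_log(SAMPLE_AUDIT_LOG):
        print(f"{classify(d):22s} pid={d.pid} comm={d.comm}  ->  {allow_rule(d)}")
    print(summarize(SAMPLE_AUDIT_LOG))
```

Run against a real /var/log/audit/audit.log, a large "capability sys_ptrace" count with a "process ptrace" count near zero is the signature of this bug rather than of anything actually trying to trace other processes.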
Comment 17 Jóhann B. Guðmundsson 2012-02-15 21:11:18 UTC
+1 NTH

Comment 18 Adam Williamson 2012-02-16 02:05:15 UTC
Fix looks good in RC2, I see no sys_ptrace denials on boot. When I did a network install (so got the older selinux-policy), I saw a ton. So setting VERIFIED, we still need to push -88 to stable.
-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 19 Adam Williamson 2012-02-21 19:04:10 UTC
-89 went stable, so we can close this now.
-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

