Bug 787840 - (ptraceexe) SELinux is preventing /usr/libexec/postfix/local from 'sys_ptrace' accesses on the None /var/spool/postfix/active/1C60C6EC7.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Eric Paris
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:8c02272b4a0a202c05f45fe61c8...
Duplicates: 787843 787844 787845 788038 788174 788175 790330
Blocks: F17Alpha-accepted/F17AlphaFreezeExcept
Reported: 2012-02-06 17:02 EST by Nicolas Mailhot
Modified: 2012-02-21 14:04 EST
Fixed In Version: selinux-policy-3.10.0-88.fc17
Doc Type: Bug Fix
Last Closed: 2012-02-21 14:04:10 EST
Attachments: description (31.73 KB, text/plain), 2012-02-06 17:02 EST, Nicolas Mailhot

Description Nicolas Mailhot 2012-02-06 17:02:43 EST
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc2.git4.1.fc17.x86_64
reason:         SELinux is preventing /usr/libexec/postfix/local from 'sys_ptrace' accesses on the None /var/spool/postfix/active/1C60C6EC7.
time:           lun. 06 févr. 2012 22:54:09 CET

description:    Text file, 32488 bytes
Comment 1 Nicolas Mailhot 2012-02-06 17:02:46 EST
Created attachment 559763 [details]
File: description
Comment 2 Miroslav Grepl 2012-02-07 04:52:18 EST
*** Bug 787843 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2012-02-07 04:52:43 EST
*** Bug 787845 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2012-02-07 05:56:27 EST
*** Bug 788038 has been marked as a duplicate of this bug. ***
Comment 5 Miroslav Grepl 2012-02-07 06:37:58 EST
*** Bug 787844 has been marked as a duplicate of this bug. ***
Comment 6 Miroslav Grepl 2012-02-09 03:20:45 EST
*** Bug 788174 has been marked as a duplicate of this bug. ***
Comment 7 Miroslav Grepl 2012-02-09 03:25:15 EST
*** Bug 788175 has been marked as a duplicate of this bug. ***
Comment 8 Tobias Florek 2012-02-12 09:20:23 EST
Shouldn't the summary reflect that this bug collects all/most/some 'sys_ptrace-is-now-forbidden' bugs?
Comment 9 Daniel Walsh 2012-02-13 17:18:54 EST
Well this is really not related to that issue. These are being caused because the kernel is requiring sys_ptrace access for any process that tries to read the link file /proc/PID/exe, where the PID is not the same as the process trying to read it.

This link points to the path of the executable used to start the process.  I believe that the kernel should be requiring DAC_READ_SEARCH and not SYS_PTRACE for this access.
Comment 10 Adam Williamson 2012-02-14 13:38:45 EST
Proposing this as NTH for Alpha: it'll cause massive AVC spam and -88 fixes it but missed the freeze. Basically any time something writes to syslog you'll get an AVC, according to dwalsh. So if we don't fix this we might wind up with a lot of annoying dupes filed from Alpha.

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 11 Tim Flink 2012-02-14 13:48:40 EST
+1 NTH
Comment 12 Robyn Bergeron 2012-02-14 14:05:42 EST
+1 NTH
Comment 13 d. johnson 2012-02-14 14:11:36 EST
+1 NTH

This does not backout https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace
Comment 14 Adam Williamson 2012-02-14 14:35:13 EST
three +1s, plus me: accepting as NTH.
Comment 15 Daniel Walsh 2012-02-14 14:40:26 EST
*** Bug 790330 has been marked as a duplicate of this bug. ***
Comment 16 Daniel Walsh 2012-02-14 15:30:52 EST
+1 NTH

This does not backout https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace

No I will blog on this soon.

My current understanding of sys_ptrace is ...

If any process tries to look at information about a process with a different UID inside of the /proc file system, it will require sys_ptrace access.  (Although not all fields are protected by it.)  If you tried to actually look at the memory information about a different process, this requires ptrace.

So any process that will be running as root and expect the ps/killall/pidof type commands to work will need the sys_ptrace capability.

From an SELinux point of view this is 

allow X_t self:capability sys_ptrace;

If a process wants to also examine/modify the memory of any process other than its own (/proc/self), this will require process ptrace access.

allow X_t Y_t:process ptrace;
or 
allow X_t self:process ptrace;

This means we can block all ptrace, but blocking sys_ptrace is impractical.

What is strange is that, up until the latest kernels, I did not see this issue.
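As an added illustration of the distinction drawn in comments 9 and 16 (this is not part of the bug report or of selinux-policy), here is a small Python triage script that reads audit AVC lines and separates the `capability { sys_ptrace }` denials this bug is about from genuine `process { ptrace }` denials, emitting an allow rule in the form given above. The AVC lines are constructed samples in the kernel's audit format, not lines from the attached description; the `local`/`gdb` processes and the `sshd_t` target are assumptions.

```python
import re

# Constructed sample AVC lines in the kernel's audit format (not taken from the bug's attachment):
# the first is the kind of denial this bug is about, the second is a genuine ptrace attempt.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1328565249.123:456): avc:  denied  { sys_ptrace } for  pid=1234 '
    'comm="local" capability=19  scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=system_u:system_r:postfix_local_t:s0 tclass=capability',
    'type=AVC msg=audit(1328565250.456:457): avc:  denied  { ptrace } for  pid=2345 '
    'comm="gdb" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Type field (third colon-separated part) of a context such as system_u:system_r:postfix_local_t:s0."""
    return context.split(':')[2]

def classify_avc(line):
    """Parse one AVC denial; tell the capability check apart from a real process ptrace."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group('perms').split())
    stype, ttype = selinux_type(m.group('scontext')), selinux_type(m.group('tcontext'))
    if m.group('tclass') == 'capability' and 'sys_ptrace' in perms:
        # The kernel's CAP_SYS_PTRACE check, e.g. reading another process's /proc/PID/exe:
        # harmless in itself, and the rule form the comment above gives for it.
        return {'comm': m.group('comm'), 'kind': 'capability',
                'rule': f'allow {stype} self:capability sys_ptrace;'}
    if m.group('tclass') == 'process' and 'ptrace' in perms:
        # Access to another process's memory: review before adding this rule.
        target = 'self' if stype == ttype else ttype
        return {'comm': m.group('comm'), 'kind': 'ptrace',
                'rule': f'allow {stype} {target}:process ptrace;'}
    return {'comm': m.group('comm'), 'kind': 'other', 'rule': None}

def triage(lines):
    """Classify every AVC line in order, skipping lines that are not AVC denials."""
    return [r for r in (classify_avc(l) for l in lines) if r is not None]

if __name__ == '__main__':
    for r in triage(SAMPLE_AVCS):
        print(f"{r['comm']:<8} {r['kind']:<10} {r['rule']}")
```

Feed it `grep avc /var/log/audit/audit.log` to see how much of the post-kernel-update noise is the capability check rather than anything touching another process's memory.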
Comment 17 Jóhann B. Guðmundsson 2012-02-15 16:11:18 EST
+1 NTH
Comment 18 Adam Williamson 2012-02-15 21:05:15 EST
Fix looks good in RC2, I see no sys_ptrace denials on boot. When I did a network install (so got the older selinux-policy), I saw a ton. So setting VERIFIED, we still need to push -88 to stable.
Comment 19 Adam Williamson 2012-02-21 14:04:10 EST
-89 went stable, so we can close this now.
