Description of problem:
Under a custom defined domain, ps returns lots of denied messages ...

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. Create a custom selinux policy
2. Grant wanted rights to the policy
3. Create a confined app to the new domain that will do a simple "ps"
4. Run the application
5. cat /var/log/audit/auditd.log

Actual results:
Denied

Expected results:
Not denied, it's PS!!!

Additional info:
I could turn off auditing for these but if a new context appears, I will have to turn off auditing for that new context too!!

Suggestion: Create a context for ps that any domain could transition to and that would be reserved to "ps". I.e.: initrc_exec_t -> tomcat_t -> ps_bin_t -> unconfined_t

Unless we're not trusting "ps", I still feel this is an annoyance more than anything. The problem I face is that /proc/myPID/myfiles are labelled according to the domain in which the processes are and my domain isn't allowed to read those files...
Yes, this is on RHEL5 where you need to allow read all domain state.
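As an added example (not from the report or the reply), a minimal policy module for the confined domain the report describes, applying the fix the reply names: one reference-policy interface that grants read access to the process state of all domains, so no per-domain allow rule has to be chased as new contexts appear. The names myapp_t and myapp_exec_t are assumptions; the supporting interfaces beyond domain_read_all_domains_state are the ones ps typically needs but vary by policy release.

```selinux
policy_module(myapp, 1.0)

########################################
# Declarations
#
# myapp_t: the confined domain the application runs in (assumed name).
# myapp_exec_t: label of the application binary, the entry point into myapp_t.
type myapp_t;
type myapp_exec_t;
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)
role system_r types myapp_t;

########################################
# Policy
#
# Run ps (and other bin_t programs) without a domain transition, so ps
# executes as myapp_t and the rules below are the ones that matter.
corecmd_exec_bin(myapp_t)

# The fix for the reported denials: ps reads /proc/<pid>/{stat,status,cmdline}
# for every process, and each of those files is labelled with the domain of
# its process. Rather than one allow rule per domain, grant read access to
# the process state of all domains in a single interface.
domain_read_all_domains_state(myapp_t)
# ps also stats and searches every /proc/<pid> directory.
domain_getattr_all_domains(myapp_t)

# Supporting rules ps commonly needs: /proc/sys, /proc/meminfo, uptime, ...
kernel_read_system_state(myapp_t)
# /etc/passwd and /etc/group lookups for the USER column.
files_read_etc_files(myapp_t)
# ps inspects the terminal it is attached to for the TTY column.
term_use_all_terms(myapp_t)

# Build and load (selinux-policy-devel installed):
#   make -f /usr/share/selinux/devel/Makefile myapp.pp && semodule -i myapp.pp
```

After loading the module, run the application again and check that `ausearch -m avc -c ps` reports no further denials; any that remain point at a supporting permission this release handles differently.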