Red Hat Bugzilla – Bug 806475
under a custom defined domain, ps returns lots of denied messages
Last modified: 2012-03-26 06:41:09 EDT
Description of problem:
Under a custom defined domain, ps returns lots of denied messages ...
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a custom SELinux policy
2. Grant wanted rights to the policy
3. Create a confined app to the new domain that will do a simple "ps"
4. Run the application
5. cat /var/log/audit/auditd.log
Not denied, it's PS!!!
I could turn off auditing for these but if a new context appears, I will have to turn off auditing for that new context too!!
Create a context for ps that any domain could transition to and that would be reserved to "ps".
Unless we're not trusting "ps", I still feel this is an annoyance more than anything.
The problem I face is that /proc/myPID/myfiles are labelled according to the domain in which the processes are and my domain isn't allowed to read those files...
Yes, this is on RHEL5 where you need to allow read all domain state.
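The following is an added example, not part of the bug report or of Red Hat's tooling: it groups AVC denials on `/proc/<pid>` entries by the domain that owns each entry, which shows why per-type dontaudit rules keep growing while a single rule over all domains does not. The log lines are constructed, and `myapp_t` is a hypothetical name for the custom domain.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the bug report); myapp_t is hypothetical.
SAMPLE_LOG = """\
type=AVC msg=audit(1332758400.101:501): avc:  denied  { getattr } for  pid=4321 comm="ps" path="/proc/1" dev=proc ino=65538 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1332758400.102:502): avc:  denied  { search } for  pid=4321 comm="ps" name="2210" dev=proc ino=144834562 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=dir
type=AVC msg=audit(1332758400.103:503): avc:  denied  { read } for  pid=4321 comm="ps" name="stat" dev=proc ino=144834575 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=file
type=AVC msg=audit(1332758400.104:504): avc:  denied  { getattr } for  pid=4321 comm="ps" path="/proc/1" dev=proc ino=65538 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1332758400.200:505): avc:  denied  { write } for  pid=4400 comm="myapp" name="app.log" dev=dm-0 ino=98123 scontext=user_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?dev=(?P<dev>\S+) .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')


def proc_state_denials(log_text):
    """Return {source domain: {target domain: ['class:perm', ...]}} for
    denials on per-process /proc entries."""
    found = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("dev") != "proc":
            continue  # not an AVC denial, or not on the proc filesystem
        t_role, t_type = m.group("tcon").split(":")[1:3]
        if t_role == "object_r":
            continue  # generic /proc file (e.g. proc_t), not labelled after a process
        src = m.group("scon").split(":")[2]
        for perm in m.group("perms").split():
            found[src][t_type].add(f'{m.group("tclass")}:{perm}')
    return {s: {t: sorted(p) for t, p in tg.items()} for s, tg in found.items()}


def summarize(log_text):
    """One line per source domain: how many distinct process domains it was denied on."""
    return [f"{src}: denied on {len(tgts)} process domain(s): {', '.join(sorted(tgts))}"
            for src, tgts in proc_state_denials(log_text).items()]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

In reference policy the grant over all domains is the `domain_read_all_domains_state` interface and its silent counterpart is `domain_dontaudit_read_all_domains_state`; confirm that the installed RHEL5 policy ships them before relying on either.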