Bug 806475 - under a custom defined domain, ps returns lots of denied messages
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.8
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2012-03-23 17:39 EDT by David Hill
Modified: 2012-03-26 06:41 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-03-26 06:41:09 EDT
Description David Hill 2012-03-23 17:39:00 EDT
Description of problem:
Under a custom defined domain, ps returns lots of denied messages ...

Version-Release number of selected component (if applicable):


How reproducible:
Every time.

Steps to Reproduce:
1. Create a custom selinux policy
2. Grant wanted rights to the policy
3. Create a confined app to the new domain that will do a simple "ps" 
4. Run the application
5. cat /var/log/audit/auditd.log
  
Actual results:
Denied


Expected results:
Not denied, it's PS!!!


Additional info:
I could turn off auditing for these but if a new context appears, I will have to turn off auditing for that new context too!!

Suggestion:
Create a context for ps that any domain could transition to and that would be reserved to "ps".

I.e.:

initrc_exec_t
\-> tomcat_t
  \-> ps_bin_t
     \-> unconfined_t

Unless we're not trusting "ps", I still feel this is an annoyance more than anything.

The problem I face is that /proc/myPID/myfiles are labelled according to the domain in which the processes are and my domain isn't allowed to read those files...
Comment 1 Miroslav Grepl 2012-03-26 06:41:09 EDT
Yes, this is on RHEL5 where you need to allow read all domain state.
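The following is an added example, not code from the bug report or from the Red Hat policy package. It writes a minimal policy module for a hypothetical confined domain `myps_t` that executes /bin/ps, and applies the fix Comment 1 describes: granting the domain read access to every domain's /proc/<pid> state via the reference-policy interface `domain_read_all_domains_state()`, instead of dontaudit-ing each new context as it appears. The module name `myps`, the binary path /usr/local/sbin/myps and the use of the `selinux-policy-devel` headers under /usr/share/selinux/devel are assumptions for illustration; `build_and_check` only makes sense on a host with those tools installed.

```shell
#!/bin/bash
# Added example (not from the bug report): a policy module for a hypothetical
# confined daemon domain "myps_t" that runs /bin/ps, with the fix from
# Comment 1 (read all domains' /proc state). Interface names come from the
# reference policy headers shipped in selinux-policy-devel; "myps" and every
# path below are assumptions for illustration.
set -eu

# Write the policy source (.te) and file contexts (.fc) into the directory $1.
write_myps_policy() {
    local dir="$1"
    mkdir -p "$dir"
    cat > "$dir/myps.te" <<'EOF'
policy_module(myps, 1.0.0)

type myps_t;
type myps_exec_t;
init_daemon_domain(myps_t, myps_exec_t)

# Let the daemon execute ps (and the rest of bin_t) without a domain transition.
corecmd_exec_bin(myps_t)

# ps reads /proc/stat, /proc/uptime, /proc/meminfo, ... (proc_t).
kernel_read_system_state(myps_t)

# The fix from Comment 1: /proc/<pid>/{stat,status,cmdline} are labelled with
# the domain of the process they describe, so a domain that runs ps must be
# allowed to read the state of every domain, not only its own.
domain_read_all_domains_state(myps_t)

# Alternative the reporter considered: keep the denials but silence them.
# ps then shows gaps for the processes it cannot read.
# domain_dontaudit_read_all_domains_state(myps_t)
EOF
    cat > "$dir/myps.fc" <<'EOF'
/usr/local/sbin/myps	--	gen_context(system_u:object_r:myps_exec_t,s0)
EOF
}

# Build and load the module, relabel the binary, re-run the confined app and
# count any AVC denials for ps that still name myps_t (expect 0).
build_and_check() {
    local dir="$1"
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile myps.pp)
    semodule -i "$dir/myps.pp"
    restorecon -v /usr/local/sbin/myps
    # myps_exec_t is the entrypoint for myps_t, so an unconfined shell can
    # start the daemon directly in its domain for the check.
    runcon -t myps_t /usr/local/sbin/myps
    ausearch -m avc -c ps -ts recent 2>/dev/null | grep -c 'scontext=[^ ]*:myps_t' || true
}

# Usage: ./myps-policy.sh [install]
# Without "install" only the policy sources are written, for review.
write_myps_policy ./myps-policy
if [ "${1:-}" = "install" ]; then
    build_and_check ./myps-policy
fi
```

The point of `domain_read_all_domains_state()` over per-domain dontaudit rules is that it covers contexts that do not exist yet: any new domain's /proc files are still of attribute `domain`, so ps keeps working without a policy update. Check the audit log after loading; any remaining denials (for example getattr on tty devices, which ps uses to fill the TTY column) show up there and can be added to the module the same way.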
