Bug 806475 - under a custom defined domain, ps returns lots of denied messages
Summary: under a custom defined domain, ps returns lots of denied messages
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.8
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-03-23 21:39 UTC by David Hill
Modified: 2012-03-26 10:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-26 10:41:09 UTC
Target Upstream Version:
Embargoed:



Description David Hill 2012-03-23 21:39:00 UTC
Description of problem:
Under a custom defined domain, ps returns lots of denied messages ...

Version-Release number of selected component (if applicable):


How reproducible:
Every time.

Steps to Reproduce:
1. Create a custom selinux policy
2. Grant wanted rights to the policy
3. Create a confined app in the new domain that will do a simple "ps"
4. Run the application
5. cat /var/log/audit/auditd.log

Actual results:
Denied


Expected results:
Not denied, it's PS!!!


Additional info:
I could turn off auditing for these but if a new context appears, I will have to turn off auditing for that new context too!!

Suggestion:
Create a context for ps that any domain could transition to and that would be reserved to "ps".

I.e.:

initrc_exec_t
\-> tomcat_t
  \-> ps_bin_t
     \-> unconfined_t

Unless we're not trusting "ps", I still feel this is an annoyance more than anything.

The problem I face is that /proc/myPID/myfiles are labelled according to the domain in which the processes are and my domain isn't allowed to read those files...

Comment 1 Miroslav Grepl 2012-03-26 10:41:09 UTC
Yes, this is on RHEL5 where you need to allow read all domain state.


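The policy change the comment above points at, written out as an added example (not code from the bug report or from the RHEL 5 policy package): a reference-policy style module for a hypothetical confined domain `mydaemon_t` that runs `ps`. The domain and type names are assumptions; the interfaces used are standard refpolicy interfaces.

```selinux
policy_module(mydaemon, 1.0)

# Hypothetical domain and entrypoint type for the confined application.
type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# ps is an ordinary binary under /bin (bin_t); allow the domain to run it
# without a transition, so it stays inside mydaemon_t.
corecmd_exec_bin(mydaemon_t)

# /proc/<pid>/* is labelled with the domain of the owning process, so a
# confined domain gets one AVC denial per foreign domain it stats or reads.
# Granting read access to the state of all domains is what the comment
# refers to, and it is far narrower than the reporter's suggestion of a
# ps_bin_t entrypoint that transitions into unconfined_t.
domain_getattr_all_domains(mydaemon_t)
domain_read_all_domains_state(mydaemon_t)

# ps also reads kernel-owned files such as /proc/uptime and /proc/meminfo.
kernel_read_system_state(mydaemon_t)

# Alternative the reporter considered: silence the denials instead of
# allowing the access. ps then runs without AVC noise but silently omits
# processes it cannot read, and the audit trail for that access is lost.
# dontaudit is the right choice only when the listing is not actually needed.
# domain_dontaudit_read_all_domains_state(mydaemon_t)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile mydaemon.pp && semodule -i mydaemon.pp`, then re-run the application and confirm with `ausearch -m avc -c ps` that no new denials are logged.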