+++ This bug was initially created as a clone of Bug #786876 +++

New feature coming in Fedora 17 will allow users to disable ptrace and sys_ptrace access on an SELinux system. http://danwalsh.livejournal.com/49336.html talks about this and demonstrates it.

$ ltrace id
PTRACE_TRACEME: Permission denied
PTRACE_SETOPTIONS: No such process

It has been suggested that we should probably print something about SELinux potentially blocking this access. gdb does the following (see Bug 786878):

$ gdb -ex r -ex q --quiet /usr/bin/id
Reading symbols from /usr/bin/id...Reading symbols from /usr/lib/debug/usr/bin/id.debug...done.
done.
Starting program: /usr/bin/id
Cannot create process: Permission denied
warning: the SELinux boolean 'deny_ptrace' is enabled, you can disable this process attach protection by: (gdb) shell sudo setsebool deny_ptrace=0
During startup program exited with code 127.

Note that Bug 802072 contains a discussion of whether PTRACE_TRACEME should be allowed by default, or whether only PTRACE_ATTACH should rely on the SELinux boolean deny_ptrace. A final implementation in ltrace should probably wait on the results of that discussion.
Thanks, the code linked in bug 786878 is exactly what I need. That discussion at that other bug seems less than lively, so I'll just roll out what I have now. The worst that can happen is that there is one extra call on an error path that never hits anyway. I added a patch to upstream and will port it to F17 shortly.
ltrace-0.6.0-6.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/ltrace-0.6.0-6.fc17
Thanks for the swift update! These are the results from my testing. There is no mention of SELinux in the error message; is this the expected behaviour?

[root@f17-20120406 tmp]# rpm -q ltrace
ltrace-0.6.0-6.fc17.x86_64
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
I consistently fail to read a word from the freshly launched process. I'll now try to proceed with tracing, but this shouldn't be happening.
PTRACE_SETOPTIONS: No such process
+++ exited (status 1) +++
D'oh, of course not, I forgot to add libselinux-devel to BR.
... _and_ forgot to patch configure itself (only configure.ac). That's them swift updates.
I edited the bodhi update request with a new build, ltrace-0.6.0-7.fc17
Old behaviour:

[root@f17-20120406 tmp]# rpm -q ltrace
ltrace-0.6.0-4.fc17.x86_64
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
PTRACE_SETOPTIONS: No such process
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied

New behaviour:

[root@f17-20120406 tmp]# rpm -Uvh ltrace-0.6.0-7.fc17.x86_64.rpm
Preparing...                ########################################### [100%]
   1:ltrace                 ########################################### [100%]
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
The SELinux boolean 'deny_ptrace' is enabled, which may prevent ltrace from tracing other processes. You can disable this process attach protection by issuing 'setsebool deny_ptrace=0' in the superuser context.
I consistently fail to read a word from the freshly launched process. I'll now try to proceed with tracing, but this shouldn't be happening.
PTRACE_SETOPTIONS: No such process
+++ exited (status 1) +++
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied
The SELinux boolean 'deny_ptrace' is enabled, which may prevent ltrace from tracing other processes. You can disable this process attach protection by issuing 'setsebool deny_ptrace=0' in the superuser context.

Thanks again!
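The check that gdb performs (comment 1) and the message ltrace now prints (above) amount to: after a ptrace(2) call fails with EPERM, look up the SELinux boolean deny_ptrace and, only when it is on, append the hint. The following is an added example of that logic; it is not ltrace's or gdb's own code. It reads the boolean through the selinuxfs file rather than libselinux so it builds without libselinux-devel, and the path /sys/fs/selinux/booleans/deny_ptrace is an assumption about where selinuxfs is mounted. The function names are this example's own.

```c
/* Added example (not ltrace's or gdb's own code): after ptrace(2) fails with
 * EPERM, consult the SELinux 'deny_ptrace' boolean and, if it is on, append
 * the hint this bug report asked ltrace to print. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed selinuxfs mount point; libselinux would use selinux_booleans_path(). */
#define DENY_PTRACE_PATH "/sys/fs/selinux/booleans/deny_ptrace"

/* selinuxfs exposes each boolean as "<current> <pending>", e.g. "1 1".
 * Returns 1 if the boolean is active, 0 if inactive, -1 if unparseable. */
int parse_selinux_boolean(const char *contents)
{
    if (contents == NULL)
        return -1;
    int terminated = contents[1] == ' ' || contents[1] == '\n' || contents[1] == '\0';
    if (contents[0] == '1' && terminated)
        return 1;
    if (contents[0] == '0' && terminated)
        return 0;
    return -1;
}

/* Live value of deny_ptrace; -1 when SELinux is disabled, selinuxfs is not
 * mounted, or the loaded policy predates the boolean. */
int deny_ptrace_active(void)
{
    char buf[16] = {0};
    FILE *f = fopen(DENY_PTRACE_PATH, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_selinux_boolean(buf);
}

/* Builds the diagnostic for a failed ptrace request. 'err' is the errno from
 * ptrace, 'boolean' the result of deny_ptrace_active(). Returns 1 when the
 * SELinux hint was appended, 0 when only the strerror text applies. Note that
 * strerror(EPERM) reads "Operation not permitted"; ltrace's own wording differs. */
int ptrace_failure_message(const char *op, int err, int boolean, char *out, size_t outlen)
{
    int len = snprintf(out, outlen, "%s: %s", op, strerror(err));
    if (len < 0)
        return 0;
    /* Only EPERM is a candidate: the later ESRCH ("No such process") is a
     * consequence of the first failure and says nothing about SELinux. */
    if (err != EPERM || boolean != 1)
        return 0;
    size_t rest = outlen > (size_t)len ? outlen - (size_t)len : 0;
    snprintf(out + len, rest,
             "\nThe SELinux boolean 'deny_ptrace' is enabled, which may prevent "
             "ltrace from tracing other processes. You can disable this process "
             "attach protection by issuing 'setsebool deny_ptrace=0' in the "
             "superuser context.");
    return 1;
}

int main(void)
{
    /* Reproduce the 'ltrace /usr/bin/id' path: a freshly forked child asks to
     * be traced, and reports with the SELinux hint if that is refused. */
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) {
            char msg[512];
            ptrace_failure_message("PTRACE_TRACEME", errno, deny_ptrace_active(),
                                   msg, sizeof msg);
            fprintf(stderr, "%s\n", msg);
            _exit(1);
        }
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

When deny_ptrace is off, or SELinux is not enforcing ptrace at all, the child exits 0 and nothing is printed; the hint only appears on the EPERM path, so the extra file read never costs anything on a working system, matching the "one extra call on an error path" reasoning in comment 2.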
ltrace-0.6.0-11.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/ltrace-0.6.0-11.fc17
ltrace-0.6.0-11.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.