Bug 810973 - We need to patch ltrace for potential SELinux breakage.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: ltrace
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Petr Machata
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Depends On: 802072
Blocks:
Reported: 2012-04-09 14:56 EDT by Niels de Vos
Modified: 2015-05-04 21:36 EDT (History)
CC: 4 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 786876
Environment:
Last Closed: 2012-05-26 03:16:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Attachments: None
Description Niels de Vos 2012-04-09 14:56:10 EDT
+++ This bug was initially created as a clone of Bug #786876 +++

New feature coming in Fedora 17 will allow users to disable ptrace and sys_ptrace access on an SELinux system.

http://danwalsh.livejournal.com/49336.html

Talks about this and demonstrates it.

$ ltrace id
PTRACE_TRACEME: Permission denied
PTRACE_SETOPTIONS: No such process

It has been suggested that we should probably print something about SELinux potentially blocking this access.

gdb does the following (see Bug 786878):

$ gdb -ex r -ex q --quiet /usr/bin/id
Reading symbols from /usr/bin/id...Reading symbols from /usr/lib/debug/usr/bin/id.debug...done.
done.
Starting program: /usr/bin/id 
Cannot create process: Permission denied
warning: the SELinux boolean 'deny_ptrace' is enabled, you can disable this process attach protection by: (gdb) shell sudo setsebool deny_ptrace=0
During startup program exited with code 127.


Note that Bug 802072 contains a discussion on whether PTRACE_TRACEME should be allowed by default, or whether only PTRACE_ATTACH should rely on the SELinux boolean deny_ptrace. A final implementation in ltrace should probably wait on the results of that discussion.
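The check the report asks for, shown as an added example that is not ltrace's or gdb's own code: after a failed ptrace() call, read the current value of the deny_ptrace boolean through selinuxfs and append the SELinux hint only when the error is a permission error and the boolean is on. The selinuxfs mount point /sys/fs/selinux and the /tmp file names are assumptions; the boolean file used by main() is constructed for the demonstration so the logic runs on a machine without SELinux.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed selinuxfs location of the boolean. The file holds
 * "<current> <pending>"; every function takes the path as a parameter
 * so the same code can be exercised on a constructed file. */
#define DENY_PTRACE_PATH "/sys/fs/selinux/booleans/deny_ptrace"

/* Returns the boolean's current value (0 or 1), or -1 when the file
 * cannot be read or parsed (no SELinux, or the boolean does not exist). */
int read_selinux_boolean(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int current = -1, pending = -1;
    int n = fscanf(f, "%d %d", &current, &pending);
    fclose(f);
    if (n < 1 || (current != 0 && current != 1))
        return -1;
    return current;
}

/* Formats the diagnostic for a ptrace() failure with errno 'err' into buf.
 * Returns 1 when the SELinux hint was appended, 0 when only the plain
 * strerror() text was produced. SELinux denials surface as EACCES
 * ("Permission denied", as in the output above); EPERM is accepted too. */
int explain_ptrace_error(int err, const char *bool_path, char *buf, size_t len)
{
    int used = snprintf(buf, len, "ptrace: %s\n", strerror(err));
    if (used < 0 || (size_t)used >= len)
        return 0;
    if ((err != EACCES && err != EPERM) || read_selinux_boolean(bool_path) != 1)
        return 0;
    snprintf(buf + used, len - (size_t)used,
             "The SELinux boolean 'deny_ptrace' is enabled, which may prevent "
             "tracing other processes.  An administrator can relax it with "
             "'setsebool deny_ptrace=0'.\n");
    return 1;
}

/* Writes a constructed boolean file (demonstration helper only). */
int write_fake_boolean(const char *path, const char *contents)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fputs(contents, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    char msg[512];
    /* Constructed file standing in for deny_ptrace=1 on a live system. */
    if (write_fake_boolean("/tmp/deny_ptrace_example_on", "1 1\n") != 0)
        return 1;
    explain_ptrace_error(EACCES, "/tmp/deny_ptrace_example_on", msg, sizeof msg);
    fputs(msg, stdout);
    /* Same error against the real boolean: the hint appears only if it is on. */
    explain_ptrace_error(EACCES, DENY_PTRACE_PATH, msg, sizeof msg);
    fputs(msg, stdout);
    return 0;
}
```

Keying the hint on the errno value keeps it off the ESRCH path (the "No such process" seen for PTRACE_SETOPTIONS above), where the boolean is not the cause.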
Comment 1 Petr Machata 2012-04-10 17:09:14 EDT
Thanks, the code linked in bug 786878 is exactly what I need.  That discussion at that other bug seems less than lively, so I'll just roll out what I have now.  The worst that can happen is that there is one extra call on an error path that never hits anyway.  I added a patch to upstream and will port it to F17 shortly.
Comment 2 Fedora Update System 2012-04-10 17:26:01 EDT
ltrace-0.6.0-6.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ltrace-0.6.0-6.fc17
Comment 3 Niels de Vos 2012-04-11 06:27:56 EDT
Thanks for the swift update!

These are the results from my testing. There is no mention of SELinux in the error message, is this the expected behaviour?

[root@f17-20120406 tmp]# rpm -q ltrace
ltrace-0.6.0-6.fc17.x86_64
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
I consistently fail to read a word from the freshly launched process.
I'll now try to proceed with tracing, but this shouldn't be happening.
PTRACE_SETOPTIONS: No such process
+++ exited (status 1) +++
Comment 4 Petr Machata 2012-04-11 06:47:22 EDT
D'oh, of course not, I forgot to add libselinux-devel to BR.
Comment 5 Petr Machata 2012-04-11 07:03:15 EDT
... _and_ forgot to patch configure itself (only configure.ac).  That's them swift updates.
Comment 6 Petr Machata 2012-04-11 07:53:02 EDT
I edited the bodhi update request with a new build, ltrace-0.6.0-7.fc17
Comment 7 Niels de Vos 2012-04-11 09:36:17 EDT
Old behaviour:
[root@f17-20120406 tmp]# rpm -q ltrace
ltrace-0.6.0-4.fc17.x86_64
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
PTRACE_SETOPTIONS: No such process
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied

New behaviour:
[root@f17-20120406 tmp]# rpm -Uvh ltrace-0.6.0-7.fc17.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:ltrace                 ########################################### [100%]
[root@f17-20120406 tmp]# ltrace /usr/bin/id
PTRACE_TRACEME: Permission denied
The SELinux boolean 'deny_ptrace' is enabled, which may prevent ltrace from
tracing other processes.  You can disable this process attach protection by
issuing 'setsebool deny_ptrace=0' in the superuser context.
I consistently fail to read a word from the freshly launched process.
I'll now try to proceed with tracing, but this shouldn't be happening.
PTRACE_SETOPTIONS: No such process
+++ exited (status 1) +++
[root@f17-20120406 tmp]# ltrace -p $(pidof systemd)
Cannot attach to pid 1: Permission denied
The SELinux boolean 'deny_ptrace' is enabled, which may prevent ltrace from
tracing other processes.  You can disable this process attach protection by
issuing 'setsebool deny_ptrace=0' in the superuser context.


Thanks again!
Comment 8 Fedora Update System 2012-05-03 15:16:22 EDT
ltrace-0.6.0-11.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ltrace-0.6.0-11.fc17
Comment 9 Fedora Update System 2012-05-26 03:16:04 EDT
ltrace-0.6.0-11.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
