SELinux and /proc

Ron Yorston rmy at tigress.co.uk
Mon Mar 6 11:59:39 UTC 2006


Testing FC5T3 the other week I wanted to find the arguments that
gdm had used when it started Xnest, so I ran:

   ps ax | grep Xnest

This didn't produce the expected response.  On further investigation
I found that several processes weren't being listed by 'ps ax' when
run as an ordinary user but were when run as root.  Running ps under
strace showed that it was failing to open files in /proc.  This was
clearly an SELinux issue, as rebooting with enforcing=0 made the
problem go away.

I raised this in bugzilla:

   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183387

but the report has been closed as NOTABUG with the response:

   This is intended behaviour and part of SELinux with MCS policy.

I'd like this to be reconsidered.  I don't think that the targeted
policy should break such long-standing Unix conventions as the
behaviour of 'ps ax'.  It's perfectly obvious to a user when they're
running an X server, so having ps or top pretend that they're not
doesn't seem very helpful.

Ron
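
An added check, not part of Ron's message, that reproduces the symptom he describes: it walks a proc tree the way ps does, opening each numbered entry's stat file, and reports the PIDs that are present but cannot be read by the current user. It assumes a Linux-style /proc layout; the directory argument is there so it can also be run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original message): classify the numbered
# entries of a proc tree by whether their stat file can be opened. ps
# silently drops entries it cannot read, so under a restrictive SELinux
# policy "ps ax" looks incomplete although the process is running.
# Assumes a Linux-style /proc layout; $1 overrides the directory.

# Print "visible <pid>" or "hidden <pid>" for each numbered entry in $1.
classify_pids() {
    procdir="${1:-/proc}"
    for d in "$procdir"/[0-9]*; do
        [ -d "$d" ] || continue
        # Opening the stat file is what ps does for every process.
        if cat "$d/stat" >/dev/null 2>&1; then
            echo "visible ${d##*/}"
        else
            echo "hidden ${d##*/}"
        fi
    done
}

# PIDs whose stat file opened successfully (what ps would list).
visible_pids() { classify_pids "$1" | awk '$1 == "visible" { print $2 }'; }

# PIDs that exist as directories but whose stat file is unreadable.
hidden_pids() { classify_pids "$1" | awk '$1 == "hidden" { print $2 }'; }

# One-line summary: counts plus the SELinux mode when getenforce exists.
# A non-zero hidden count while Enforcing points at policy; the confirming
# test, as in the message, is whether the count drops with enforcing=0.
proc_summary() {
    procdir="${1:-/proc}"
    visible=0; hidden=0
    for p in $(visible_pids "$procdir"); do visible=$((visible + 1)); done
    for p in $(hidden_pids "$procdir"); do hidden=$((hidden + 1)); done
    mode=unknown
    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce 2>/dev/null || echo unknown)
    fi
    echo "visible=$visible hidden=$hidden selinux=$mode"
}

# Run against the live /proc when invoked as: sh proc_visibility.sh --run
if [ "${1:-}" = "--run" ]; then
    proc_summary
    hidden_pids | sed 's/^/hidden pid: /'
fi
```

Comparing the hidden list against what root sees (or against the AVC denials in the audit log) shows whether the missing processes are the ones the policy withholds.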