On 18/07/08 14:54, Christopher J. PeBenito wrote:
> On Wed, 2008-06-25 at 17:31 +0100, Martin Orr wrote:
>> Some dpkg maintainer scripts run pidof, which needs the sys_ptrace capability.
>>
>> Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc: denied {
>> sys_ptrace } for pid=4214 comm="pidof" capability=19
>> scontext=system_u:system_r:dpkg_script_t:s0
>> tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability
>
> Seems odd, since the ptrace process permission is not allowed. Does it
> work without this in enforcing?
It comes from trying to stat /proc/*/exe - proc_pid_readlink always checks
ptrace access. It would indeed be strange if pidof really wanted to ptrace
anything.
Best wishes,
--
Martin Orr
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
