Hmmmm...... The permission on /proc/self/mem is 0600 with the owner being the process username and its group.

In checking CentOS 6.8 and 7.2 and Fedora 24, all with current patching, I find that I cannot read /proc/self/mem by either the owner (me) or root for any process. But interestingly I can write to it but do not understand the ramifications of that action.

I am running targeted / enforcing SELinux on all three but I see no avc problems in the audit.log for the read.

I am wondering what the use case for writing to /proc/self/mem is?

Michael D. Parker
General Atomics - EMS
Michael.d.parker@xxxxxx

-----Original Message-----
From: Selinux [mailto:selinux-bounces@xxxxxxxxxxxxx] On Behalf Of Daniel J Walsh
Sent: Monday, August 08, 2016 10:42 AM
To: SELinux <selinux@xxxxxxxxxxxxx>
Subject: --EXTERNAL--Any way to label /proc/self/mem with a different type then the process type.

I have been requested by some container people to make this only readable not writable to prevent certain types of attacks on the kernel.

No idea if this is a good idea or not.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
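
The read behaviour discussed in the thread above, as an added example that is not part of either message: a read of /proc/self/mem at offset 0 fails with EIO because nothing is mapped there, which is a memory-access error rather than a DAC or SELinux denial, while a read at a mapped address succeeds. It assumes a Linux kernel that lets a process open its own /proc/self/mem for reading; the function names and the sample bytes are constructed for illustration.

```python
import ctypes
import errno
import os

MEM = "/proc/self/mem"  # this process's own address space, addressed by file offset
SAMPLE = b"constructed sample bytes"  # constructed test data, not from the thread


def read_at(fd, addr, length):
    """Return (data, None) on success or (None, errno name) on failure."""
    try:
        return os.pread(fd, length, addr), None
    except OSError as exc:
        return None, errno.errorcode.get(exc.errno, str(exc.errno))


def mapped_ranges():
    """Parse /proc/self/maps into (start, end, perms) tuples."""
    ranges = []
    with open("/proc/self/maps") as maps:
        for line in maps:
            span, perms = line.split()[:2]
            start, end = (int(x, 16) for x in span.split("-"))
            ranges.append((start, end, perms))
    return ranges


def demo():
    buf = ctypes.create_string_buffer(SAMPLE)  # known bytes at a known address
    addr = ctypes.addressof(buf)
    fd = os.open(MEM, os.O_RDONLY)
    try:
        # Offset 0 is not mapped in a normal process, so this read fails in
        # the kernel's memory-access path, not in a permission check.
        _, err_zero = read_at(fd, 0, 16)
        # The same descriptor reads fine at an address that is mapped.
        data, err_buf = read_at(fd, addr, len(SAMPLE))
    finally:
        os.close(fd)
    in_map = any(s <= addr < e and "r" in p for s, e, p in mapped_ranges())
    return {"offset_zero_error": err_zero, "buffer_error": err_buf,
            "buffer_data": data, "buffer_is_mapped": in_map}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A sequential reader such as cat starts at offset 0, so it hits the unmapped case; a permission denial would surface as EACCES instead.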