Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 444962

Summary: ~amd64/selinux-9999 htop using getsched on firefox (mozilla_t)
Product: Gentoo Linux Reporter: Amadeusz Sławiński <amade>
Component: SELinuxAssignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED    
Severity: normal CC: selinux
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: sec-policy r9
Package list:
Runtime testing required: ---

Description Amadeusz Sławiński 2012-11-27 17:48:08 UTC 
I've got more than 300 of them since boot (since they seem to happen in groups):
Nov 27 11:28:15 lain kernel: [ 4469.036566] type=1400 audit(1354012095.736:973): avc:  denied  { getsched } for  pid=4048 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process

all logs from htop

Enforcing:
Nov 27 18:45:29 lain kernel: [30651.241360] type=1400 audit(1354038329.911:5052): avc:  denied  { getsched } for  pid=14930 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Nov 27 18:45:29 lain kernel: [30651.241475] type=1400 audit(1354038329.911:5053): avc:  denied  { getsched } for  pid=14930 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Nov 27 18:45:29 lain kernel: [30651.241584] type=1400 audit(1354038329.911:5054): avc:  denied  { getsched } for  pid=14930 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Nov 27 18:45:29 lain kernel: [30651.241691] type=1400 audit(1354038329.911:5055): avc:  denied  { getsched } for  pid=14930 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Nov 27 18:45:29 lain kernel: [30651.241798] type=1400 audit(1354038329.911:5056): avc:  denied  { getsched } for  pid=14930 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Nov 27 18:45:29 lain kernel: [30651.241904] type=1400 audit(1354038329.911:5057): avc:  denied  { getsched } for  pid=14930 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Nov 27 18:45:29 lain kernel: [30651.242011] type=1400 audit(1354038329.911:5058): avc:  denied  { getsched } for  pid=14930 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Nov 27 18:45:29 lain kernel: [30651.242138] type=1400 audit(1354038329.912:5059): avc:  denied  { getsched } for  pid=14930 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Nov 27 18:45:29 lain kernel: [30651.242265] type=1400 audit(1354038329.912:5060): avc:  denied  { getsched } for  pid=14930 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process

Permissive:
Nov 27 18:44:36 lain kernel: [30598.357445] type=1400 audit(1354038276.922:5045): avc:  denied  { getsched } for  pid=14891 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Nov 27 18:44:36 lain kernel: [30598.364815] type=1400 audit(1354038276.929:5046): avc:  denied  { getsched } for  pid=14891 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mutt_t tclass=process
Nov 27 18:44:36 lain kernel: [30598.364987] type=1400 audit(1354038276.929:5047): avc:  denied  { read } for  pid=14891 comm="htop" name="task" dev="proc" ino=3054784 scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_plugin_t tclass=dir
Nov 27 18:44:36 lain kernel: [30598.364997] type=1400 audit(1354038276.929:5048): avc:  denied  { open } for  pid=14891 comm="htop" path="/proc/14575/task" dev="proc" ino=3054784 scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_plugin_t tclass=dir
Nov 27 18:44:36 lain kernel: [30598.365034] type=1400 audit(1354038276.929:5049): avc:  denied  { getattr } for  pid=14891 comm="htop" path="/proc/14575/task/14579/statm" dev="proc" ino=3054792 scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_plugin_t tclass=file
Nov 27 18:44:36 lain kernel: [30598.365163] type=1400 audit(1354038276.930:5050): avc:  denied  { getsched } for  pid=14891 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_plugin_t tclass=process


Reproducible: Always




Portage 2.1.11.31 (hardened/linux/amd64/no-multilib/selinux, gcc-4.6.3, glibc-2.16.0, 3.6.7-hardened x86_64)
=================================================================
System uname: Linux-3.6.7-hardened-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.2
Timestamp of tree: Sun, 25 Nov 2012 22:00:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:          4.2_p39
dev-lang/python:          2.7.3-r2, 3.2.3-r1
dev-util/cmake:           2.8.9-r1
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.5
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.5
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.16.0
Repositories: gentoo x11 hardened-dev my_local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3 PUEL skype-4.0.0.7-copyright google-talkplugin"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox selinux sesandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_GB pl"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/x11 /var/lib/layman/hardened-development /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acpi alsa amd64 bash-completion berkdb bzip2 cli cracklib crypt cups cxx dri dvd gdbm gif gpm hardened iconv icu ipv6 jpeg justify mmx mng modules mp3 mudflap ncurses nls nptl open_perms opengl openmp pam pax_kernel pcre png pppd readline selinux session sse sse2 sse4_1 sse4_2 ssl ssse3 tcpd tiff udev unicode urandom usb v4l vaapi vim-syntax wacom wifi xft xinerama xtpax zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_GB pl" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="x86_64 ppc" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Amadeusz Sławiński 2012-11-27 17:52:47 UTC 
One more thing, htop seems to run just fine, it's just filling up logs each time when I start it.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-07 18:10:47 UTC 
Yes, I also couldn't find a different behavior when allowing or denying it (also, it's just with the ~arch htop currently).

I've added in dontaudits for the user domains.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-07 18:10:58 UTC 
Is in repo, will be in rev 9
Comment 4 Amadeusz Sławiński 2012-12-09 10:46:59 UTC 
I'm still getting those with -9999

Dec  9 11:38:19 lain kernel: [ 2524.838821] type=1400 audit(1355049499.985:40477): avc:  denied  { getsched } for  pid=2365 comm="htop" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:mozilla_t tclass=process
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-09 13:42:39 UTC 
Did you rebuild selinux-base and selinux-base-policy?

And did you re-enable the dontaudits?
Comment 6 Amadeusz Sławiński 2012-12-09 14:03:36 UTC 
Ah dontaudit's... sorry for the noise
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-17 18:54:24 UTC 
r9 in hardened-dev overlay
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-21 20:53:23 UTC 
r9 in main repo, ~arch'ed
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-19 21:19:01 UTC 
Forgot to mention... stabilized a while ago ;)