#24 fuser cannot stat() fd directory with SElinux

[Anonymous]

Hi..

On Fedora 5 with SElinux, typing 'fuser /some/file' gives a screen-full of error messages:

...
Cannot stat file /proc/27571/fd/10: Permission denied
Cannot stat file /proc/27590/fd/0: Permission denied
Cannot stat file /proc/27590/fd/1: Permission denied
Cannot stat file /proc/27590/fd/2: Permission denied
Cannot stat file /proc/27590/fd/3: Permission denied
Cannot stat file /proc/27590/fd/4: Permission denied
Cannot stat file /proc/27590/fd/5: Permission denied
Cannot stat file /proc/31521/fd/0: Permission denied
Cannot stat file /proc/31521/fd/1: Permission denied
...

followed by the normal (correct?) output.

If I type 'setenforce 0', the error messages go away.

My usual solution (using audit2allow) isn't helping, as there are no messages showing up in /var/log/audit/audit.log relating to this.

Thanks!

kernel-[0]-pkts.ca

[Craig Small]

Logged In: YES
user_id=21630
Originator: NO

Hello,
Can you tell me if you should be able to stat this file? In other words is the process fuser is stat()ing files for a process you own? In your example the process ID is 27571 and 27590.

Can you re-run fuser on something and then type
ls -l /proc/<pid>/fd
So for your previous example it would be
ls -l /proc/27571/fd

Thanks,
Craig

[Craig Small]

The problem is that your setup is permitting an opendir() on the /proc/<pid>/fd directory but it doesn't permit a stat() on any of the files within that directory.

You need to decide, through SElinux policy, if at first a user should have access to these files and then depending on what your decision is:
a) Deny opendir() access to /proc/<PID>/fd
or
b) Allow stat() access to /proc/<PID>/fd/*

Case (a) is what happens if a normal user tries to look at another users process
Case (b) is for your own process

What was happening with your setup was a strange blend of the two and fuser was rightly confused.