selinux January 2010 archive

Re: how to trace an avc denial

From: Michal Svoboda <michal.svoboda_at_nospam>
Date: Sat Jan 30 2010 - 21:32:22 GMT
To: selinux <selinux@tycho.nsa.gov>


Stefan Schulze Frielinghaus wrote:
> What I would like to do is find out if pidgin itself is
> accessing /proc/1/exe or if it is a library. A simple
> "grep -R '/proc/' ./pidgin-source" does not provide any helpful output.
> My guess is that it is a leaked file descriptor because if I start
> pidgin from a shell, then I do not have this problem (I have a rule for
> user terminals and so on).

Maybe when not started from a shell, '1' is the PPID of the process and for some wicked reason it wants to interact with its parent.

Also, grepping for 'proc' might not yield the desired result. It's likely that the app calls a library which in turn does the heavy lifting.

> Sometimes I use strace, e.g. to find out that a library is doing a call
> I'm interested in but this time strace does not help me. So any
> comments/suggestions are very welcomed.

strace/ltrace should almost universally help, though sometimes you need extra privileges to maintain a ptrace() over a process tree. When you're not starting from a shell, strace the 'launcher' program, i.e. the one that acts on the menu entry and/or hotkey you use to run it.

If the trace itself does not make the cause evident, it should at least help you narrow down the relevant parts of source code.

Michal Svoboda
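
As an added example (not part of the original message): one way to narrow down a trace taken with `strace -f -o trace.txt` on the launcher is to rebuild the process tree from the fork/clone and execve records and report which process touched `/proc/1/exe`, and through which chain of parents. The sample trace, PIDs and program names below are constructed for illustration.

```python
import re

# Constructed sample in the format of `strace -f -o trace.txt <launcher>`;
# PIDs, paths and program names are hypothetical, not taken from the thread.
SAMPLE = """\
4100 execve("/usr/bin/launcher", ["launcher"], 0x7ffc0 /* 30 vars */) = 0
4100 clone(child_stack=NULL, flags=CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f10) = 4101
4101 execve("/usr/bin/app", ["app"], 0x7ffc8 /* 30 vars */) = 0
4101 openat(AT_FDCWD, "/usr/lib/libhelper.so", O_RDONLY|O_CLOEXEC) = 3
4101 clone(child_stack=0x7f20, flags=CLONE_VM|CLONE_THREAD <unfinished ...>
4101 <... clone resumed>) = 4102
4102 readlink("/proc/1/exe", 0x7ffd0, 4096) = -1 EACCES (Permission denied)
4100 wait4(4101, NULL, 0, NULL) = 4101
"""

# "<pid> name(args" or "<pid> <... name resumed>rest"
LINE = re.compile(r'^(\d+)\s+(?:<\.\.\. (\w+) resumed>|(\w+)\()(.*)$')
RET = re.compile(r'\)\s+=\s+(-?\d+)(?:\s+(E\w+))?')
FORKS = {"clone", "clone3", "fork", "vfork"}

def find_accesses(trace, target="/proc/1/exe"):
    """Return every syscall naming `target`, with the caller's process lineage."""
    parent, image, hits = {}, {}, []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # signal and exit markers
        pid, name, rest = int(m.group(1)), m.group(2) or m.group(3), m.group(4)
        r = RET.search(rest)
        ret = int(r.group(1)) if r else None
        if name in FORKS and ret is not None and ret > 0:
            parent[ret] = pid
            image[ret] = image.get(pid)  # child inherits the parent's image
        elif name == "execve" and ret == 0 and '"' in rest:
            image[pid] = rest.split('"')[1]  # successful exec replaces the image
        elif f'"{target}"' in rest:
            chain, p = [], pid
            while p is not None:  # walk back to the traced root
                chain.append((p, image.get(p)))
                p = parent.get(p)
            hits.append({"pid": pid, "syscall": name,
                         "errno": r.group(2) if r else None, "chain": chain[::-1]})
    return hits

if __name__ == "__main__":
    for hit in find_accesses(SAMPLE):
        print(hit["syscall"], hit["errno"], " -> ".join(f"{p}:{i}" for p, i in hit["chain"]))
```

The PID reported for the hit can then be compared with the `pid=` and `comm=` fields of the AVC denial in the audit log.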
