1

I'm trying to run this simple program ls under strace and it wouldnt let me. Can you guys think of why this be the case?

[jeffjose@skipper ~]$ strace ls
strace: ptrace(PTRACE_TRACEME, ...): Permission denied

I'm on Fedora 17b, and my shell is tcsh. I can provide more info, if needed.

UPDATE: Christopher points out that there's a bug report on this. He also suggests me to tweak selinux or disable it. Is that the only way? What does this mean? What am I doing if I do that? Can someone elaborate and answer that? I'll chose that as the correct answer for my query. Thanks!

UPDATE2: I was doing some debugging using gdb and this came up again. Lucky for me, what needs to be done was clearly mentioned there. 

warning: the SELinux boolean 'deny_ptrace' is enabled, you can disable this process attach protection by: (gdb) shell sudo setsebool deny_ptrace=0

I was able to make strace run without any trouble. But what does this mean? What did I just do?

jeffjose
  • 121
  • 5
  • 1
    Googling 'ptrace(PTRACE_TRACEME, ...): Permission denied' found https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=786876 which specifically mentions Fedora 17. You should look at tweaking selinux, or disabling it. – becomingwisest Apr 30 '12 at 23:58
  • 1
    Hi @jeffjose, welcome to Serverfault. You will probably get better answers if you update your question to show that you did some research on your problem. If you research your question, and find a solution, please post it as an answer to your own question so that others may learn from your experience. – Stefan Lasiewski May 01 '12 at 00:20
  • Thanks Stefan. I did my bit of research, but didnt do an exact Google Search on the terms. Anyway, Christopher's answer helps, but not fully. I do not understand what's tweaking selinux or disabling it means. I'm still waiting for someone to answer me, even if that is 'Wont Fix, wait for the bug to be resolved'. Thanks for taking time out to reply. – jeffjose May 01 '12 at 13:17
  • I should also clarify that, I'm here to understand what's going on - not to simply fix this error and move on. I wanted to know what's going on here, why it is so in Fedora 17b etc etc. And this will serve as a good documentation for future references. - jeff – jeffjose May 01 '12 at 14:07

1 Answers1

3

SELINUX is (security enhanced linux ) for hardening servers, running it on your desktop is a little much.

However If you want to learn about selinux, a good method is to run it in permissive mode on your desktop machine.

I use a tool called setroubleshooter which sends me desktop notifications when one of selinux's policies has been violated. If the operation is legitimate, I can "generate a local policy module to allow this access"

For example today on my machine gnome3 violated selinux, but was not denied as I am in permissive mode. selinuxtroubleshooter provided this advice:

 You should report this as a bug.
 You can generate a local policy module to allow this access.
 Allow this access for now by executing:
 # grep gnome-session-c /var/log/audit/audit.log | audit2allow -M mypol
 # semodule -i mypol.pp

these two commands allow you to check and set SELINUX

  $ getenforce 
  Permissive

  $ setenforce 
  usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]

Have fun.

foocorpluser
  • 448
  • 3
  • 7