help adding a type attribute to a domain

Maria Iano <maria@xxxxxxxx> · Fri, 11 Mar 2011 10:57:30 -0500

I'm getting a denial that audit2why says is due to constraints.  
Sesearch does show that the action has an allow rule.

Here are the audit messages:

host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):  
avc:  denied  { sigkill } for  pid=22927 comm="kill"  
scontext=system_u:system_r:rgmanager_t:s0  
tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=eng-vocngcn03.eng.gci type=SYSCALL  
msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes  
exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927  
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0  
fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"  
subj=system_u:system_r:rgmanager_t:s0 key=(null)

Here is the result of running sesearch on that same server:

[root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t - 
c process -p sigkill
Found 1 av rules:
    allow rgmanager_t unconfined_t : process { sigchld sigkill };

Here is what audit2why says:

[root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC  
msg=audit(1299844473.770:740848): avc:  denied  { sigkill } for   
pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0  
tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'  
| audit2why
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):  
avc:  denied  { sigkill } for  pid=22927 comm="kill"  
scontext=system_u:system_r:rgmanager_t:s0  
tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
         Was caused by:
                 Constraint violation.
                 Check policy/constraints.
                 Typically, you just need to add a type attribute to  
the domain to satisfy the constraint.

This is a RHEL 5.5 server and it doesn't have the policy source and I  
don't see an rpm available with that. I can't find a constraints file,  
and I assume that's because it doesn't have the source. I'm trying to  
work out how to add the necessary type attribute to the domain. I do  
have a custom policy on the system. It's very long so I'll include the  
relevant pieces:

require {
         type rgmanager_t;
         type unconfined_t;
         class process { sigkill signal };
...<snip>...
}

allow rgmanager_t unconfined_t:process sigkill;
...<snip>...

Is there something I can add to my policy to resolve the constraints  
issue?

Thanks,
Maria
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux