-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/11/2011 04:57 PM, Maria Iano wrote:
> I'm getting a denial that audit2why says is due to constraints.
> Sesearch does show that the action has an allow rule.
>
> Here are the audit messages:
>
> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
> avc: denied { sigkill } for pid=22927 comm="kill"
> scontext=system_u:system_r:rgmanager_t:s0
> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> host=eng-vocngcn03.eng.gci type=SYSCALL
> msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes
> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>
> Here is the result of running sesearch on that same server:
>
> [root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -
> c process -p sigkill
> Found 1 av rules:
> allow rgmanager_t unconfined_t : process { sigchld sigkill };
looks likke some proces running in the rgmanager domain ran a executable
file that was labelled unconfined_exec_t and the rgmanager_t domain
transitioned to unconfined_t. However i cannot find a rule allowing this
transition in short notice.
So how it managed to transition to unconfined_t is beyond me. Have you
implemented custom policy?
> Here is what audit2why says:
>
> [root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC
> msg=audit(1299844473.770:740848): avc: denied { sigkill } for
> pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0
> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
> | audit2why
> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
> avc: denied { sigkill } for pid=22927 comm="kill"
> scontext=system_u:system_r:rgmanager_t:s0
> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> Was caused by:
> Constraint violation.
> Check policy/constraints.
> Typically, you just need to add a type attribute to
> the domain to satisfy the constraint.
>
> This is a RHEL 5.5 server and it doesn't have the policy source and I
> don't see an rpm available with that. I can't find a constraints file,
> and I assume that's because it doesn't have the source. I'm trying to
> work out how to add the necessary type attribute to the domain. I do
> have a custom policy on the system. It's very long so I'll include the
> relevant pieces:
>
> require {
> type rgmanager_t;
> type unconfined_t;
> class process { sigkill signal };
> ...<snip>...
> }
>
> allow rgmanager_t unconfined_t:process sigkill;
> ...<snip>...
>
> Is there something I can add to my policy to resolve the constraints
> issue?
>
> Thanks,
> Maria
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk16SWEACgkQMlxVo39jgT/W+QCgumRgi0jTX276zKg68Us3rOa5
CfIAoL5VntJvCBSvy0U7M0UOjeLsxua/
=bYn5
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
