On Mar 11, 2011, at 11:03 AM, Dominick Grift wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/11/2011 04:57 PM, Maria Iano wrote:
>> I'm getting a denial that audit2why says is due to constraints.
>> Sesearch does show that the action has an allow rule.
>>
>> Here are the audit messages:
>>
>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>> avc: denied { sigkill } for pid=22927 comm="kill"
>> scontext=system_u:system_r:rgmanager_t:s0
>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>
>> host=eng-vocngcn03.eng.gci type=SYSCALL
>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62
>> success=yes
>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>
>> Here is the result of running sesearch on that same server:
>>
>> [root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t
>> unconfined_t -
>> c process -p sigkill
>> Found 1 av rules:
>> allow rgmanager_t unconfined_t : process { sigchld sigkill };
>>
>> Here is what audit2why says:
>>
>> [root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC
>> msg=audit(1299844473.770:740848): avc: denied { sigkill } for
>> pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0
>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>> tclass=process'
>> | audit2why
>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>> avc: denied { sigkill } for pid=22927 comm="kill"
>> scontext=system_u:system_r:rgmanager_t:s0
>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>> Was caused by:
>> Constraint violation.
>> Check policy/constraints.
>> Typically, you just need to add a type attribute to
>> the domain to satisfy the constraint.
>>
>> This is a RHEL 5.5 server and it doesn't have the policy source and I
>> don't see an rpm available with that. I can't find a constraints
>> file,
>> and I assume that's because it doesn't have the source. I'm trying to
>> work out how to add the necessary type attribute to the domain. I do
>> have a custom policy on the system. It's very long so I'll include
>> the
>> relevant pieces:
>>
>> require {
>> type rgmanager_t;
>> type unconfined_t;
>> class process { sigkill signal };
>> ...<snip>...
>> }
>>
>> allow rgmanager_t unconfined_t:process sigkill;
>> ...<snip>...
>>
>> Is there something I can add to my policy to resolve the constraints
>> issue?
>
> What is that process running in the unconfined_t domain?
> What is your distro?
> Looks to be an mcs constrained.
>
It looks as though what is happening is that some code (from a vendor)
logs in over ssh and that ssh session has context unconfined_t. The
sigkill avc messages fall on the heels of the ssh session logging out.
I don't know what that code does while it's logged in. I have
forwarded a request to find that out on to someone who is in a
position to contact the vendor and ask. I haven't heard back yet.
Thanks,
Maria
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
