On 03/11/2011 05:22 PM, Maria Iano wrote:
>
> On Mar 11, 2011, at 11:03 AM, Dominick Grift wrote:
>
>> On 03/11/2011 04:57 PM, Maria Iano wrote:
>>> I'm getting a denial that audit2why says is due to constraints.
>>> Sesearch does show that the action has an allow rule.
>>>
>>> Here are the audit messages:
>>>
>>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>>> avc: denied { sigkill } for pid=22927 comm="kill"
>>> scontext=system_u:system_r:rgmanager_t:s0
>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>>
>>> host=eng-vocngcn03.eng.gci type=SYSCALL
>>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62
>>> success=yes exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>>
>>> Here is the result of running sesearch on that same server:
>>>
>>> [root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -c process -p sigkill
>>> Found 1 av rules:
>>> allow rgmanager_t unconfined_t : process { sigchld sigkill };
>>>
>>> Here is what audit2why says:
>>>
>>> [root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process' | audit2why
>>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>>> avc: denied { sigkill } for pid=22927 comm="kill"
>>> scontext=system_u:system_r:rgmanager_t:s0
>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>> Was caused by:
>>> Constraint violation.
>>> Check policy/constraints.
>>> Typically, you just need to add a type attribute to
>>> the domain to satisfy the constraint.
>>>
>>> This is a RHEL 5.5 server and it doesn't have the policy source and I
>>> don't see an rpm available with that. I can't find a constraints file,
>>> and I assume that's because it doesn't have the source. I'm trying to
>>> work out how to add the necessary type attribute to the domain. I do
>>> have a custom policy on the system. It's very long so I'll include the
>>> relevant pieces:
>>>
>>> require {
>>>     type rgmanager_t;
>>>     type unconfined_t;
>>>     class process { sigkill signal };
>>>     ...<snip>...
>>> }
>>>
>>> allow rgmanager_t unconfined_t:process sigkill;
>>> ...<snip>...
>>>
>>> Is there something I can add to my policy to resolve the constraints
>>> issue?
>>
>> What is that process running in the unconfined_t domain?
>> What is your distro?
>> Looks to be an MCS constraint.
>>
>
> It looks as though what is happening is that some code (from a vendor)
> logs in over ssh and that ssh session has context unconfined_t. The
> sigkill avc messages fall on the heels of the ssh session logging out.
> I don't know what that code does while it's logged in. I have
> forwarded a request to find that out on to someone who is in a
> position to contact the vendor and ask. I haven't heard back yet.

I suspect you are running some third-party application that was eventually started by rgmanager. The fix in my view would probably be to confine whatever application that is and to run it at s0-s0:c0.c1023 instead of s0. What application is it?
> Thanks,
> Maria
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
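The reason an allow rule is present yet the sigkill is still denied is visible in the two contexts of the AVC record: the sender runs at the bare level s0, while the target's high level is s0:c0.c1023. MCS adds a constraint on top of the type-enforcement rules, so sesearch finding `allow rgmanager_t unconfined_t : process { sigchld sigkill }` is not enough. The following script is an added example (not code from the thread or from the SELinux tools) that parses the AVC line, parses both contexts into sensitivity plus category sets, and applies the dominance check. It assumes the reference-policy MCS rule for process signals, `h1 dom h2` (the sender's high level must dominate the receiver's), and the `MCS_SIGNAL_PERMS` set is an assumption about which permissions that rule covers; the constraints compiled into a given policy are authoritative.

```python
"""Decide whether an AVC denial on class 'process' is explained by the MCS
range constraint rather than by a missing allow rule.

Added example, not part of the mailing-list thread.  Assumes the reference
policy MCS rule for process signals: the sender's high level (h1) must
dominate the receiver's high level (h2).  The sample AVC line is the one
quoted in the thread."""
import re

# The AVC record from the thread, joined onto one line.
AVC_LINE = (
    'host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): '
    'avc: denied { sigkill } for pid=22927 comm="kill" '
    'scontext=system_u:system_r:rgmanager_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
)

# Assumption: process permissions that the MCS 'h1 dom h2' rule guards.
MCS_SIGNAL_PERMS = {'sigkill', 'sigstop', 'sigchld', 'signal', 'ptrace'}


def parse_avc(line):
    """Extract permissions, source/target contexts and object class from an AVC line."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r'\{ ([^}]*) \}', line).group(1).split()
    return {
        'perms': perms,
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def parse_level(level):
    """'s0:c0.c1023' -> (0, frozenset({0..1023})); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(':')
    catset = set()
    for item in cats.split(',') if cats else []:
        lo, _, hi = item.partition('.')      # 'c3.c5' is the range c3..c5
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        catset.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(catset)


def parse_context(ctx):
    """Split user:role:type:range and parse the low and high levels of the range."""
    user, role, type_, mls_range = ctx.split(':', 3)
    low, _, high = mls_range.partition('-')
    if not high:
        high = low                           # a single level 's0' means s0-s0
    return {'user': user, 'role': role, 'type': type_,
            'low': parse_level(low), 'high': parse_level(high)}


def dominates(a, b):
    """Level a dominates b when its sensitivity is >= and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def check_mcs(line):
    """Return (allowed, explanation) for the MCS constraint on a process AVC record."""
    avc = parse_avc(line)
    src, tgt = parse_context(avc['scontext']), parse_context(avc['tcontext'])
    if avc['tclass'] != 'process' or not set(avc['perms']) & MCS_SIGNAL_PERMS:
        return True, 'no MCS signal constraint applies to this class/permission'
    if dominates(src['high'], tgt['high']):
        return True, 'source high level dominates target high level'
    missing = len(tgt['high'][1] - src['high'][1])
    src_range = avc['scontext'].split(':', 3)[3]
    return False, ('source range %s lacks %d categories held by the target; '
                   'an allow rule cannot override this, the source domain must '
                   'run at a range that covers the target' % (src_range, missing))


if __name__ == '__main__':
    print(check_mcs(AVC_LINE))
    # The change proposed in the thread: run the sender at s0-s0:c0.c1023.
    fixed = AVC_LINE.replace('rgmanager_t:s0 ', 'rgmanager_t:s0-s0:c0.c1023 ')
    print(check_mcs(fixed))
```

Running it on the thread's record reports the denial as a range problem (s0 holds none of the 1024 categories the unconfined_t session has), and the same record with the sender at s0-s0:c0.c1023 passes, which is why the advice is to change the range the application runs at rather than to add more allow rules.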