-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/11/2011 05:56 PM, Dominick Grift wrote:
> On 03/11/2011 05:54 PM, Dominick Grift wrote:
>> On 03/11/2011 05:52 PM, Daniel J Walsh wrote:
>>> On 03/11/2011 11:48 AM, Dominick Grift wrote:
>>>> On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
>>>>> On 03/11/2011 10:57 AM, Maria Iano wrote:
>>>>>> I'm getting a denial that audit2why says is due to constraints.
>>>>>> Sesearch does show that the action has an allow rule.
>
>>>>>> Here are the audit messages:
>
>>>>>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>>>>>> avc: denied { sigkill } for pid=22927 comm="kill"
>>>>>> scontext=system_u:system_r:rgmanager_t:s0
>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
>>>>>> host=eng-vocngcn03.eng.gci type=SYSCALL
>>>>>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes
>>>>>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>>>>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>>>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>>>>>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>
>>>>> You have rgmanager sending a kill signal to a process running as
>>>>> unconfined_t
>
>>>> There is no proof that its rgmanager doing that imho. Since rgmanager_t
>>>> is an unconfined_domain it could be any generic application started by a
>>>> process running in the rgmanager_t domain (eventually started by rgmanager)
>
>>>>> I would bet this process is running with the wrong domain. I don't
>>>>> think you want rgmanager_t sending kill signals to user processes.
>
>>>>> What process was it trying to kill?
>>>>>> Here is the result of running sesearch on that same server:
>
>>>>>> [root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -
>>>>>> c process -p sigkill
>>>>>> Found 1 av rules:
>>>>>> allow rgmanager_t unconfined_t : process { sigchld sigkill };
>
>>>>>> Here is what audit2why says:
>
>>>>>> [root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC
>>>>>> msg=audit(1299844473.770:740848): avc: denied { sigkill } for
>>>>>> pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0
>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
>>>>>> | audit2why
>>>>>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>>>>>> avc: denied { sigkill } for pid=22927 comm="kill"
>>>>>> scontext=system_u:system_r:rgmanager_t:s0
>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>>>>> Was caused by:
>>>>>> Constraint violation.
>>>>>> Check policy/constraints.
>>>>>> Typically, you just need to add a type attribute to
>>>>>> the domain to satisfy the constraint.
>
>>>>>> This is a RHEL 5.5 server and it doesn't have the policy source and I
>>>>>> don't see an rpm available with that. I can't find a constraints file,
>>>>>> and I assume that's because it doesn't have the source. I'm trying to
>>>>>> work out how to add the necessary type attribute to the domain. I do
>>>>>> have a custom policy on the system. It's very long so I'll include the
>>>>>> relevant pieces:
>
>>>>>> require {
>>>>>> type rgmanager_t;
>>>>>> type unconfined_t;
>>>>>> class process { sigkill signal };
>>>>>> ..<snip>...
>>>>>> }
>
>>>>>> allow rgmanager_t unconfined_t:process sigkill;
>>>>>> ..<snip>...
>
>>>>>> Is there something I can add to my policy to resolve the constraints
>>>>>> issue?
>
>>>>>> Thanks,
>>>>>> Maria
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
>
>>> Right although unconifned_t:s0-s0:c0.c1023 is almost assured a logged in
>>> user. It could have been a shell secript started via a remove ssh call
>
>>> If an init script had started an unconfined_exec_t executable it would
>>> probably run as s0.
>
>>> To solve the constraint you would need to add
>
>>> `mcs_killall(rgmanager_t)
>
>> Nope its started by that script (note the sigchld as well)
>> There is no way to deal with that constraint unless you allow
>> rgmanager_t to run the script with a domain plus range transition.
either that or run rgmanager_t on s0 - mcs_systemhigh
>
> rgmanager -> ... -> "the script" -> ssh login
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk16VVYACgkQMlxVo39jgT+djACfYHxVqkbFQclrHaxJ+Yfnoyi8
ZCoAn3Q2Uvw0SmRf9KUlulojgQsu1Qo3
=g32m
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
