-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/11/2011 06:33 PM, Dominick Grift wrote:
> On 03/11/2011 06:30 PM, Maria Iano wrote:
>
>> On Mar 11, 2011, at 11:52 AM, Daniel J Walsh wrote:
>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 03/11/2011 11:48 AM, Dominick Grift wrote:
>>>> On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
>>>>> On 03/11/2011 10:57 AM, Maria Iano wrote:
>>>>>> I'm getting a denial that audit2why says is due to constraints.
>>>>>> Sesearch does show that the action has an allow rule.
>>>>
>>>>>> Here are the audit messages:
>>>>
>>>>>> host=eng-vocngcn03.eng.gci type=AVC
>>>>>> msg=audit(1299844473.770:740848):
>>>>>> avc: denied { sigkill } for pid=22927 comm="kill"
>>>>>> scontext=system_u:system_r:rgmanager_t:s0
>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>>>>>> tclass=process
>>>>
>>>>>> host=eng-vocngcn03.eng.gci type=SYSCALL
>>>>>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62
>>>>>> success=yes
>>>>>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>>>>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>>>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>>>>>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>>>
>>>>> You have rgmanager sending a kill signal to a process running as
>>>>> unconfined_t
>>>>
>>>> There is no proof that its rgmanager doing that imho. Since
>>>> rgmanager_t
>>>> is an unconfined_domain it could be any generic application started
>>>> by a
>>>> process running in the rgmanager_t domain (eventually started by
>>>> rgmanager)
>>>>
>>>>> I would bet this process is running with the wrong domain. I don't
>>>>> think you want rgmanager_t sending kill signals to user processes.
>>>>
>>>>> What process was it trying to kill?
>>>>>> Here is the result of running sesearch on that same server:
>>>>
>>>>>> [root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t
>>>>>> unconfined_t -
>>>>>> c process -p sigkill
>>>>>> Found 1 av rules:
>>>>>> allow rgmanager_t unconfined_t : process { sigchld sigkill };
>>>>
>>>>>> Here is what audit2why says:
>>>>
>>>>>> [root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC
>>>>>> msg=audit(1299844473.770:740848): avc: denied { sigkill } for
>>>>>> pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0
>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>>>>>> tclass=process'
>>>>>> | audit2why
>>>>>> host=eng-vocngcn03.eng.gci type=AVC
>>>>>> msg=audit(1299844473.770:740848):
>>>>>> avc: denied { sigkill } for pid=22927 comm="kill"
>>>>>> scontext=system_u:system_r:rgmanager_t:s0
>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>>>>>> tclass=process
>>>>>> Was caused by:
>>>>>> Constraint violation.
>>>>>> Check policy/constraints.
>>>>>> Typically, you just need to add a type attribute to
>>>>>> the domain to satisfy the constraint.
>>>>
>>>>>> This is a RHEL 5.5 server and it doesn't have the policy source
>>>>>> and I
>>>>>> don't see an rpm available with that. I can't find a constraints
>>>>>> file,
>>>>>> and I assume that's because it doesn't have the source. I'm
>>>>>> trying to
>>>>>> work out how to add the necessary type attribute to the domain. I
>>>>>> do
>>>>>> have a custom policy on the system. It's very long so I'll
>>>>>> include the
>>>>>> relevant pieces:
>>>>
>>>>>> require {
>>>>>> type rgmanager_t;
>>>>>> type unconfined_t;
>>>>>> class process { sigkill signal };
>>>>>> ..<snip>...
>>>>>> }
>>>>
>>>>>> allow rgmanager_t unconfined_t:process sigkill;
>>>>>> ..<snip>...
>>>>
>>>>>> Is there something I can add to my policy to resolve the
>>>>>> constraints
>>>>>> issue?
>>>>
>>>>>> Thanks,
>>>>>> Maria
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>>>
>>>
>>> Right although unconifned_t:s0-s0:c0.c1023 is almost assured a
>>> logged in
>>> user. It could have been a shell secript started via a remove ssh
>>> call
>>>
>>> If an init script had started an unconfined_exec_t executable it would
>>> probably run as s0.
>>>
>>> To solve the constraint you would need to add
>>>
>>> `mcs_killall(rgmanager_t)
>>>
>
>> Where do I add that line? I tried adding it to my te file but got an
>> error.
>
>> [root@eng-vocdeviodb01 ~]# /usr/bin/checkmodule -M -m -o /root/
>> ngiodb.mod /root/ngiodb.te
>> /usr/bin/checkmodule: loading policy configuration from /root/ngiodb.te
>> (unknown source)::ERROR 'syntax error' at token 'mcs_killall' on line
>> 111:
>> allow rgmanager_t unconfined_t:process sigkill;
>> mcs_killall(rgmanager_t);
>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>
>
> mcs_killall(rgmanager_t) (without the `)
>
> But try my solution first because this solution does not deal with the
> other sigchld issue.
actually now that i come to think of it this mcs_killall() may be your
best solution after all.
I could not confirm that rgmanager_t:s0 needs to sigchld
unconfined_t:s0-s0:c0.c1023 process. that was just a guess...
Still i would also try my solution in case it does need to send a child
died signal to unconfined_t:s0-s0:c0.1023
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk16XeIACgkQMlxVo39jgT+BugCg1VMBzFkbKnTgdWQ24krxtd4F
vc0AnjfdTzT0d1ld44z6mLVx5vLl0+X5
=tCug
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
