Re: help adding a type attribute to a domain

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/11/2011 12:48 PM, Dominick Grift wrote:
> On 03/11/2011 06:37 PM, Dominick Grift wrote:
>> On 03/11/2011 06:33 PM, Dominick Grift wrote:
>>> On 03/11/2011 06:30 PM, Maria Iano wrote:
> 
>>>> On Mar 11, 2011, at 11:52 AM, Daniel J Walsh wrote:
> 
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> On 03/11/2011 11:48 AM, Dominick Grift wrote:
>>>>>> On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
>>>>>>> On 03/11/2011 10:57 AM, Maria Iano wrote:
>>>>>>>> I'm getting a denial that audit2why says is due to constraints.
>>>>>>>> Sesearch does show that the action has an allow rule.
>>>>>>
>>>>>>>> Here are the audit messages:
>>>>>>
>>>>>>>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>>>>>>>> avc:  denied  { sigkill } for  pid=22927 comm="kill"
>>>>>>>> scontext=system_u:system_r:rgmanager_t:s0
>>>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>>>>>
>>>>>>>> host=eng-vocngcn03.eng.gci type=SYSCALL msg=audit(1299844473.770:740848):
>>>>>>>> arch=c000003e syscall=62 success=yes exit=0 a0=19ba a1=9 a2=9 a3=0
>>>>>>>> items=0 ppid=20173 pid=22927 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill"
>>>>>>>> exe="/bin/kill" subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>>>>>
>>>>>>> You have rgmanager sending a kill signal to a process running as
>>>>>>> unconfined_t
>>>>>>
>>>>>> There is no proof that it's rgmanager doing that imho. Since rgmanager_t
>>>>>> is an unconfined_domain it could be any generic application started by a
>>>>>> process running in the rgmanager_t domain (eventually started by rgmanager)
>>>>>>
>>>>>>> I would bet this process is running with the wrong domain.  I don't
>>>>>>> think you want rgmanager_t sending kill signals to user processes.
>>>>>>
>>>>>>> What process was it trying to kill?
>>>>>>>> Here is the result of running sesearch on that same server:
>>>>>>
>>>>>>>> [root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -c process -p sigkill
>>>>>>>> Found 1 av rules:
>>>>>>>>    allow rgmanager_t unconfined_t : process { sigchld sigkill };
>>>>>>
>>>>>>>> Here is what audit2why says:
>>>>>>
>>>>>>>> [root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC
>>>>>>>> msg=audit(1299844473.770:740848): avc:  denied  { sigkill } for
>>>>>>>> pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0
>>>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
>>>>>>>> | audit2why
>>>>>>>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>>>>>>>> avc:  denied  { sigkill } for  pid=22927 comm="kill"
>>>>>>>> scontext=system_u:system_r:rgmanager_t:s0
>>>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>>>>>>>         Was caused by:
>>>>>>>>                 Constraint violation.
>>>>>>>>                 Check policy/constraints.
>>>>>>>>                 Typically, you just need to add a type attribute to
>>>>>>>> the domain to satisfy the constraint.
>>>>>>
>>>>>>>> This is a RHEL 5.5 server and it doesn't have the policy source and I
>>>>>>>> don't see an rpm available with that. I can't find a constraints file,
>>>>>>>> and I assume that's because it doesn't have the source. I'm trying to
>>>>>>>> work out how to add the necessary type attribute to the domain. I do
>>>>>>>> have a custom policy on the system. It's very long so I'll include the
>>>>>>>> relevant pieces:
>>>>>>
>>>>>>>> require {
>>>>>>>>         type rgmanager_t;
>>>>>>>>         type unconfined_t;
>>>>>>>>         class process { sigkill signal };
>>>>>>>> ..<snip>...
>>>>>>>> }
>>>>>>
>>>>>>>> allow rgmanager_t unconfined_t:process sigkill;
>>>>>>>> ..<snip>...
>>>>>>
>>>>>>>> Is there something I can add to my policy to resolve the constraints
>>>>>>>> issue?
>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Maria
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Right although unconfined_t:s0-s0:c0.c1023 is almost assured a logged in
>>>>> user.  It could have been a shell script started via a remote ssh call
>>>>>
>>>>> If an init script had started an unconfined_exec_t executable it would
>>>>> probably run as s0.
>>>>>
>>>>> To solve the constraint you would need to add
>>>>>
>>>>> `mcs_killall(rgmanager_t)
>>>>>
> 
>>>> Where do I add that line? I tried adding it to my te file but got an error.
> 
>>>> [root@eng-vocdeviodb01 ~]# /usr/bin/checkmodule -M -m -o /root/ngiodb.mod /root/ngiodb.te
>>>> /usr/bin/checkmodule:  loading policy configuration from /root/ngiodb.te
>>>> (unknown source)::ERROR 'syntax error' at token 'mcs_killall' on line 111:
>>>> allow rgmanager_t unconfined_t:process sigkill;
>>>> mcs_killall(rgmanager_t);
>>>> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> 
> 
>>> mcs_killall(rgmanager_t) (without the `)
> 
>>> But try my solution first because this solution does not deal with the
>>> other sigchld issue.
> 
>> actually now that i come to think of it this mcs_killall() may be your
>> best solution after all.
> 
>> I could not confirm that rgmanager_t:s0 needs to sigchld
>> unconfined_t:s0-s0:c0.c1023 process. that was just a guess...
> 
>> Still i would also try my solution in case it does need to send a child
>> died signal to unconfined_t:s0-s0:c0.1023
> 
> 
> Looks like dwalsh was right (mcs_killall(rgmanager_t) is the best solution).
> 
> rgmanager_t probably wanted to send sigchld to self (rgmanager_t)
> probably was the script it was running.
> 
> use mcs_killall(rgmanager_t) and ignore my solution of running rgmanager
> on s0 - mcs_systemhigh, it is too permissive.
> 
> 

The lack of :s0 indicates they are running on a RHEL5 box
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk16hc8ACgkQrlYvE4MpobM6GwCfa05qTI/S+Uh6BlKhTrIDvWcc
MHAAoLrRPmV71F7ByBe6ZtE7PVB6Myag
=AD0c
-----END PGP SIGNATURE-----
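The thread's diagnosis rests on one rule: in the reference policy's MCS constraints, a process may send sigkill or sigstop to another only if the sender's high level dominates the target's high level (same or higher sensitivity and a superset of its categories), or if the sender's type carries the mcskillall attribute, which is what the mcs_killall() interface assigns in a .te file. The following script, added here as an example and not code from the thread or from the policy, applies that rule to an AVC line so you can confirm a denial really is an MCS dominance problem before adding the attribute. The sample AVC is the one from the thread joined onto one line; the set of types assumed to carry mcskillall is supplied by the caller (the script does not read the loaded policy), and the field names and regexes are this example's own.

```python
"""Decide whether an SELinux AVC denial for a process signal is an MCS
category-dominance problem.  Added example; it encodes the reference
policy rule for process { sigkill sigstop }: sender high level must
dominate target high level, or sender type has the mcskillall attribute
(assigned by mcs_killall()).  The attribute set is the caller's assumption
about the loaded policy; nothing here reads the policy."""
import re
from dataclasses import dataclass

# Constructed sample: the AVC line from the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1299844473.770:740848): avc:  denied  { sigkill } '
    'for  pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
)

MCS_KILL_PERMS = {"sigkill", "sigstop"}   # perms under the mcskillall constraint
AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')


@dataclass(frozen=True)
class Level:
    sensitivity: int        # numeric part of sN
    categories: frozenset   # category numbers, expanded from cA.cB ranges

    def dominates(self, other):
        """h1 dom h2: same or higher sensitivity and a superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text):
    """Parse 's0', 's0:c0.c1023' or 's0:c0,c2.c4' into a Level."""
    sens, _, cats = text.partition(":")
    categories = set()
    if cats:
        for piece in cats.split(","):
            lo, _, hi = piece.partition(".")
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            categories.update(range(lo_n, hi_n + 1))
    return Level(int(sens[1:]), frozenset(categories))


def parse_context(ctx):
    """Split user:role:type[:low[-high]]; returns (type, low, high).

    A context with no MLS field (policy without MLS/MCS) is treated as s0.
    """
    parts = ctx.split(":", 3)
    typ = parts[2]
    mls = parts[3] if len(parts) == 4 else "s0"
    low, _, high = mls.partition("-")
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if high else low_lvl
    return typ, low_lvl, high_lvl


def parse_avc(line):
    """Extract key=value fields and the denied permission set from an AVC line."""
    fields = {k: v.strip('"') for k, v in AVC_FIELD.findall(line)}
    perms = set(PERMS.search(line).group(1).split())
    return fields, perms


def mcs_kill_check(line, killall_types=frozenset()):
    """Explain whether the MCS kill constraint passes for this denial.

    'constraint_ok' is True when the denial cannot be an MCS dominance
    problem: the sender dominates the target, the sender type is in the
    assumed mcskillall set, or the permission is not one MCS constrains.
    """
    fields, perms = parse_avc(line)
    if fields.get("tclass") != "process" or not perms & MCS_KILL_PERMS:
        return {"applies": False, "constraint_ok": True}
    styp, _, shigh = parse_context(fields["scontext"])
    ttyp, _, thigh = parse_context(fields["tcontext"])
    dominates = shigh.dominates(thigh)
    return {
        "applies": True,
        "source_type": styp,
        "target_type": ttyp,
        "missing_categories": len(thigh.categories - shigh.categories),
        "dominates": dominates,
        "constraint_ok": dominates or styp in killall_types,
    }


if __name__ == "__main__":
    print("without mcskillall:", mcs_kill_check(SAMPLE_AVC))
    print("with mcs_killall(rgmanager_t):",
          mcs_kill_check(SAMPLE_AVC, killall_types={"rgmanager_t"}))
```

On the thread's AVC the sender high level is s0 with no categories while the target's is s0:c0.c1023, so the sender is missing all 1024 categories and the check reports the constraint as failing; passing rgmanager_t in the mcskillall set (the effect of the unquoted `mcs_killall(rgmanager_t)` line in the module) makes it pass. A sigchld denial on the same pair reports that the MCS constraint does not apply at all, which matches the thread's conclusion that the sigchld question is a separate matter.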

