Hi,
the startup script of Open SSH server on the Debian Sid adjusts the OOM
killer to not kill sshd in the condition of OOM. It simply does
printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
BTW: I am not certain if this do exactly what was intended, because this
parameter is inherited by all child processes, as one can see using
attached simple script.
Nevertheless I don't know how to enable such write under SE Linux. It
triggers:
[ 66.417499] type=1400 audit(1209737438.955:6): avc: denied { write
} for pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 s
context=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
I wrote attached patch, but the denial still appears.
sid:~# sesearch --allow -s initrc_t -t sshd_t -c file
WARNING: This policy contained disabled aliases; they have been removed.
Found 3 semantic av rules:
allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
allow initrc_t sshd_t : file { ioctl write getattr lock append };
allow initrc_t @ttr2356 : file { ioctl read getattr lock };
sid:~# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 22
Policy from config file: refpolicy
sid:~# uname -a
Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
What am I doing wrong please?
Best Regards
--
Zito
#!/bin/bash
ps axf|perl -lpe '
my $adj = "";
if (m/^\s*(\d+)/) {
if ( open(my $fh, "<", "/proc/$1/oom_adj") ) {
$adj = <$fh>;
chomp $adj;
close($fh);
}
} else {
$adj = "OMA";
}
$_ = sprintf("%3s %s", $adj, $_);
'
---
policy/modules/services/ssh.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 21 insertions(+)
Index: refpolicy-svn/policy/modules/services/ssh.if
===================================================================
--- refpolicy-svn.orig/policy/modules/services/ssh.if 2008-05-02 14:36:38.000000000 +0200
+++ refpolicy-svn/policy/modules/services/ssh.if 2008-05-02 14:37:51.000000000 +0200
@@ -626,6 +626,25 @@
########################################
## <summary>
+## Allow to write to files of ssh server under /proc
+## primarily to adjust the OOM killer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`ssh_proc_write',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:file write_file_perms;
+')
+
+########################################
+## <summary>
## Connect to SSH daemons over TCP sockets. (Deprecated)
## </summary>
## <param name="domain">
Index: refpolicy-svn/policy/modules/system/init.te
===================================================================
--- refpolicy-svn.orig/policy/modules/system/init.te 2008-05-02 14:36:43.000000000 +0200
+++ refpolicy-svn/policy/modules/system/init.te 2008-05-02 14:36:43.000000000 +0200
@@ -743,6 +743,8 @@
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
+# Debian startup script adjusts OOM killer to not kill sshd.
+ ssh_proc_write(initrc_t)
')
optional_policy(`
