On Fri, May 02, 2008 at 11:07:01AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Václav Ovsík wrote:
> > Hi,
> > the startup script of the OpenSSH server on Debian Sid adjusts the OOM
> > killer so that it does not kill sshd under OOM conditions. It simply does
> >
> > printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
> >
> > BTW: I am not certain this does exactly what was intended, because this
> > parameter is inherited by all child processes, as one can see using the
> > attached simple script.
> >
> > Nevertheless, I don't know how to enable such a write under SELinux. It
> > triggers:
> >
> > [ 66.417499] type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
> >
> > I wrote the attached patch, but the denial still appears.
> >
> > sid:~# sesearch --allow -s initrc_t -t sshd_t -c file
> > WARNING: This policy contained disabled aliases; they have been removed.
> > Found 3 semantic av rules:
> > allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
> > allow initrc_t sshd_t : file { ioctl write getattr lock append };
> > allow initrc_t @ttr2356 : file { ioctl read getattr lock };
> >
> > sid:~# sestatus
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: permissive
> > Mode from config file: permissive
> > Policy version: 22
> > Policy from config file: refpolicy
> > sid:~# uname -a
> > Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
> >
> > What am I doing wrong, please?
> > Best Regards
>
> Run the avc messages through audit2why

Great, I got:

[ 19.816342] type=1400 audit(1209977556.108:5): avc: denied { write } for pid=1466 comm="S16ssh" name="oom_adj" dev=proc ino=5408 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
	Was caused by:
	Policy constraint violation.

	May require adding a type attribute to the domain or type to satisfy the constraint.

	Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

I expected problems enabling such a thing (writing to a file that carries the context of a domain). The constraints in policy/constraints etc. are rather complex. Now I am going the way of least friction :) - to file a bug report against openssh-server with a patch that will do the OOM adjustment in the C code of sshd itself (like udev does).

IMO writing into /proc/N/oom_adj can be needed by the administrator sometimes, so there should be some role capable of writing there.

Thanks
--
Zito

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
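The approach Zito settles on above, having the daemon adjust its own OOM setting from C instead of having the init script write into another domain's /proc entry, and Václav's caveat that the value is inherited by every child, are shown together in the following added example. It is not code from this thread, from OpenSSH or from udev; the function names (oom_read, oom_write, oom_protect_listener, oom_restore_child, oom_roundtrip_self) are my own. It writes /proc/<pid>/oom_score_adj, the file that replaced oom_adj in later kernels, and falls back to the legacy oom_adj file, rescaling between the two ranges the way the kernel does; lowering the value below the inherited one needs CAP_SYS_RESOURCE, so oom_protect_listener() only succeeds in a privileged daemon, while the restore in the child works unprivileged.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Legacy oom_adj range (-17 = never kill) and the oom_score_adj range that replaced it. */
#define OOM_ADJ_DISABLE   (-17)
#define OOM_ADJ_MAX       15
#define OOM_SCORE_ADJ_MIN (-1000)
#define OOM_SCORE_ADJ_MAX 1000

/* oom_adj -> oom_score_adj as the kernel scales it: 15 pins to 1000, else *1000/17 truncating. */
int oom_adj_to_score_adj(int oom_adj)
{
    if (oom_adj == OOM_ADJ_MAX)
        return OOM_SCORE_ADJ_MAX;
    return oom_adj * OOM_SCORE_ADJ_MAX / -OOM_ADJ_DISABLE;
}

/* Inverse mapping, used when only the legacy file exists. */
int oom_score_adj_to_adj(int score_adj)
{
    if (score_adj == OOM_SCORE_ADJ_MAX)
        return OOM_ADJ_MAX;
    return score_adj * -OOM_ADJ_DISABLE / OOM_SCORE_ADJ_MAX;
}

/* Open oom_score_adj of <pid> ("self" = the caller); fall back to legacy oom_adj. */
static int oom_open(const char *pid, int flags, int *legacy)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/oom_score_adj", pid);
    int fd = open(path, flags);
    *legacy = 0;
    if (fd < 0 && errno == ENOENT) {
        snprintf(path, sizeof path, "/proc/%s/oom_adj", pid);
        fd = open(path, flags);
        *legacy = 1;
    }
    return fd;
}

/* Read the value on the oom_score_adj scale; 0 on success, -1 on error. */
int oom_read(const char *pid, int *score_adj)
{
    char buf[32];
    int legacy, fd = oom_open(pid, O_RDONLY, &legacy);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    *score_adj = legacy ? oom_adj_to_score_adj(atoi(buf)) : atoi(buf);
    return 0;
}

/* Write a value on the oom_score_adj scale. Going below the inherited value
 * needs CAP_SYS_RESOURCE; raising it back is always permitted. */
int oom_write(const char *pid, int score_adj)
{
    char buf[32];
    int legacy, fd = oom_open(pid, O_WRONLY, &legacy);
    if (fd < 0)
        return -1;
    int len = snprintf(buf, sizeof buf, "%d",
                       legacy ? oom_score_adj_to_adj(score_adj) : score_adj);
    ssize_t n = write(fd, buf, len);
    close(fd);
    return n == len ? 0 : -1;
}

/* Listener: remember the inherited value in *saved, then exempt ourselves.
 * Each forked child calls oom_restore_child() before exec, so the exemption
 * does not leak into every session the daemon spawns (hypothetical pattern,
 * not OpenSSH's own code). */
int oom_protect_listener(int *saved)
{
    return oom_read("self", saved) < 0 ? -1 : oom_write("self", OOM_SCORE_ADJ_MIN);
}
int oom_restore_child(int saved) { return oom_write("self", saved); }

/* Unprivileged self-check: re-writing the current value must succeed. */
int oom_roundtrip_self(void)
{
    int v;
    return (oom_read("self", &v) == 0 && oom_write("self", v) == 0) ? 0 : -1;
}
```

A daemon would call oom_protect_listener(&saved) once after start-up, and oom_restore_child(saved) in the child immediately after fork() and before exec(); because the process writes its own /proc entry, the write happens in the daemon's own domain rather than from initrc_t, which is what the constraint in the thread blocks. Note the rescaling is lossy: -8 on the legacy scale becomes -470, which reads back as -7.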