On 04/17/2015 01:31 PM, Steve Huston wrote:
> I noticed that processes spawned via HTCondor are not visible to
> normal users of a system. The daemon that spawns the processes does
> so with the type condor_startd_t, and all children of those daemons
> inherit that type as well (visible with 'ps -efZ').
>
> My understanding of SELinux is very basic, and I'm sure I'm doing this
> wrong, so can someone help me with a policy here? My goal is to allow
> users of a machine to see if there's Condor processes running without
> having to guess based on the system load. What I have:
>
> cat user_condor_startd.te
> # Automatically generated by puppet, do not modify manually
> policy_module(user_condor_startd, 1.0)
> gen_require(`
> type user_t;
> type condor_startd_t;
> class file { ioctl read getattr lock open } ;
> class dir { ioctl read getattr lock search open } ;
> class lnk_file { read getattr } ;
>
> ')
>
> allow user_t condor_startd_t:file { ioctl read getattr lock open } ;
> allow user_t condor_startd_t:dir { ioctl read getattr lock search open } ;
> allow user_t condor_startd_t:lnk_file { read getattr } ;
>
> While this does appear to display the processes in the output of 'ps',
> the label is wrong:
>
> $ ps -efZ | egrep '(^LABEL|condor)'
> LABEL                    UID    PID   PPID  C STIME TTY       TIME     CMD
> -                        condor 6760  6754  0 Apr13 ?         00:04:44 condor_startd -f
> user_u:user_r:user_t:s0  condor 22297 22295 0 13:18 ?         00:00:00 sshd: condor@pts/1
> user_u:user_r:user_t:s0  condor 22298 22297 0 13:18 pts/1     00:00:00 -bash
> user_u:user_r:user_t:s0  condor 22373 22298 0 13:26 pts/1     00:00:00 ps -efZ
> user_u:user_r:user_t:s0  condor 22374 22298 0 13:26 pts/1     00:00:00 egrep (^LABEL|condor)
>
> And I'm also not sure if this is A) the right way to do it, or 2)
> allowing more access to things than is necessary. I tried to base it
> off what user_t can see of type proc_t (according to 'sesearch -A -s
> user_t -t proc_t'), which in turn I guessed based on what I could see
> as a user with 'ls -lZ /proc/'.

You also need

allow user_t condor_startd_t:process getattr;

to see the process labels. I doubt you need lock or ioctl permissions;
they tend to get lumped in together with read.

You could alternatively write your rules using macros from the refpolicy, e.g.:

allow user_t condor_startd_t:file read_file_perms;
allow user_t condor_startd_t:dir list_dir_perms;
allow user_t condor_startd_t:lnk_file read_lnk_file_perms;

or even using a macro that captures all of these rules in one call, e.g.

ps_process_pattern(user_t, condor_startd_t)
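Putting the reply's suggestions together, here is a complete module as an added example (it is not from the thread and not HTCondor's own policy); it assumes the refpolicy development headers in /usr/share/selinux/devel are installed, so that ps_process_pattern and the *_perms permission sets are defined:

```m4
# user_condor_startd.te -- example module, not from the original thread.
# Lets user_t list and read /proc/<pid> entries of condor_startd_t
# processes and fetch their process attributes, so 'ps -efZ' shows the
# real context instead of '-'.
policy_module(user_condor_startd, 1.1)

gen_require(`
	type user_t;
	type condor_startd_t;
')

# ps_process_pattern (refpolicy misc_patterns.spt) expands to roughly:
#   allow user_t condor_startd_t:dir list_dir_perms;
#   allow user_t condor_startd_t:file read_file_perms;
#   allow user_t condor_startd_t:lnk_file read_lnk_file_perms;
#   allow user_t condor_startd_t:process { getattr getsched getpgid };
# i.e. the three *_perms rules from the reply plus process getattr.
# read_file_perms already carries lock and ioctl along with read, so no
# separate class/permission lists are needed in gen_require. The exact
# permission set depends on the refpolicy version installed.
ps_process_pattern(user_t, condor_startd_t)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile user_condor_startd.pp && semodule -i user_condor_startd.pp`, then confirm the expansion with `sesearch -A -s user_t -t condor_startd_t -c process`.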