On Mar 11, 2011, at 11:52 AM, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/11/2011 11:48 AM, Dominick Grift wrote:
> On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
>> On 03/11/2011 10:57 AM, Maria Iano wrote:
>>> I'm getting a denial that audit2why says is due to constraints.
>>> Sesearch does show that the action has an allow rule.
>
>>> Here are the audit messages:
>
>>> host=eng-vocngcn03.eng.gci type=AVC
>>> msg=audit(1299844473.770:740848):
>>> avc: denied { sigkill } for pid=22927 comm="kill"
>>> scontext=system_u:system_r:rgmanager_t:s0
>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>>> tclass=process
>
>>> host=eng-vocngcn03.eng.gci type=SYSCALL
>>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62
>>> success=yes
>>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 tty=(none) ses=4294967295 comm="kill"
exe="/bin/kill"
>>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>
>> You have rgmanager sending a kill signal to a process running as
>> unconfined_t
>
> There is no proof that its rgmanager doing that imho. Since
> rgmanager_t
> is an unconfined_domain it could be any generic application started
> by a
> process running in the rgmanager_t domain (eventually started by
> rgmanager)
>
>> I would bet this process is running with the wrong domain. I don't
>> think you want rgmanager_t sending kill signals to user processes.
>
>> What process was it trying to kill?
>>> Here is the result of running sesearch on that same server:
>
>>> [root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t
>>> unconfined_t -
>>> c process -p sigkill
>>> Found 1 av rules:
>>> allow rgmanager_t unconfined_t : process { sigchld sigkill };
>
>>> Here is what audit2why says:
>
>>> [root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC
>>> msg=audit(1299844473.770:740848): avc: denied { sigkill } for
>>> pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0
>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>>> tclass=process'
>>> | audit2why
>>> host=eng-vocngcn03.eng.gci type=AVC
>>> msg=audit(1299844473.770:740848):
>>> avc: denied { sigkill } for pid=22927 comm="kill"
>>> scontext=system_u:system_r:rgmanager_t:s0
>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>>> tclass=process
>>> Was caused by:
>>> Constraint violation.
>>> Check policy/constraints.
>>> Typically, you just need to add a type attribute to
>>> the domain to satisfy the constraint.
>
>>> This is a RHEL 5.5 server and it doesn't have the policy source
>>> and I
>>> don't see an rpm available with that. I can't find a constraints
>>> file,
>>> and I assume that's because it doesn't have the source. I'm
>>> trying to
>>> work out how to add the necessary type attribute to the domain. I
>>> do
>>> have a custom policy on the system. It's very long so I'll
>>> include the
>>> relevant pieces:
>
>>> require {
>>> type rgmanager_t;
>>> type unconfined_t;
>>> class process { sigkill signal };
>>> ..<snip>...
>>> }
>
>>> allow rgmanager_t unconfined_t:process sigkill;
>>> ..<snip>...
>
>>> Is there something I can add to my policy to resolve the
>>> constraints
>>> issue?
>
>>> Thanks,
>>> Maria
>
Right although unconifned_t:s0-s0:c0.c1023 is almost assured a
logged in
user. It could have been a shell secript started via a remove ssh
call
If an init script had started an unconfined_exec_t executable it would
probably run as s0.
To solve the constraint you would need to add
`mcs_killall(rgmanager_t)
That worked - thank you so much!
Maria