help adding a type attribute to a domain

Dominick Grift domg472 at gmail.com
Fri Mar 11 16:56:44 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/11/2011 05:54 PM, Dominick Grift wrote:
> On 03/11/2011 05:52 PM, Daniel J Walsh wrote:
>> On 03/11/2011 11:48 AM, Dominick Grift wrote:
>>> On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
>>>> On 03/11/2011 10:57 AM, Maria Iano wrote:
>>>>> I'm getting a denial that audit2why says is due to constraints.  
>>>>> Sesearch does show that the action has an allow rule.
> 
>>>>> Here are the audit messages:
> 
>>>>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):  
>>>>> avc:  denied  { sigkill } for  pid=22927 comm="kill"  
>>>>> scontext=system_u:system_r:rgmanager_t:s0  
>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> 
>>>>> host=eng-vocngcn03.eng.gci type=SYSCALL  
>>>>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes  
>>>>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927  
>>>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0  
>>>>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"  
>>>>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
> 
>>>> You have rgmanager sending a kill signal to a process running as
>>>> unconfined_t
> 
>>> There is no proof that its rgmanager doing that imho. Since rgmanager_t
>>> is an unconfined_domain it could be any generic application started by a
>>> process running in the rgmanager_t domain (eventually started by rgmanager)
> 
>>>> I would bet this process is running with the wrong domain.  I don't
>>>> think you want rgmanager_t sending kill signals to user processes.
> 
>>>> What process was it trying to kill?
>>>>> Here is the result of running sesearch on that same server:
> 
>>>>> [root at eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t - 
>>>>> c process -p sigkill
>>>>> Found 1 av rules:
>>>>>     allow rgmanager_t unconfined_t : process { sigchld sigkill };
> 
>>>>> Here is what audit2why says:
> 
>>>>> [root at eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC  
>>>>> msg=audit(1299844473.770:740848): avc:  denied  { sigkill } for   
>>>>> pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0  
>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'  
>>>>> | audit2why
>>>>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):  
>>>>> avc:  denied  { sigkill } for  pid=22927 comm="kill"  
>>>>> scontext=system_u:system_r:rgmanager_t:s0  
>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>>>>          Was caused by:
>>>>>                  Constraint violation.
>>>>>                  Check policy/constraints.
>>>>>                  Typically, you just need to add a type attribute to  
>>>>> the domain to satisfy the constraint.
> 
>>>>> This is a RHEL 5.5 server and it doesn't have the policy source and I  
>>>>> don't see an rpm available with that. I can't find a constraints file,  
>>>>> and I assume that's because it doesn't have the source. I'm trying to  
>>>>> work out how to add the necessary type attribute to the domain. I do  
>>>>> have a custom policy on the system. It's very long so I'll include the  
>>>>> relevant pieces:
> 
>>>>> require {
>>>>>          type rgmanager_t;
>>>>>          type unconfined_t;
>>>>>          class process { sigkill signal };
>>>>> ..<snip>...
>>>>> }
> 
>>>>> allow rgmanager_t unconfined_t:process sigkill;
>>>>> ..<snip>...
> 
>>>>> Is there something I can add to my policy to resolve the constraints  
>>>>> issue?
> 
>>>>> Thanks,
>>>>> Maria
>>>>> --
>>>>> selinux mailing list
>>>>> selinux at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
> 
> 
>> Right although unconifned_t:s0-s0:c0.c1023 is almost assured a logged in
>> user.  It could have been a shell secript started via a remove ssh call
> 
>> If an init script had started an unconfined_exec_t executable it would
>> probably run as s0.
> 
>> To solve the constraint you would need to add
> 
>> `mcs_killall(rgmanager_t)
> 
> Nope its started by that script (note the sigchld as well)
> There is no way to deal with that constraint unless you allow
> rgmanager_t to run the script with a domain plus range transition.

rgmanager -> ... -> "the script" -> ssh login
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk16VEwACgkQMlxVo39jgT8RdgCfRcJDqKK06XdaOI2Sj5qGQX7s
6fYAoK467fdTdsSZQyFZpgrCttAN0Xqb
=kL4Z
-----END PGP SIGNATURE-----

More information about the selinux mailing list