help adding a type attribute to a domain

Dominick Grift domg472 at gmail.com
Fri Mar 11 17:37:38 UTC 2011



On 03/11/2011 06:33 PM, Dominick Grift wrote:
> On 03/11/2011 06:30 PM, Maria Iano wrote:
> 
>> On Mar 11, 2011, at 11:52 AM, Daniel J Walsh wrote:
> 
>>> On 03/11/2011 11:48 AM, Dominick Grift wrote:
>>>> On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
>>>>> On 03/11/2011 10:57 AM, Maria Iano wrote:
>>>>>> I'm getting a denial that audit2why says is due to constraints.
>>>>>> Sesearch does show that the action has an allow rule.
>>>>
>>>>>> Here are the audit messages:
>>>>
>>>>>> host=eng-vocngcn03.eng.gci type=AVC  
>>>>>> msg=audit(1299844473.770:740848):
>>>>>> avc:  denied  { sigkill } for  pid=22927 comm="kill"
>>>>>> scontext=system_u:system_r:rgmanager_t:s0
>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023  
>>>>>> tclass=process
>>>>
>>>>>> host=eng-vocngcn03.eng.gci type=SYSCALL
>>>>>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62  
>>>>>> success=yes
>>>>>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>>>>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>>>>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>>>>>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>>>
>>>>> You have rgmanager sending a kill signal to a process running as
>>>>> unconfined_t
>>>>
>>>> There is no proof that it's rgmanager doing that imho. Since rgmanager_t
>>>> is an unconfined_domain it could be any generic application started by a
>>>> process running in the rgmanager_t domain (eventually started by rgmanager)
>>>>
>>>>> I would bet this process is running with the wrong domain.  I don't
>>>>> think you want rgmanager_t sending kill signals to user processes.
>>>>
>>>>> What process was it trying to kill?
>>>>>> Here is the result of running sesearch on that same server:
>>>>
>>>>>> [root at eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -c process -p sigkill
>>>>>> Found 1 av rules:
>>>>>>    allow rgmanager_t unconfined_t : process { sigchld sigkill };
>>>>
>>>>>> Here is what audit2why says:
>>>>
>>>>>> [root at eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC
>>>>>> msg=audit(1299844473.770:740848): avc:  denied  { sigkill } for
>>>>>> pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0
>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023  
>>>>>> tclass=process'
>>>>>> | audit2why
>>>>>> host=eng-vocngcn03.eng.gci type=AVC  
>>>>>> msg=audit(1299844473.770:740848):
>>>>>> avc:  denied  { sigkill } for  pid=22927 comm="kill"
>>>>>> scontext=system_u:system_r:rgmanager_t:s0
>>>>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023  
>>>>>> tclass=process
>>>>>>         Was caused by:
>>>>>>                 Constraint violation.
>>>>>>                 Check policy/constraints.
>>>>>>                 Typically, you just need to add a type attribute to
>>>>>> the domain to satisfy the constraint.
>>>>
>>>>>> This is a RHEL 5.5 server and it doesn't have the policy source and I
>>>>>> don't see an rpm available with that. I can't find a constraints file,
>>>>>> and I assume that's because it doesn't have the source. I'm trying to
>>>>>> work out how to add the necessary type attribute to the domain. I do
>>>>>> have a custom policy on the system. It's very long so I'll include the
>>>>>> relevant pieces:
>>>>
>>>>>> require {
>>>>>>         type rgmanager_t;
>>>>>>         type unconfined_t;
>>>>>>         class process { sigkill signal };
>>>>>> ..<snip>...
>>>>>> }
>>>>
>>>>>> allow rgmanager_t unconfined_t:process sigkill;
>>>>>> ..<snip>...
>>>>
>>>>>> Is there something I can add to my policy to resolve the constraints
>>>>>> issue?
>>>>
>>>>>> Thanks,
>>>>>> Maria
>>>>>> --
>>>>>> selinux mailing list
>>>>>> selinux at lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>>>
>>>
>>> Right although unconfined_t:s0-s0:c0.c1023 is almost assured a logged in
>>> user.  It could have been a shell script started via a remote ssh call
>>>
>>> If an init script had started an unconfined_exec_t executable it would
>>> probably run as s0.
>>>
>>> To solve the constraint you would need to add
>>>
>>> `mcs_killall(rgmanager_t)
>>>
> 
>> Where do I add that line? I tried adding it to my te file but got an error.
> 
>> [root at eng-vocdeviodb01 ~]# /usr/bin/checkmodule -M -m -o /root/ngiodb.mod /root/ngiodb.te
>> /usr/bin/checkmodule:  loading policy configuration from /root/ngiodb.te
>> (unknown source)::ERROR 'syntax error' at token 'mcs_killall' on line 111:
>> allow rgmanager_t unconfined_t:process sigkill;
>> mcs_killall(rgmanager_t);
>> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> 
> 
> mcs_killall(rgmanager_t) (without the `)
> 
> But try my solution first because this solution does not deal with the
> other sigchld issue.

Actually, now that I come to think of it, this mcs_killall() may be your
best solution after all.

I could not confirm that rgmanager_t:s0 needs to sigchld the
unconfined_t:s0-s0:c0.c1023 process. That was just a guess...

Still, I would also try my solution in case it does need to send a child
died signal to unconfined_t:s0-s0:c0.c1023.

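For reference, an added example that is not from this thread: a refpolicy-style module carrying both the TE rule and the mcs_killall() call, built with the selinux-policy-devel Makefile rather than with checkmodule, which is what turns the macro into the type attribute audit2why asks for. The module name ngiodb_mcs is made up; the interface and the two types are the ones discussed above, and /usr/share/selinux/devel/Makefile is assumed to be provided by the selinux-policy-devel package.

```selinux
# ngiodb_mcs.te (constructed module name; not from the thread).
#
# Interfaces such as mcs_killall() are m4 macros from the reference policy.
# They are expanded only when the module is built through the devel Makefile:
#   make -f /usr/share/selinux/devel/Makefile ngiodb_mcs.pp
#   semodule -i ngiodb_mcs.pp
# Running checkmodule directly on the .te skips m4, which is why it stops
# with "syntax error at token 'mcs_killall'".
policy_module(ngiodb_mcs, 1.0)

gen_require(`
	type rgmanager_t;
	type unconfined_t;
	class process { sigkill signal };
')

# Type enforcement: this is the rule sesearch already reported as present.
allow rgmanager_t unconfined_t:process sigkill;

# MCS: the constraint on sigkill also requires the sender's high level to
# dominate the target's (rgmanager_t runs at s0, the target at
# s0-s0:c0.c1023) unless the sender carries the mcskillall attribute.
# mcs_killall() adds that attribute to the domain, which is the
# "type attribute" audit2why refers to.
mcs_killall(rgmanager_t)
```

After loading the module, re-run sesearch and repeat the kill to confirm the AVC is gone; the TE rule alone will keep producing the same denial because the constraint, not the allow rule, was the blocking check.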

