On Mar 11, 2011, at 12:09 PM, Miroslav Grepl wrote:
On 03/11/2011 04:03 PM, Dominick Grift wrote:
On 03/11/2011 04:57 PM, Maria Iano wrote:
I'm getting a denial that audit2why says is due to constraints. Sesearch does show that the action has an allow rule.
Here are the audit messages:
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=eng-vocngcn03.eng.gci type=SYSCALL msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill" subj=system_u:system_r:rgmanager_t:s0 key=(null)
Here is the result of running sesearch on that same server:
[root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -c process -p sigkill
Found 1 av rules:
   allow rgmanager_t unconfined_t : process { sigchld sigkill };
Here is what audit2why says:
[root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process' | audit2why
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
        Was caused by:
        Constraint violation.
        Check policy/constraints.
        Typically, you just need to add a type attribute to the domain to satisfy the constraint.
This is a RHEL 5.5 server and it doesn't have the policy source and I don't see an rpm available with that. I can't find a constraints file, and I assume that's because it doesn't have the source. I'm trying to work out how to add the necessary type attribute to the domain. I do have a custom policy on the system. It's very long so I'll include the relevant pieces:
require {
        type rgmanager_t;
        type unconfined_t;
        class process { sigkill signal };
        ...<snip>...
}

allow rgmanager_t unconfined_t:process sigkill;
...<snip>...
Is there something I can add to my policy to resolve the constraints issue?
What is that process running in the unconfined_t domain? What is your distro? Looks to be MCS constrained.
What were you doing with rgmanager when this happened?
From the logs it looks as though an automated process logged in over ssh and did something but I don't know what the process does. I'm trying to find out but the vendor is overseas so I don't know how soon I'll hear back.
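An added illustration, not code from the thread or from the SELinux tools: a Python script that parses the AVC record Maria posted and checks whether the source context's high MCS level dominates the target's. That is the test the MCS constraint on process signals applies in the reference policy (assumption: the RHEL 5 targeted policy uses the same rule, as policy/mcs does), which is why sesearch finds an allow rule yet the kill is still denied.

```python
import re

# Constructed from the AVC record posted in the thread (same values, not a new capture).
AVC = ('type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } '
       'for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 '
       'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process')

_CTX_RE = re.compile(r'(scontext|tcontext)=(\S+)')


def parse_level(level):
    """'s0:c0.c1023' -> ('s0', frozenset({0..1023})). Handles c0.c1023 ranges, c1,c5 lists and no categories."""
    sens, _, cats = level.partition(':')
    out = set()
    for part in (cats.split(',') if cats else []):
        lo, _, hi = part.partition('.')
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return sens, frozenset(out)


def high_level(context):
    """High (clearance) level of a context: the MLS field after the third colon, after '-' if it is a range."""
    mls = context.split(':', 3)[3]          # e.g. 's0-s0:c0.c1023' or plain 's0'
    return parse_level(mls.split('-')[-1])


def dominates(a, b):
    """MLS dominance: sensitivity of a >= sensitivity of b and a's categories are a superset of b's."""
    (sens_a, cats_a), (sens_b, cats_b) = a, b
    return int(sens_a[1:]) >= int(sens_b[1:]) and cats_a >= cats_b


def explain_avc(line):
    """Report whether the MCS 'h1 dom h2' constraint (assumed, as in refpolicy's mcs file) lets the signal through."""
    ctx = dict(_CTX_RE.findall(line))
    src, tgt = high_level(ctx['scontext']), high_level(ctx['tcontext'])
    ok = dominates(src, tgt)
    return {
        'source_high': src,
        'target_high': tgt,
        'source_dominates_target': ok,
        'verdict': ('allow rule is sufficient' if ok
                    else 'MCS constraint blocks it: source high level does not dominate target'),
    }


if __name__ == '__main__':
    print(explain_avc(AVC)['verdict'])
```

For the posted record the source high level is s0 with no categories while the target's is s0:c0.c1023, so the script reports the constraint as the blocker; rerun it on the same line with rgmanager_t given s0-s0:c0.c1023 and the verdict flips.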