-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/11/2011 05:22 PM, Maria Iano wrote:
On Mar 11, 2011, at 11:03 AM, Dominick Grift wrote:
On 03/11/2011 04:57 PM, Maria Iano wrote:
I'm getting a denial that audit2why says is due to constraints. Sesearch does show that the action has an allow rule.
Here are the audit messages:
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=eng-vocngcn03.eng.gci type=SYSCALL msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill" subj=system_u:system_r:rgmanager_t:s0 key=(null)
Here is the result of running sesearch on that same server:
[root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -c process -p sigkill
Found 1 av rules:
   allow rgmanager_t unconfined_t : process { sigchld sigkill };
Here is what audit2why says:
[root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process' | audit2why
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
        Was caused by:
                Constraint violation.

                Check policy/constraints.
                Typically, you just need to add a type attribute to the domain to satisfy the constraint.
This is a RHEL 5.5 server and it doesn't have the policy source and I don't see an rpm available with that. I can't find a constraints file, and I assume that's because it doesn't have the source. I'm trying to work out how to add the necessary type attribute to the domain. I do have a custom policy on the system. It's very long so I'll include the relevant pieces:
require {
        type rgmanager_t;
        type unconfined_t;
        class process { sigkill signal };
        ...<snip>...
}

allow rgmanager_t unconfined_t:process sigkill;
...<snip>...
Is there something I can add to my policy to resolve the constraints issue?
What is that process running in the unconfined_t domain? What is your distro? Looks to be MCS constrained.
It looks as though what is happening is that some code (from a vendor) logs in over ssh and that ssh session has context unconfined_t. The sigkill avc messages fall on the heels of the ssh session logging out. I don't know what that code does while it's logged in. I have forwarded a request to find that out on to someone who is in a position to contact the vendor and ask. I haven't heard back yet.
I suspect you are running some third party application that was eventually started by rgmanager. The fix in my view would probably be to confine whatever application that is and to run it at s0-s0:c0.c1023 instead of s0.
What application is it?
Thanks,
Maria

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
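The reason the allow rule in sesearch does not help here is the MCS dominance check: the source process runs at s0 with no categories, the target at s0-s0:c0.c1023, and for sigkill the policy requires the source's high level to dominate the target's. The following script is an added example, not part of this thread and not code from any SELinux tool. It parses an AVC record, compares the two contexts' MCS levels, and reports whether a process-class denial is explainable by that constraint. The set of constrained permissions (sigkill, sigstop) is taken from upstream reference policy's MCS file; the exact wording in the RHEL 5 policy is not shown in the thread and is an assumption here. The sample record is the denial quoted above, and the "fixed" variant is constructed to show the context Dominick suggests.

```python
import re

# Process-class permissions that upstream reference policy's MCS file guards
# with an "h1 dom h2" constraint. Assumption: the RHEL 5 policy matches this.
MCS_PROCESS_PERMS = {"sigkill", "sigstop"}

AVC_RE = re.compile(r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
DENIED_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")

# Sample input: the AVC record from the thread above, and a constructed copy
# with the source domain running at the full category range.
SAMPLE_AVC = ('type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } '
              'for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 '
              'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process')
SAMPLE_AVC_FIXED = SAMPLE_AVC.replace("rgmanager_t:s0 ", "rgmanager_t:s0-s0:c0.c1023 ")


def parse_level(level):
    """Parse an MCS/MLS level such as 's0' or 's0:c0.c1023,c5' into
    (sensitivity, frozenset of category numbers)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                      # 'cA.cB' is an inclusive range
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_context(ctx):
    """Split 'user:role:type:low[-high]'. A context with no '-' (like the
    rgmanager_t one above) has high == low."""
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return {"user": user, "role": role, "type": typ, "range": rng,
            "low": parse_level(low), "high": parse_level(high or low)}


def dominates(a, b):
    """'a dom b': a's sensitivity is >= b's and a's category set includes b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def mcs_check(avc_line):
    """Return a verdict dict: is the denied permission MCS-constrained, and does
    the source's high level dominate the target's high level?"""
    m = AVC_RE.search(avc_line)
    d = DENIED_RE.search(avc_line)
    if not m or not d:
        raise ValueError("not an AVC record with scontext/tcontext/tclass")
    src, tgt, tclass = parse_context(m.group(1)), parse_context(m.group(2)), m.group(3)
    hit = sorted(p for p in d.group(1).split()
                 if tclass == "process" and p in MCS_PROCESS_PERMS)
    if not hit:
        return {"constrained": False, "dominates": None, "perms": hit,
                "source_range": src["range"], "target_range": tgt["range"]}
    return {"constrained": True, "perms": hit,
            "dominates": dominates(src["high"], tgt["high"]),
            "source_range": src["range"], "target_range": tgt["range"]}


def explain(result):
    """One-line triage summary for a verdict from mcs_check()."""
    if not result["constrained"]:
        return "no MCS-constrained permission involved; look for a missing allow rule"
    if result["dominates"]:
        return "source %s dominates target %s; constraint satisfied" % (
            result["source_range"], result["target_range"])
    return "source %s does not dominate target %s; MCS constraint violation on %s" % (
        result["source_range"], result["target_range"], " ".join(result["perms"]))


if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_AVC_FIXED):
        print(explain(mcs_check(line)))
```

On the thread's record this reports that s0 does not dominate s0-s0:c0.c1023, which is exactly the "Constraint violation" audit2why prints even though sesearch finds the allow rule; on the constructed variant, where the source domain carries the full category range, the dominance check passes. The script only reasons about the MCS level; it cannot query the loaded policy, so a "constraint satisfied" verdict still has to be confirmed with sesearch on the host.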