I'm getting a denial that audit2why says is due to constraints. Sesearch does show that the action has an allow rule.
Here are the audit messages:
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=eng-vocngcn03.eng.gci type=SYSCALL msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill" subj=system_u:system_r:rgmanager_t:s0 key=(null)
Here is the result of running sesearch on that same server:
[root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -c process -p sigkill
Found 1 av rules:
allow rgmanager_t unconfined_t : process { sigchld sigkill };
Here is what audit2why says:
[root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process' | audit2why
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
	Was caused by:
		Constraint violation.  Check policy/constraints.
		Typically, you just need to add a type attribute to the domain to satisfy the constraint.
This is a RHEL 5.5 server and it doesn't have the policy source and I don't see an rpm available with that. I can't find a constraints file, and I assume that's because it doesn't have the source. I'm trying to work out how to add the necessary type attribute to the domain. I do have a custom policy on the system. It's very long so I'll include the relevant pieces:
require {
	type rgmanager_t;
	type unconfined_t;
	class process { sigkill signal };
	...<snip>...
}

allow rgmanager_t unconfined_t:process sigkill;
...<snip>...
Is there something I can add to my policy to resolve the constraints issue?
Thanks, Maria
On 03/11/2011 04:57 PM, Maria Iano wrote:
What is that process running in the unconfined_t domain? What is your distro? Looks to be an MCS constraint.
Thanks, Maria -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Mar 11, 2011, at 11:03 AM, Dominick Grift wrote:
What is that process running in the unconfined_t domain? What is your distro? Looks to be an MCS constraint.
It looks as though what is happening is that some code (from a vendor) logs in over ssh and that ssh session has context unconfined_t. The sigkill avc messages fall on the heels of the ssh session logging out. I don't know what that code does while it's logged in. I have forwarded a request to find that out on to someone who is in a position to contact the vendor and ask. I haven't heard back yet.
Thanks, Maria
On 03/11/2011 05:22 PM, Maria Iano wrote:
It looks as though what is happening is that some code (from a vendor) logs in over ssh and that ssh session has context unconfined_t. The sigkill avc messages fall on the heels of the ssh session logging out. I don't know what that code does while it's logged in. I have forwarded a request to find that out on to someone who is in a position to contact the vendor and ask. I haven't heard back yet.
I suspect you are running some third-party application that was, eventually, started by rgmanager. The fix in my view would probably be to confine whatever application that is and to run it at s0-s0:c0.c1023 instead of s0.
What application is it?
On 03/11/2011 04:03 PM, Dominick Grift wrote:
What is that process running in the unconfined_t domain? What is your distro? Looks to be an MCS constraint.
What were you doing with rgmanager when this happened?
On Mar 11, 2011, at 12:09 PM, Miroslav Grepl wrote:
What were you doing with rgmanager when this happened?
From the logs it looks as though an automated process logged in over ssh and did something but I don't know what the process does. I'm trying to find out but the vendor is overseas so I don't know how soon I'll hear back.
On 03/11/2011 04:57 PM, Maria Iano wrote:
Here is the result of running sesearch on that same server:
[root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -c process -p sigkill
Found 1 av rules:
allow rgmanager_t unconfined_t : process { sigchld sigkill };
Looks like some process running in the rgmanager domain ran an executable file that was labelled unconfined_exec_t and the rgmanager_t domain transitioned to unconfined_t. However, I cannot find a rule allowing this transition on short notice.
So how it managed to transition to unconfined_t is beyond me. Have you implemented custom policy?
On 03/11/2011 10:57 AM, Maria Iano wrote:
Here are the audit messages:
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=eng-vocngcn03.eng.gci type=SYSCALL msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill" subj=system_u:system_r:rgmanager_t:s0 key=(null)
You have rgmanager sending a kill signal to a process running as unconfined_t.
I would bet this process is running with the wrong domain. I don't think you want rgmanager_t sending kill signals to user processes.
What process was it trying to kill?
On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
You have rgmanager sending a kill signal to a process running as unconfined_t.
There is no proof that it's rgmanager doing that, imho. Since rgmanager_t is an unconfined domain, it could be any generic application started by a process running in the rgmanager_t domain (eventually started by rgmanager).
On 03/11/2011 11:48 AM, Dominick Grift wrote:
There is no proof that it's rgmanager doing that, imho. Since rgmanager_t is an unconfined domain, it could be any generic application started by a process running in the rgmanager_t domain (eventually started by rgmanager).
Right, although unconfined_t:s0-s0:c0.c1023 is almost assuredly a logged-in user. It could have been a shell script started via a remote ssh call.
If an init script had started an unconfined_exec_t executable it would probably run as s0.
To solve the constraint you would need to add
mcs_killall(rgmanager_t)
On 03/11/2011 05:52 PM, Daniel J Walsh wrote:
Right, although unconfined_t:s0-s0:c0.c1023 is almost assuredly a logged-in user. It could have been a shell script started via a remote ssh call.
If an init script had started an unconfined_exec_t executable it would probably run as s0.
To solve the constraint you would need to add
mcs_killall(rgmanager_t)
Nope, it's started by that script (note the sigchld as well). There is no way to deal with that constraint unless you allow rgmanager_t to run the script with a domain plus range transition.
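Worked example added here, not from the thread and not Red Hat's or refpolicy's code: it parses the AVC line quoted above and evaluates the MCS constraint that reference policy places on process { sigkill sigstop }, which is why sesearch shows an allow rule yet audit2why reports a constraint violation. The constraint shape (( h1 dom h2 ) or ( t1 == mcskillall )) is quoted from memory of refpolicy's policy/mcs and is an assumption, as is the function and attribute naming below.

```python
import re

# Constructed copy of the AVC line quoted in the thread.
AVC_LINE = (
    'host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): '
    'avc: denied { sigkill } for pid=22927 comm="kill" '
    'scontext=system_u:system_r:rgmanager_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
)

# Assumption: refpolicy's policy/mcs guards these permissions with
#   mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall ));
# mcs_killall(rgmanager_t) is the m4 interface (from the refpolicy development
# headers) that expands to "typeattribute rgmanager_t mcskillall;", i.e. the
# "type attribute" audit2why is hinting at. Only this one constraint is modelled.
MCS_KILL_PERMS = {"sigkill", "sigstop"}


def parse_categories(spec):
    """'c0.c1023,c5' -> set of category numbers; '' -> empty set."""
    cats = set()
    for item in filter(None, spec.split(",")):
        lo, _, hi = item.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return cats


def parse_level(level):
    """'s0:c0.c1023' -> (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_categories(cats)


def parse_context(ctx):
    """'user:role:type:low[-high]' -> dict with type, low and high levels."""
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    return {"user": user, "role": role, "type": typ,
            "low": parse_level(low), "high": parse_level(high or low)}


def dominates(a, b):
    """MLS/MCS 'dom': sensitivity >= and categories a superset of the other's."""
    return a[0] >= b[0] and b[1] <= a[1]


def mcs_allows(perm, scontext, tcontext, source_attrs=frozenset()):
    """True if the MCS constraint is satisfied for one process permission.

    False means the access is refused even though a type-enforcement allow
    rule exists, which is exactly audit2why's "Constraint violation".
    rgmanager_t:s0 carries no categories, so it cannot dominate
    unconfined_t:s0-s0:c0.c1023 unless the domain has the mcskillall attribute.
    """
    if perm not in MCS_KILL_PERMS:
        return True  # not guarded by the constraint modelled here
    src, tgt = parse_context(scontext), parse_context(tcontext)
    return dominates(src["high"], tgt["high"]) or "mcskillall" in source_attrs


def parse_avc(line):
    """Extract (permissions, scontext, tcontext, tclass) from an AVC record."""
    m = re.search(r'denied\s+\{\s*([^}]*?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)'
                  r'\s+tclass=(\S+)', line)
    if not m:
        raise ValueError("not an AVC denial line")
    return m.group(1).split(), m.group(2), m.group(3), m.group(4)


def explain(line, source_attrs=frozenset()):
    """Map each denied permission to whether the MCS constraint would pass."""
    perms, sctx, tctx, tclass = parse_avc(line)
    if tclass != "process":
        return {p: True for p in perms}
    return {p: mcs_allows(p, sctx, tctx, source_attrs) for p in perms}


if __name__ == "__main__":
    print("as shipped:      ", explain(AVC_LINE))
    print("with mcskillall: ", explain(AVC_LINE, {"mcskillall"}))
```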
On 03/11/2011 05:54 PM, Dominick Grift wrote:
On 03/11/2011 05:52 PM, Daniel J Walsh wrote:
On 03/11/2011 11:48 AM, Dominick Grift wrote:
On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
On 03/11/2011 10:57 AM, Maria Iano wrote:
You have rgmanager sending a kill signal to a process running as unconfined_t
rgmanager -> ... -> "the script" -> ssh login
On 03/11/2011 05:56 PM, Dominick Grift wrote:
either that or run rgmanager_t on s0 - mcs_systemhigh
On Mar 11, 2011, at 11:52 AM, Daniel J Walsh wrote:
Where do I add that line? I tried adding it to my te file but got an error.
[root@eng-vocdeviodb01 ~]# /usr/bin/checkmodule -M -m -o /root/ngiodb.mod /root/ngiodb.te
/usr/bin/checkmodule: loading policy configuration from /root/ngiodb.te
(unknown source)::ERROR 'syntax error' at token 'mcs_killall' on line 111:
allow rgmanager_t unconfined_t:process sigkill;
mcs_killall(rgmanager_t);
/usr/bin/checkmodule: error(s) encountered while parsing configuration
On 03/11/2011 06:30 PM, Maria Iano wrote:
mcs_killall(rgmanager_t) (without the `)
But try my solution first because this solution does not deal with the other sigchld issue.
On 03/11/2011 06:33 PM, Dominick Grift wrote:
Actually, now that I come to think of it, this mcs_killall() may be your best solution after all.
I could not confirm that rgmanager_t:s0 needs to sigchld an unconfined_t:s0-s0:c0.c1023 process. That was just a guess...
Still, I would also try my solution in case it does need to send a child-died signal to unconfined_t:s0-s0:c0.c1023.
On 03/11/2011 06:37 PM, Dominick Grift wrote:
Looks like dwalsh was right: mcs_killall(rgmanager_t) is the best solution.
rgmanager_t probably wanted to send sigchld to itself (rgmanager_t); it was probably the script it was running.
Use mcs_killall(rgmanager_t) and ignore my solution of running rgmanager on s0 - mcs_systemhigh; it is too permissive.
On 03/11/2011 12:48 PM, Dominick Grift wrote:
The lack of :s0 indicates they are running on a RHEL5 box.
On Mar 11, 2011, at 11:52 AM, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/11/2011 11:48 AM, Dominick Grift wrote:
On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
On 03/11/2011 10:57 AM, Maria Iano wrote:
I'm getting a denial that audit2why says is due to constraints. Sesearch does show that the action has an allow rule.
Here are the audit messages:
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=eng-vocngcn03.eng.gci type=SYSCALL msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill" subj=system_u:system_r:rgmanager_t:s0 key=(null)
You have rgmanager sending a kill signal to a process running as unconfined_t
There is no proof that its rgmanager doing that imho. Since rgmanager_t is an unconfined_domain it could be any generic application started by a process running in the rgmanager_t domain (eventually started by rgmanager)
I would bet this process is running with the wrong domain. I don't think you want rgmanager_t sending kill signals to user processes.
What process was it trying to kill?
Here is the result of running sesearch on that same server:
[root@eng-vocngcn03]# sesearch --allow -s rgmanager_t -t unconfined_t -c process -p sigkill
Found 1 av rules:
   allow rgmanager_t unconfined_t : process { sigchld sigkill };
Here is what audit2why says:
[root@eng-vocngcn03]# echo 'host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process' | audit2why
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
        Was caused by:
        Constraint violation.
        Check policy/constraints.
        Typically, you just need to add a type attribute to the domain to satisfy the constraint.
This is a RHEL 5.5 server and it doesn't have the policy source and I don't see an rpm available with that. I can't find a constraints file, and I assume that's because it doesn't have the source. I'm trying to work out how to add the necessary type attribute to the domain. I do have a custom policy on the system. It's very long so I'll include the relevant pieces:
require {
    type rgmanager_t;
    type unconfined_t;
    class process { sigkill signal };
    ..<snip>...
}

allow rgmanager_t unconfined_t:process sigkill;
..<snip>...
Is there something I can add to my policy to resolve the constraints issue?
Thanks, Maria
Right, although unconfined_t:s0-s0:c0.c1023 is almost assuredly a logged in user. It could have been a shell script started via a remote ssh call.
If an init script had started an unconfined_exec_t executable it would probably run as s0.
To solve the constraint you would need to add
mcs_killall(rgmanager_t)
That worked - thank you so much!
Maria
On Mar 11, 2011, at 11:48 AM, Dominick Grift wrote:
There is no proof that its rgmanager doing that imho. Since rgmanager_t is an unconfined_domain it could be any generic application started by a process running in the rgmanager_t domain (eventually started by rgmanager)
We have Red Hat clustering running on the server, and the clustering processes are running as rgmanager_t. When we move a service off the server to another node, the clustering software calls a vendor script, like the Red Hat init.d scripts, with the stop command. That vendor script calls another script which is a stop script. That stop script is full of kill commands that match all running processes against various expressions and kill them.
We do have a custom policy with a bunch of allow rules but none of them allow a domain transition.
Thanks, Maria
On 03/11/2011 06:04 PM, Maria Iano wrote:
We have red hat clustering running on the server, and the clustering processes are running as rgmanager_t. When we move a service off the server to another node, the clustering software calls a vendor script like the red hat init.d scripts, with the stop command. That vendor script calls another script which is a stop script. That stop scripts if full of kill commands - that match all running processes against various expressions and kill them.
We do have a custom policy with a bunch of allow rules but none of them allow a domain transition.
Yes, I think I have a reasonably good idea now of what is going on. The easiest solution to the constraint issue would probably be to run rgmanager_t on s0 - mcs_systemhigh.
policy_module(myrgmanager, 1.0.0)

gen_require(`
    type rgmanager_t, rgmanager_exec_t;
')

init_ranged_daemon_domain(rgmanager_t, rgmanager_exec_t, s0 - mcs_systemhigh)

make -f /usr/share/selinux/devel/Makefile myrgmanager.pp
sudo semodule -i myrgmanager.pp
(may or may not fix the mcs constraint issues)
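Added example (my own model, not code from the list or from the reference policy) of why the allow rule that sesearch found is not enough and how both fixes discussed in this thread satisfy the constraint: Dan's mcs_killall(rgmanager_t) and Dominick's s0 - mcs_systemhigh range. It assumes the RHEL5 MCS constraint on process sigkill reads (h1 dom h2) or (t1 == mcskillall), quoted from memory of policy/mcs.

```python
from dataclasses import dataclass


def parse_categories(spec):
    """Expand an MCS category list such as 'c0.c1023' or 'c0,c5.c7' to ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(".")
        hi = hi or lo
        cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
    return frozenset(cats)


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset

    @classmethod
    def parse(cls, text):  # 's0' or 's0:c0.c1023'
        sens, _, cats = text.partition(":")
        return cls(int(sens[1:]), parse_categories(cats))

    def dominates(self, other):
        """MLS 'dom': sensitivity not lower and categories a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def split_context(ctx):
    """'user:role:type:low[-high]' -> (type, high level); high = low if no range."""
    _user, _role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return typ, Level.parse(high or low)


def check_sigkill(scontext, tcontext, allow_rules, attributes):
    """Decide process:sigkill as the kernel does: AV rule, then MCS constraint.
    allow_rules: {(source_type, target_type)}; attributes: {type: set of attrs}."""
    stype, h1 = split_context(scontext)
    ttype, h2 = split_context(tcontext)
    if (stype, ttype) not in allow_rules:
        return False, "missing allow rule"
    if h1.dominates(h2):
        return True, "h1 dom h2"
    if "mcskillall" in attributes.get(stype, set()):
        return True, "t1 == mcskillall"
    return False, "constraint violation"  # what audit2why reported


# Contexts and the allow rule taken from the AVC message and sesearch output above.
SCONTEXT = "system_u:system_r:rgmanager_t:s0"
TCONTEXT = "system_u:system_r:unconfined_t:s0-s0:c0.c1023"
ALLOW = {("rgmanager_t", "unconfined_t")}

def as_reported():
    return check_sigkill(SCONTEXT, TCONTEXT, ALLOW, {})

def after_mcs_killall():  # mcs_killall(rgmanager_t) adds the mcskillall attribute
    return check_sigkill(SCONTEXT, TCONTEXT, ALLOW, {"rgmanager_t": {"mcskillall"}})

def ranged_daemon():  # rgmanager_t run on s0 - mcs_systemhigh, i.e. s0-s0:c0.c1023
    return check_sigkill(SCONTEXT + "-s0:c0.c1023", TCONTEXT, ALLOW, {})
```

The first case reproduces the denial from the thread; the other two show that either fix passes the constraint, the ranged one by giving rgmanager_t every category rather than a single attribute.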
On 03/11/2011 06:10 PM, Dominick Grift wrote:
Yes i think i have a reasonable good idea now of what is going on. The easiest solution to the constraint issue would probably be to run rgmanager_t on s0 - mcs_systemhigh.
You would need to restart rgmanager and verify (ps auxZ | grep rgmanager) that it runs on s0-s0:c0.c1023 instead of s0.
On Mar 11, 2011, at 12:12 PM, Dominick Grift wrote:
You would need to restart rgmanager and verify (ps auxZ | grep rgmanager) that it runs on s0-s0:c0.c1023 instead of s0.
When I run ps auxZ and grep for rgmanager I get 424 processes listed but rgmanager_t only occurs on the left as the context and not in the name of a process. Also none of them give me the s0 info. I've noticed that generally seems to be hidden on my system. Here's the output of one of them:
system_u:system_r:rgmanager_t root 29683 0.0 0.0 23544 5136 ? S<Ls Mar09 0:00 clurgmgrd
On 03/11/2011 06:25 PM, Maria Iano wrote:
When I run ps auxZ and grep for rgmanager I get 424 processes listed but rgmanager_t only occurs on the left as the context and not in the name of a process. Also none of them give me the s0 info. I've noticed that generally seems to be hidden on my system. Here's the output of one of them:
system_u:system_r:rgmanager_t root 29683 0.0 0.0 23544 5136 ? S<Ls Mar09 0:00 clurgmgrd
Odd. Anyway, try to reproduce that AVC denial and see if the rgmanager_t in the AVC denial says s0 or s0-s0:c0.c1023.
On Mar 11, 2011, at 11:42 AM, Daniel J Walsh wrote:
You have rgmanager sending a kill signal to a process running as unconfined_t
I would bet this process is running with the wrong domain. I don't think you want rgmanager_t sending kill signals to user processes.
What process was it trying to kill?
I'm trying to track this down and this is what I think so far. I think I was wrong previously about an ssh session being involved. Instead here is what I think is happening.
We have Red Hat clustering running on this server. We send it a command to move one of the services to a different node. Our cluster configuration tells it to call a stop script written by the vendor when stopping the cluster service. That stop script is doing something that causes that AVC error.
We are actually expecting an update to the stop script from the vendor next week because it also causes segfaults and isn't working correctly (although selinux may be part of the reason for it failing).
It's also possible that it's the Red Hat clustering itself that triggers the AVC messages when it stops the service. But I would think we would have heard of that by now if it was the case.
Thanks, Maria
On Mar 11, 2011, at 11:42 AM, Daniel J Walsh wrote:
You have rgmanager sending a kill signal to a process running as unconfined_t
I would bet this process is running with the wrong domain. I don't think you want rgmanager_t sending kill signals to user processes.
What process was it trying to kill?
The process running as rgmanager_t is calling a script written by our vendor which is a Red Hat start/stop type init.d script. This script calls another script which is full of kill commands. The script kills all processes owned by a user called ngio and all owned by a user called ccismgts. It looks up another process ID and kills it, but that process is running as rgmanager_t. It also calls some other kill scripts. It also runs an "su -" command as the user ngio which calls a command WSMSrvStop that I can't find anywhere.
If I set the init.d type script to run in a certain domain will that fix it? Or is that most likely running in the rgmanager_t domain because it was called by the cluster management software. Is it the "su -" command perhaps that causes a process to run in unconfined_t? How would I set that to run in a certain domain?