[DSE-Dev] [refpolicy] initrc_t access to sshd /proc to adjust OOM killer
Václav Ovsík
vaclav.ovsik at i.cz
Fri May 2 14:30:42 UTC 2008
Hi,
the startup script of the OpenSSH server on Debian Sid adjusts the OOM
killer so that it does not kill sshd in an OOM condition. It simply does
printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
BTW: I am not certain if this does exactly what was intended, because this
parameter is inherited by all child processes, as one can see using the
attached simple script.
Nevertheless I don't know how to enable such a write under SELinux. It
triggers:
[ 66.417499] type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
I wrote the attached patch, but the denial still appears.
sid:~# sesearch --allow -s initrc_t -t sshd_t -c file
WARNING: This policy contained disabled aliases; they have been removed.
Found 3 semantic av rules:
allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
allow initrc_t sshd_t : file { ioctl write getattr lock append };
allow initrc_t @ttr2356 : file { ioctl read getattr lock };
sid:~# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 22
Policy from config file: refpolicy
sid:~# uname -a
Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
What am I doing wrong please?
Best Regards
--
Zito
-------------- next part --------------
#!/bin/bash
# Prefix every line of "ps axf" with that process's OOM adjustment, read
# from /proc/PID/oom_adj, so inheritance of the value across the process
# tree is visible at a glance. The ps header line gets the label "OMA".
ps axf | perl -lpe '
    my $adj = "";
    if (m/^\s*(\d+)/) {
        # first field of a process line is the PID; read its oom_adj if we can
        if ( open(my $fh, "<", "/proc/$1/oom_adj") ) {
            $adj = <$fh>;
            chomp $adj;
            close($fh);
        }
    } else {
        $adj = "OMA";   # column heading for the ps header line
    }
    $_ = sprintf("%3s %s", $adj, $_);
'
-------------- next part --------------
---
policy/modules/services/ssh.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 21 insertions(+)
Index: refpolicy-svn/policy/modules/services/ssh.if
===================================================================
--- refpolicy-svn.orig/policy/modules/services/ssh.if 2008-05-02 14:36:38.000000000 +0200
+++ refpolicy-svn/policy/modules/services/ssh.if 2008-05-02 14:37:51.000000000 +0200
@@ -626,6 +626,25 @@
########################################
## <summary>
+## Allow to write to files of ssh server under /proc
+## primarily to adjust the OOM killer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`ssh_proc_write',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:file write_file_perms;
+')
+
+########################################
+## <summary>
## Connect to SSH daemons over TCP sockets. (Deprecated)
## </summary>
## <param name="domain">
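Review bot: the interface grants only the file class (`allow $1 sshd_t:file write_file_perms;`), but reaching /proc/<pid>/oom_adj also requires search on the sshd_t-labelled /proc/<pid> directory; refpolicy's `write_files_pattern($1, sshd_t, sshd_t)` covers both in one call and is the idiom used elsewhere for a domain's /proc files. The summary "Allow to write to files of ssh server under /proc primarily to adjust the OOM killer." should be reworded in refpolicy's imperative style, e.g. "Write to the SSH server's /proc files (e.g. oom_adj).", and should say that it covers every file labelled sshd_t, not only oom_adj, since the file class cannot single out one /proc entry. Separately, the sesearch output quoted earlier in the message already shows this exact rule ("allow initrc_t sshd_t : file { ioctl write getattr lock append };") in the policy that sesearch read, so the persisting denial points to a mismatch between that policy and the one loaded in the kernel (the AVC is logged at 66 s of uptime, i.e. at boot) rather than to a missing rule; install the rebuilt policy and reload it (load_policy or reboot) before re-checking.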
Index: refpolicy-svn/policy/modules/system/init.te
===================================================================
--- refpolicy-svn.orig/policy/modules/system/init.te 2008-05-02 14:36:43.000000000 +0200
+++ refpolicy-svn/policy/modules/system/init.te 2008-05-02 14:36:43.000000000 +0200
@@ -743,6 +743,8 @@
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
+# Debian startup script adjusts OOM killer to not kill sshd.
+ ssh_proc_write(initrc_t)
')
optional_policy(`
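Review bot: the new comment line `+# Debian startup script adjusts OOM killer to not kill sshd.` is not indented to the level of the `ssh_proc_write(initrc_t)` call beneath it, and a Debian-specific grant placed unconditionally in the generic ssh optional_policy block belongs inside refpolicy's `ifdef(`distro_debian', ...)` guard so that other distributions do not inherit it. The comment should also state that the grant covers all sshd_t-labelled /proc files of the daemon, not just oom_adj, since that is what the interface actually allows.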
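As an added example (not part of the original post, and not refpolicy or audit2allow code), here is a small Python checker that parses an AVC denial like the one quoted above together with the allow lines printed by sesearch, and reports whether the denied permission is already granted by the policy sesearch read. If it is, the denial must have come from a different policy (for instance the older one still loaded in the kernel) rather than from a missing rule. The sample AVC line and sesearch lines are constructed from the text of the message; the function names (parse_avc, parse_sesearch, missing_perms, allow_rule, diagnose) are this example's own.

```python
"""Check an SELinux AVC denial against sesearch output.

Added example, not code from the original post or from refpolicy.
"""
import re

# Constructed sample input, modelled on the denial and the sesearch output
# quoted in the message; not captured from a live system.
AVC_LINE = (
    'type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 '
    'comm="S16ssh" name="oom_adj" dev=proc ino=70952 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file'
)

SESEARCH_TEXT = """\
Found 3 semantic av rules:
allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
allow initrc_t sshd_t : file { ioctl write getattr lock append };
allow initrc_t @ttr2356 : file { ioctl read getattr lock };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s*;"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial into its source type, target type, class and perms."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("no AVC denial found in: %r" % line)
    return {
        "source": context_type(m.group("scon")),
        "target": context_type(m.group("tcon")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def parse_sesearch(text):
    """Collect sesearch 'allow' lines into {(src, tgt, class): set(perms)}."""
    rules = {}
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m is None:
            continue  # headers, warnings and non-allow lines are skipped
        key = (m.group("src"), m.group("tgt"), m.group("cls"))
        rules.setdefault(key, set()).update(m.group("perms").split())
    return rules


def missing_perms(denial, rules):
    """Permissions from the denial that no matching allow rule grants.

    Only rules whose source and target are exactly the types from the denial
    count; attribute-based rules (the @ttr names above) would need the
    attribute membership, which sesearch output alone does not give.
    """
    key = (denial["source"], denial["target"], denial["tclass"])
    return denial["perms"] - rules.get(key, set())


def allow_rule(denial, perms=None):
    """Render the allow rule that would satisfy the denial (audit2allow style)."""
    perms = denial["perms"] if perms is None else perms
    return "allow %s %s:%s { %s };" % (
        denial["source"], denial["target"], denial["tclass"],
        " ".join(sorted(perms)),
    )


def diagnose(avc_line, sesearch_text):
    """One-line verdict: missing rule, or denial from a different loaded policy."""
    denial = parse_avc(avc_line)
    missing = missing_perms(denial, parse_sesearch(sesearch_text))
    if missing:
        return "policy lacks: " + allow_rule(denial, missing)
    return ("policy on disk already grants %s; the denial came from a "
            "different (probably still loaded) policy" % allow_rule(denial))


if __name__ == "__main__":
    print(diagnose(AVC_LINE, SESEARCH_TEXT))
```

Run it as-is to reproduce the verdict for the quoted denial; feed it the output of `sesearch --allow -s initrc_t -t sshd_t -c file` and a fresh AVC line from the audit log to check a new case. The "attribute rules are ignored" limitation matters in practice: a permission granted only via an attribute such as @ttr2356 will be reported as missing.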
More information about the SELinux-devel
mailing list