[DSE-Dev] [refpolicy] initrc_t access to sshd /proc to adjust OOM killer
Daniel J Walsh
dwalsh at redhat.com
Fri May 2 15:07:01 UTC 2008
Václav Ovsík wrote:
> Hi,
> the startup script of the OpenSSH server on Debian Sid adjusts the OOM
> killer so that it does not kill sshd under OOM conditions. It simply does
>
> printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
>
> BTW: I am not certain if this does exactly what was intended, because this
> parameter is inherited by all child processes, as one can see using the
> attached simple script.
>
> Nevertheless I don't know how to enable such write under SE Linux. It
> triggers:
>
> [ 66.417499] type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
>
> I wrote attached patch, but the denial still appears.
>
> sid:~# sesearch --allow -s initrc_t -t sshd_t -c file
> WARNING: This policy contained disabled aliases; they have been removed.
> Found 3 semantic av rules:
> allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
> allow initrc_t sshd_t : file { ioctl write getattr lock append };
> allow initrc_t @ttr2356 : file { ioctl read getattr lock };
>
> sid:~# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 22
> Policy from config file: refpolicy
> sid:~# uname -a
> Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
>
> What am I doing wrong please?
> Best Regards
>
Run the avc messages through audit2why
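As an added example (not from the thread or from Debian), a small Python helper that parses an AVC denial like the one quoted above, splits the MLS range out of each context, and reports whether a plain allow rule is missing or, when sesearch already shows one for the requested permission, flags that the cause lies elsewhere (constraints or booleans, which is what audit2why reports). The sample line is the thread's denial re-joined onto one line; the range-mismatch heuristic is an assumption of this example, not a rule audit2why applies.

```python
import re

# Constructed sample: the AVC denial from the thread, re-joined onto one line.
SAMPLE_AVC = (
    'type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 '
    'comm="S16ssh" name="oom_adj" dev=proc ino=70952 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file'
)

# Captures the denied permissions and the three fields audit2why needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict with perms (list), scontext, tcontext, tclass, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    return d

def split_context(ctx):
    """user:role:type[:mls]; the MLS range may itself contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(':', 3)
    user, role, type_ = parts[:3]
    return {'user': user, 'role': role, 'type': type_,
            'mls': parts[3] if len(parts) > 3 else None}

def diagnose(line, allowed_perms):
    """allowed_perms: permissions an existing allow rule grants (e.g. from sesearch).
    Distinguish a missing allow rule from a denial an allow rule cannot fix."""
    d = parse_avc(line)
    if d is None:
        return 'not an AVC denial'
    src, tgt = split_context(d['scontext']), split_context(d['tcontext'])
    missing = [p for p in d['perms'] if p not in allowed_perms]
    if missing:
        return 'missing allow: %s %s:%s { %s };' % (
            src['type'], tgt['type'], d['tclass'], ' '.join(missing))
    if src['mls'] != tgt['mls']:
        # Assumed heuristic: differing MLS ranges point at a constraint, not a missing rule.
        return ('allow rule present; source range %s != target range %s, '
                'check constraints with audit2why' % (src['mls'], tgt['mls']))
    return 'allow rule present; check constraints/booleans with audit2why'

if __name__ == '__main__':
    print(diagnose(SAMPLE_AVC, ['ioctl', 'write', 'getattr', 'lock', 'append']))
```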