[DSE-Dev] [refpolicy] initrc_t access to sshd /proc to adjust OOM killer

Daniel J Walsh dwalsh at redhat.com
Fri May 2 15:07:01 UTC 2008


Václav Ovsík wrote:
> Hi,
> the startup script of Open SSH server on the Debian Sid adjusts the OOM
> killer to not kill sshd in the condition of OOM. It simply does
> 
>     printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
> 
> BTW: I am not certain if this does exactly what was intended, because this
> parameter is inherited by all child processes, as one can see using the
> attached simple script.
> 
> Nevertheless I don't know how to enable such write under SE Linux. It
> triggers:
> 
> [   66.417499] type=1400 audit(1209737438.955:6): avc:  denied  { write } for  pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
> 
> I wrote attached patch, but the denial still appears.
> 
> sid:~# sesearch --allow -s initrc_t  -t sshd_t -c file 
> WARNING: This policy contained disabled aliases; they have been removed.
> Found 3 semantic av rules:
>    allow @ttr1634 @ttr2356 : file { ioctl read getattr lock }; 
>    allow initrc_t sshd_t : file { ioctl write getattr lock append }; 
>    allow initrc_t @ttr2356 : file { ioctl read getattr lock }; 
> 
> sid:~# sestatus   
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 22
> Policy from config file:        refpolicy
> sid:~# uname -a
> Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
> 
> What am I doing wrong please?
> Best Regards
> 
Run the avc messages through audit2why
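The first thing audit2why does with a denial is check whether a plain allow rule is missing. Below is an added example (not part of the thread, and not code from refpolicy or from audit2why itself) that does that half of the triage mechanically: it parses the AVC line, derives the TE rule that would grant the denied permissions, and compares it against the rules sesearch printed. The two inputs are copied from the thread; the function names are my own. Run on the thread's own denial it reports that `allow initrc_t sshd_t:file { write };` is already present, which is exactly the case where audit2why's other findings matter (a boolean, a constraint, or a loaded policy that is not the one sesearch was pointed at). It also flags that the source and target MLS ranges differ, since that is something a constraint, not an allow rule, decides.

```python
import re

# Constructed sample input: the AVC denial quoted in the thread, rejoined
# onto a single line (the mail client had wrapped it mid-field).
AVC_LINE = (
    "type=1400 audit(1209737438.955:6): avc:  denied  { write } for  pid=1600 "
    'comm="S16ssh" name="oom_adj" dev=proc ino=70952 '
    "scontext=system_u:system_r:initrc_t:s0 "
    "tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file"
)

# Constructed sample input: the three rules sesearch printed in the thread.
SESEARCH_OUTPUT = """\
allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
allow initrc_t sshd_t : file { ioctl write getattr lock append };
allow initrc_t @ttr2356 : file { ioctl read getattr lock };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]+?)\s*\}\s*;")


def split_context(ctx):
    """Split user:role:type[:range] into (type, range); range is '' if absent."""
    parts = ctx.split(":")
    return parts[2], ":".join(parts[3:])


def parse_avc(line):
    """Extract permissions, source/target types and ranges, and class."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    stype, srange = split_context(m.group("scontext"))
    ttype, trange = split_context(m.group("tcontext"))
    return {
        "perms": set(m.group("perms").split()),
        "stype": stype, "srange": srange,
        "ttype": ttype, "trange": trange,
        "tclass": m.group("tclass"),
    }


def to_allow_rule(denial):
    """The TE rule that would grant exactly the denied permissions."""
    perms = " ".join(sorted(denial["perms"]))
    return "allow %s %s:%s { %s };" % (
        denial["stype"], denial["ttype"], denial["tclass"], perms)


def parse_rules(text):
    """Parse sesearch --allow output into (source, target, class, perms)."""
    return [(s, t, c, set(p.split())) for s, t, c, p in RULE_RE.findall(text)]


def missing_perms(denial, rules):
    """Denied permissions that no listed rule grants for the exact source and
    target types. sesearch's @ttrNNNN names are anonymous attributes whose
    members are not visible here, so those rules are not credited."""
    granted = set()
    for s, t, c, perms in rules:
        if (s, t, c) == (denial["stype"], denial["ttype"], denial["tclass"]):
            granted |= perms
    return denial["perms"] - granted


def triage(line, sesearch_text):
    """Verdict: either the allow rule is missing (and which one), or it is
    already present and the denial comes from something audit2why reports
    separately (boolean, constraint, or a policy other than the one queried)."""
    denial = parse_avc(line)
    missing = missing_perms(denial, parse_rules(sesearch_text))
    if missing:
        return "missing allow rule: " + to_allow_rule(dict(denial, perms=missing))
    note = "allow rule already present"
    if denial["srange"] != denial["trange"]:
        note += "; source range %r differs from target range %r, so check constraints" % (
            denial["srange"], denial["trange"])
    return note


if __name__ == "__main__":
    print(to_allow_rule(parse_avc(AVC_LINE)))
    print(triage(AVC_LINE, SESEARCH_OUTPUT))
```

The attribute rules (`@ttr…`) are deliberately not credited, so the script errs on the side of reporting a rule as missing; when it says a rule is present, it is a direct type-to-type rule and the denial is not explained by TE alone.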