[DSE-Dev] [refpolicy] initrc_t access to sshd /proc to adjust OOM killer
Václav Ovsík
vaclav.ovsik at i.cz
Mon May 5 13:05:21 UTC 2008
On Fri, May 02, 2008 at 11:07:01AM -0400, Daniel J Walsh wrote:
> Václav Ovsík wrote:
> > Hi,
> > the startup script of Open SSH server on the Debian Sid adjusts the OOM
> > killer to not kill sshd in the condition of OOM. It simply does
> >
> > printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
> >
> > BTW: I am not certain if this does exactly what was intended, because this
> > parameter is inherited by all child processes, as one can see using the
> > attached simple script.
> >
> > Nevertheless I don't know how to enable such a write under SELinux. It
> > triggers:
> >
> > [ 66.417499] type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
> >
> > I wrote the attached patch, but the denial still appears.
> >
> > sid:~# sesearch --allow -s initrc_t -t sshd_t -c file
> > WARNING: This policy contained disabled aliases; they have been removed.
> > Found 3 semantic av rules:
> > allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
> > allow initrc_t sshd_t : file { ioctl write getattr lock append };
> > allow initrc_t @ttr2356 : file { ioctl read getattr lock };
> >
> > sid:~# sestatus
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: permissive
> > Mode from config file: permissive
> > Policy version: 22
> > Policy from config file: refpolicy
> > sid:~# uname -a
> > Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
> >
> > What am I doing wrong please?
> > Best Regards
> >
> Run the avc messages through audit2why
Great, I got:
[ 19.816342] type=1400 audit(1209977556.108:5): avc: denied { write } for pid=1466 comm="S16ssh" name="oom_adj" dev=proc ino=5408 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
I expected problems enabling such a thing (writing to a file with the context
of a domain). The constraints in policy/constraints etc. are rather complex.
Now I am going the way of least friction :) - to file a bug report
against openssh-server with a patch that will do the OOM adjustment in the
C code of sshd itself (like udev does).
IMO writing into /proc/N/oom_adj can be needed by an administrator
sometimes, so there should be some role capable of writing there.
Thanks
--
Zito
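The approach the reply settles on, the daemon adjusting its own OOM score from C (the way udev does) instead of an init script writing into another domain's /proc entry, as an added example that is not code from this thread, from sshd or from udev. It targets the current oom_score_adj file (the 2.6.25 kernel above only had oom_adj, range -17..15), treats the EACCES an unprivileged write gets as the expected outcome, and demonstrates the inheritance caveat raised earlier in the thread: a forked child starts with the parent's score and has to reset it itself.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Per-process OOM knob: the 2.6.25 kernel in the thread has /proc/self/oom_adj
 * (-17..15); current kernels use oom_score_adj (-1000..1000, -1000 = never picked). */
#define OOM_PATH      "/proc/self/oom_score_adj"
#define OOM_SCORE_ERR (-1001)   /* outside the valid range: the read failed */

/* Return this process's current OOM score, or OOM_SCORE_ERR. */
int oom_score_get(void)
{
    int score;
    FILE *f = fopen(OOM_PATH, "r");
    if (!f) return OOM_SCORE_ERR;
    if (fscanf(f, "%d", &score) != 1) score = OOM_SCORE_ERR;
    fclose(f);
    return score;
}

/* Set this process's own score with one write(2); 0 on success, -1 with errno.
 * Lowering the score needs CAP_SYS_RESOURCE: without it the kernel answers EACCES
 * and keeps the old value, so a daemon does this before it drops privileges.
 * Writing the current value back, or raising it, is permitted without privilege. */
int oom_score_set(int score)
{
    char buf[16];
    int n = snprintf(buf, sizeof buf, "%d", score);
    int fd = open(OOM_PATH, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, buf, (size_t)n);
    int saved = errno;
    close(fd);
    errno = saved;
    return w == n ? 0 : -1;
}

/* Demo: protect the listener; the forked worker inherits the score (the caveat
 * raised in the thread) and has to restore the previous value itself. */
int main(void)
{
    int before = oom_score_get();
    if (before == OOM_SCORE_ERR) { perror("oom_score_get"); return 1; }
    if (oom_score_set(-1000) != 0 && errno != EACCES) { perror("oom_score_set"); return 1; }
    pid_t pid = fork();
    if (pid == 0) {
        printf("child inherited score %d, restoring %d\n", oom_score_get(), before);
        oom_score_set(before);
        _exit(0);
    }
    if (pid > 0) waitpid(pid, NULL, 0);
    return 0;
}
```

Run it once as an ordinary user and once with CAP_SYS_RESOURCE to see the EACCES path and the privileged path; the child's printed score shows what a per-connection sshd worker would have inherited.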