[DSE-Dev] [refpolicy] initrc_t access to sshd /proc to adjust OOM killer

Daniel J Walsh dwalsh at redhat.com
Mon May 5 16:50:22 UTC 2008



Václav Ovsík wrote:
> On Fri, May 02, 2008 at 11:07:01AM -0400, Daniel J Walsh wrote:
>> Václav Ovsík wrote:
>>> Hi,
>>> the startup script of the OpenSSH server on Debian Sid adjusts the OOM
>>> killer to not kill sshd in an OOM condition. It simply does
>>>
>>>     printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
>>>
>>> BTW: I am not certain if this does exactly what was intended, because this
>>> parameter is inherited by all child processes, as one can see using the
>>> attached simple script.
>>>
>>> Nevertheless I don't know how to enable such write under SE Linux. It
>>> triggers:
>>>
>>> [   66.417499] type=1400 audit(1209737438.955:6): avc:  denied  { write } for  pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
>>>
>>> I wrote the attached patch, but the denial still appears.
>>>
>>> sid:~# sesearch --allow -s initrc_t  -t sshd_t -c file 
>>> WARNING: This policy contained disabled aliases; they have been removed.
>>> Found 3 semantic av rules:
>>>    allow @ttr1634 @ttr2356 : file { ioctl read getattr lock }; 
>>>    allow initrc_t sshd_t : file { ioctl write getattr lock append }; 
>>>    allow initrc_t @ttr2356 : file { ioctl read getattr lock }; 
>>>
>>> sid:~# sestatus   
>>> SELinux status:                 enabled
>>> SELinuxfs mount:                /selinux
>>> Current mode:                   permissive
>>> Mode from config file:          permissive
>>> Policy version:                 22
>>> Policy from config file:        refpolicy
>>> sid:~# uname -a
>>> Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
>>>
>>> What am I doing wrong please?
>>> Best Regards
>>>
>> Run the avc messages through audit2why
> 
> Great, I got:
> 
> [   19.816342] type=1400 audit(1209977556.108:5): avc:  denied  { write } for  pid=1466 comm="S16ssh" name="oom_adj" dev=proc ino=5408 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
> 
>         Was caused by:
>                 Policy constraint violation.
> 
>                 May require adding a type attribute to the domain or type to satisfy the constraint.
> 
>                 Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
> 
> 
> I expected problems enabling such a thing (writing to a file with the
> context of a domain). The constraints in policy/constraints etc. are rather
> complex. Now I am going the way of least friction :) - to file a bug report
> against openssh-server with a patch that will do the OOM adjustment in the
> C code of sshd itself (like udev does).
> 
> IMO writing into /proc/N/oom_adj can be needed by an administrator
> sometimes, so there should be some role capable of writing there.
> 
> Thanks

The problem is that initrc_t is running at s0 and you are trying to
communicate with s0-s0:c0.c1024.  I think at reboot this would work.
Strange that you are logging in at s0?
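An added example, not code from the thread, from refpolicy or from audit2why: a small Python checker that parses the AVC record quoted above and reproduces the diagnosis given in this reply by comparing the MLS/MCS ranges of scontext and tcontext. It assumes the MCS write constraint has the shape used in refpolicy's policy/mcs (the source's high level must dominate the target's high level); the first sample is the denial from the thread, the second is a constructed control case in which initrc_t runs at the full category range.

```python
import re

# Denial quoted in the thread (the record audit2why was run over).
DENIAL_FROM_THREAD = (
    'type=1400 audit(1209977556.108:5): avc:  denied  { write } for  pid=1466 '
    'comm="S16ssh" name="oom_adj" dev=proc ino=5408 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file'
)

# Constructed control case: the same denial, but with the init script running
# at s0-s0:c0.c1023, so the MCS dominance check would pass.
DENIAL_CONSTRUCTED_OK = DENIAL_FROM_THREAD.replace(
    'scontext=system_u:system_r:initrc_t:s0 ',
    'scontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 ')

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Permissions that the MCS file constraint treats as write-like (assumption
# based on refpolicy's policy/mcs; check the tree you are actually running).
WRITE_LIKE = frozenset({'write', 'append', 'setattr', 'unlink', 'link',
                        'rename', 'relabelfrom', 'relabelto'})


def parse_avc(line):
    """Extract permissions, contexts and object class from one AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    fields = m.groupdict()
    fields['perms'] = frozenset(fields['perms'].split())
    return fields


def parse_categories(spec):
    """'c0.c1023' -> {0..1023}; 'c1,c3.c5' -> {1,3,4,5}; '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(',')):
        if '.' in part:
            lo, hi = part.split('.')
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(level):
    """'s0:c0.c1023' -> (0, {0..1023}); 's0' -> (0, empty set)."""
    sens, _, cats = level.partition(':')
    return int(sens[1:]), parse_categories(cats)


def parse_range(rng):
    """'s0-s0:c0.c1023' -> (low, high); a single level 's0' -> (low, low)."""
    low, _, high = rng.partition('-')
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)


def split_context(ctx):
    """user:role:type:range -> (user, role, type, (low, high))."""
    user, role, typ, rng = ctx.split(':', 3)
    return user, role, typ, parse_range(rng)


def dominates(a, b):
    """MLS dominance: a dominates b iff sensitivity >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def fmt_level(level):
    sens, cats = level
    if not cats:
        return 's%d' % sens
    return 's%d:%d categories' % (sens, len(cats))


def explain_mcs(avc):
    """Return why the MCS constraint would reject this access, or None if the
    levels are fine (in which case look at allow rules, not constraints)."""
    _, _, stype, (_, s_high) = split_context(avc['scontext'])
    _, _, ttype, (_, t_high) = split_context(avc['tcontext'])
    if avc['perms'] & WRITE_LIKE and not dominates(s_high, t_high):
        missing = len(t_high[1] - s_high[1])
        return ('%s high level %s does not dominate %s high level %s '
                '(%d categories missing); an allow rule alone cannot grant this'
                % (stype, fmt_level(s_high), ttype, fmt_level(t_high), missing))
    return None


if __name__ == '__main__':
    for line in (DENIAL_FROM_THREAD, DENIAL_CONSTRUCTED_OK):
        print(explain_mcs(parse_avc(line)) or 'levels dominate; check allow rules')
```

Run it on a denial pasted from dmesg or audit.log: when it reports missing categories, the fix is a matter of the range the source domain runs at (as the reply above notes, a reboot changes that for init scripts), not of adding `allow` rules to the policy.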