From: Daniel J Walsh <dwalsh@redhat.com>
To: "Václav Ovsík" <vaclav.ovsik@i.cz>
Cc: selinux@tycho.nsa.gov, selinux-devel@lists.alioth.debian.org,
	debian-ssh@lists.debian.org
Subject: Re: [refpolicy] initrc_t access to sshd /proc to adjust OOM killer
Date: Fri, 02 May 2008 11:07:01 -0400
Message-ID: <481B2E15.7070703@redhat.com>
In-Reply-To: <20080502143041.GA26592@bobek.pm.i.cz>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Václav Ovsík wrote:
> Hi,
> the startup script of the OpenSSH server on Debian Sid adjusts the OOM
> killer so that it does not kill sshd in an OOM condition. It simply does
> 
>     printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
> 
> BTW: I am not certain if this does exactly what was intended, because this
> parameter is inherited by all child processes, as one can see using the
> attached simple script.
> 
> Nevertheless, I don't know how to allow such a write under SELinux. It
> triggers:
> 
> [   66.417499] type=1400 audit(1209737438.955:6): avc:  denied  { write } for  pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
> 
> I wrote the attached patch, but the denial still appears.
> 
> sid:~# sesearch --allow -s initrc_t  -t sshd_t -c file 
> WARNING: This policy contained disabled aliases; they have been removed.
> Found 3 semantic av rules:
>    allow @ttr1634 @ttr2356 : file { ioctl read getattr lock }; 
>    allow initrc_t sshd_t : file { ioctl write getattr lock append }; 
>    allow initrc_t @ttr2356 : file { ioctl read getattr lock }; 
> 
> sid:~# sestatus   
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 22
> Policy from config file:        refpolicy
> sid:~# uname -a
> Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
> 
> What am I doing wrong please?
> Best Regards
> 
Run the avc messages through audit2why.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgbLhQACgkQrlYvE4MpobPWYgCeJk1o6mgpEESA92OMKdB1/cDh
SagAn3IXRfQ36jry/E6UB6K2c/rZf1G3
=y3Lj
-----END PGP SIGNATURE-----

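As an added example (not part of this thread and not the code of audit2why, audit2allow or sesearch), the following Python script does the static part of what those tools do for the denial quoted above: it parses the AVC line into source type, target type, class and permissions, parses the sesearch output into allow rules, reports which listed rules would cover the denial, and prints the minimal allow rule audit2allow would propose. The sample inputs are the denial and the sesearch listing from the thread, rejoined onto single lines; all function names are my own. Two caveats are built in: attribute names such as `@ttr2356` are compared literally, not expanded to their member types, and a covering rule in the policy file sesearch read does not prove the loaded kernel policy grants the access, which is why audit2why against the running system remains the authoritative check.

```python
import re

# Constructed sample inputs: the denial and sesearch listing quoted in the
# thread, rejoined onto single lines (the original mail wrapped them).
SAMPLE_AVC = (
    'type=1400 audit(1209737438.955:6): avc:  denied  { write } for  pid=1600 '
    'comm="S16ssh" name="oom_adj" dev=proc ino=70952 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file'
)

SAMPLE_SESEARCH = """\
WARNING: This policy contained disabled aliases; they have been removed.
Found 3 semantic av rules:
   allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
   allow initrc_t sshd_t : file { ioctl write getattr lock append };
   allow initrc_t @ttr2356 : file { ioctl read getattr lock };
"""

# "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; comm="..." and name="..." are quoted, the rest are bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# sesearch line: allow <src> <tgt> : <class> { perms };
ALLOW_RE = re.compile(
    r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*;'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:mls-range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC audit line into a dict; returns None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'tclass': fields['tclass'],
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def parse_sesearch(output):
    """Extract (src, tgt, class, perms) tuples from sesearch --allow output."""
    rules = []
    for line in output.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            rules.append((m.group('src'), m.group('tgt'), m.group('cls'),
                          set(m.group('perms').split())))
    return rules


def covering_rules(denial, rules):
    """Rules whose literal source/target/class match and that grant every denied permission.

    Attribute names (e.g. @ttr2356) are compared literally, not expanded, so a
    rule granted through an attribute will not be recognised here.
    """
    return [r for r in rules
            if r[0] == denial['stype'] and r[1] == denial['ttype']
            and r[2] == denial['tclass'] and denial['perms'] <= r[3]]


def suggest_rule(denial):
    """Minimal allow rule for the denial, in the form audit2allow would print."""
    return 'allow %s %s:%s { %s };' % (
        denial['stype'], denial['ttype'], denial['tclass'],
        ' '.join(sorted(denial['perms'])))


if __name__ == '__main__':
    d = parse_avc(SAMPLE_AVC)
    print('denial:', d)
    hits = covering_rules(d, parse_sesearch(SAMPLE_SESEARCH))
    for r in hits:
        print('covered by listed rule: allow %s %s:%s { %s };' % (r[0], r[1], r[2], ' '.join(sorted(r[3]))))
    if not hits:
        print('no listed rule covers it; audit2allow-style suggestion:', suggest_rule(d))
    print('either way, confirm against the loaded policy with: audit2why < /var/log/audit/audit.log')
```

Run as-is it reports that `allow initrc_t sshd_t : file { ... write ... }` from the sesearch listing already covers the denial, which is exactly the situation in the thread: when the text of a policy file appears to grant an access the kernel still denies, the question becomes whether that policy is the one loaded, and that is what running the messages through audit2why on the affected machine answers.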
