* [refpolicy] initrc_t access to sshd /proc to adjust OOM killer
From: Václav Ovsík @ 2008-05-02 14:30 UTC (permalink / raw)
To: selinux, selinux-devel; +Cc: debian-ssh
[-- Attachment #1: Type: text/plain, Size: 1508 bytes --]
Hi,
the startup script of the OpenSSH server on Debian Sid adjusts the OOM
killer so that it does not kill sshd under OOM conditions. It simply does
printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
BTW: I am not certain this does exactly what was intended, because this
parameter is inherited by all child processes, as one can see using the
attached simple script.
Nevertheless, I don't know how to enable such a write under SELinux. It
triggers:
[ 66.417499] type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
I wrote the attached patch, but the denial still appears.
sid:~# sesearch --allow -s initrc_t -t sshd_t -c file
WARNING: This policy contained disabled aliases; they have been removed.
Found 3 semantic av rules:
allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
allow initrc_t sshd_t : file { ioctl write getattr lock append };
allow initrc_t @ttr2356 : file { ioctl read getattr lock };
sid:~# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 22
Policy from config file: refpolicy
sid:~# uname -a
Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
What am I doing wrong please?
Best Regards
--
Zito
[-- Attachment #2: ps_oom_adj --]
[-- Type: text/plain, Size: 251 bytes --]
#!/bin/bash
ps axf|perl -lpe '
my $adj = "";
if (m/^\s*(\d+)/) {
if ( open(my $fh, "<", "/proc/$1/oom_adj") ) {
$adj = <$fh>;
chomp $adj;
close($fh);
}
} else {
$adj = "OMA";
}
$_ = sprintf("%3s %s", $adj, $_);
'
[-- Attachment #3: ssh-oom-adj --]
[-- Type: text/plain, Size: 1485 bytes --]
---
policy/modules/services/ssh.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 21 insertions(+)
Index: refpolicy-svn/policy/modules/services/ssh.if
===================================================================
--- refpolicy-svn.orig/policy/modules/services/ssh.if 2008-05-02 14:36:38.000000000 +0200
+++ refpolicy-svn/policy/modules/services/ssh.if 2008-05-02 14:37:51.000000000 +0200
@@ -626,6 +626,25 @@
########################################
## <summary>
+## Allow to write to files of ssh server under /proc
+## primarily to adjust the OOM killer.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`ssh_proc_write',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:file write_file_perms;
+')
+
+########################################
+## <summary>
## Connect to SSH daemons over TCP sockets. (Deprecated)
## </summary>
## <param name="domain">
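Review bot: `allow $1 sshd_t:file write_file_perms;` grants much more than the summary's "write to files of ssh server under /proc primarily to adjust the OOM killer": a process's /proc/<pid> entries carry the process domain as their type, so this lets the caller write and append to every file labeled sshd_t (the sesearch output earlier in the mail shows the macro expanding to `{ ioctl write getattr lock append }`), not just oom_adj. Either state that real scope in the summary or explain there that no narrower label for the oom_adj entry exists in this policy. Two smaller points in the same hunk: the summary wording should read "Allow writing to the SSH server's files under /proc, primarily to adjust the OOM killer", and the new interface is spliced in between the existing `########` banner plus `## <summary>` line and the summary text of the deprecated "Connect to SSH daemons over TCP sockets" interface, which leaves that interface's doc header split around the new block; insert the whole new interface, banner included, above the existing banner so each interface's comment block stays contiguous.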
Index: refpolicy-svn/policy/modules/system/init.te
===================================================================
--- refpolicy-svn.orig/policy/modules/system/init.te 2008-05-02 14:36:43.000000000 +0200
+++ refpolicy-svn/policy/modules/system/init.te 2008-05-02 14:36:43.000000000 +0200
@@ -743,6 +743,8 @@
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
+# Debian startup script adjusts OOM killer to not kill sshd.
+ ssh_proc_write(initrc_t)
')
optional_policy(`
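Review bot: the comment added here says the access is for the Debian startup script, yet `ssh_proc_write(initrc_t)` is called unconditionally for every distribution; wrap the call in refpolicy's `ifdef(`distro_debian',` ... `')` inside the optional_policy block so other builds do not pick up the extra write access. The `+# Debian startup script ...` comment is also unindented while the call keeps the block's tab indent; indent it to match. Finally, the sesearch output earlier in the mail already lists `allow initrc_t sshd_t : file { ioctl write getattr lock append }` in the loaded policy, so this hunk is taking effect and the denial that persists is not a missing allow rule; the constraint side of the policy needs to be checked before widening type-enforcement rules further.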
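As an added example, not the Debian init script and not sshd or udev code, the following Python demonstrates on a live Linux /proc the inheritance Václav observed with his ps_oom_adj script: raise the current process's OOM adjustment, fork, and read the value back on both sides. It goes slightly beyond the thread in that it tries the modern `oom_score_adj` knob (range -1000..1000) first and falls back to the 2008-era `oom_adj` (range -17..15). It raises rather than lowers the value because raising needs no privilege, while lowering below the current value needs CAP_SYS_RESOURCE; where /proc or fork() is unavailable it returns None instead of failing. The demo values 300 and 5 are arbitrary choices of mine.

```python
"""Added example (not the Debian init script, not sshd or udev code): show on a
live Linux /proc that the OOM adjustment is inherited across fork(), which is
why tuning the sshd listener's /proc/<pid>/oom_adj also shields every session
process sshd later forks, and why a daemon that tunes itself before forking
(the udev-style approach mentioned in the thread) gets the same inheritance.

Assumptions: a Linux /proc; oom_score_adj (-1000..1000) is tried first and the
2008-era oom_adj (-17..15) only as a fallback; the demo raises the value, which
needs no privilege, because lowering below the current value needs
CAP_SYS_RESOURCE. Without /proc or fork() the demo reports None.
"""
import os

KNOBS = (("oom_score_adj", 300), ("oom_adj", 5))   # (file, arbitrary demo value)


def oom_knob(pid="self"):
    """Return (path, demo value) for the first OOM knob this kernel offers, or None."""
    for name, value in KNOBS:
        path = "/proc/%s/%s" % (pid, name)
        if os.path.exists(path):
            return path, value
    return None


def read_adj(path):
    with open(path) as fh:
        return int(fh.read().strip())


def write_adj(path, value):
    """Write the knob; False when the kernel refuses (EACCES: lowering without
    CAP_SYS_RESOURCE, EINVAL: value out of range)."""
    try:
        with open(path, "w") as fh:
            fh.write(str(value))
        return True
    except OSError:
        return False


def child_inherits():
    """Raise our own adjustment, fork, and return (parent_adj, child_adj) as
    read from /proc/self on each side; None if the knob cannot be exercised."""
    knob = oom_knob()
    if knob is None:
        return None
    path, value = knob
    if read_adj(path) != value and not write_adj(path, value):
        return None
    r, w = os.pipe()
    try:
        pid = os.fork()
    except OSError:
        os.close(r)
        os.close(w)
        return None
    if pid == 0:                      # child: /proc/self now refers to the child
        os.close(r)
        os.write(w, str(read_adj(path)).encode())
        os._exit(0)
    os.close(w)
    data = b""
    while True:
        chunk = os.read(r, 64)
        if not chunk:
            break
        data += chunk
    os.close(r)
    os.waitpid(pid, 0)
    return read_adj(path), int(data)


if __name__ == "__main__":
    print(child_inherits())           # e.g. (300, 300) on a current Linux kernel
```

The practical consequence is the one Václav hints at: an init script that writes the listener's oom_adj protects every later sshd session child too, including the user's shell, unless those children (or sshd itself, as the later patch idea proposes) reset the value for themselves.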
* Re: [refpolicy] initrc_t access to sshd /proc to adjust OOM killer
From: Daniel J Walsh @ 2008-05-02 15:07 UTC (permalink / raw)
To: Václav Ovsík; +Cc: selinux, selinux-devel, debian-ssh
Václav Ovsík wrote:
> Hi,
> the startup script of the OpenSSH server on Debian Sid adjusts the OOM
> killer so that it does not kill sshd under OOM conditions. It simply does
>
> printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
>
> BTW: I am not certain this does exactly what was intended, because this
> parameter is inherited by all child processes, as one can see using the
> attached simple script.
>
> Nevertheless, I don't know how to enable such a write under SELinux. It
> triggers:
>
> [ 66.417499] type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
>
> I wrote the attached patch, but the denial still appears.
>
> sid:~# sesearch --allow -s initrc_t -t sshd_t -c file
> WARNING: This policy contained disabled aliases; they have been removed.
> Found 3 semantic av rules:
> allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
> allow initrc_t sshd_t : file { ioctl write getattr lock append };
> allow initrc_t @ttr2356 : file { ioctl read getattr lock };
>
> sid:~# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 22
> Policy from config file: refpolicy
> sid:~# uname -a
> Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
>
> What am I doing wrong please?
> Best Regards
>
Run the avc messages through audit2why
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [refpolicy] initrc_t access to sshd /proc to adjust OOM killer
From: Václav Ovsík @ 2008-05-05 13:05 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux, selinux-devel, debian-ssh
On Fri, May 02, 2008 at 11:07:01AM -0400, Daniel J Walsh wrote:
> Václav Ovsík wrote:
> > Hi,
> > the startup script of the OpenSSH server on Debian Sid adjusts the OOM
> > killer so that it does not kill sshd under OOM conditions. It simply does
> >
> > printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
> >
> > BTW: I am not certain this does exactly what was intended, because this
> > parameter is inherited by all child processes, as one can see using the
> > attached simple script.
> >
> > Nevertheless, I don't know how to enable such a write under SELinux. It
> > triggers:
> >
> > [ 66.417499] type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
> >
> > I wrote the attached patch, but the denial still appears.
> >
> > sid:~# sesearch --allow -s initrc_t -t sshd_t -c file
> > WARNING: This policy contained disabled aliases; they have been removed.
> > Found 3 semantic av rules:
> > allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
> > allow initrc_t sshd_t : file { ioctl write getattr lock append };
> > allow initrc_t @ttr2356 : file { ioctl read getattr lock };
> >
> > sid:~# sestatus
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: permissive
> > Mode from config file: permissive
> > Policy version: 22
> > Policy from config file: refpolicy
> > sid:~# uname -a
> > Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
> >
> > What am I doing wrong please?
> > Best Regards
> >
> Run the avc messages through audit2why
Great, I got:
[ 19.816342] type=1400 audit(1209977556.108:5): avc: denied { write } for pid=1466 comm="S16ssh" name="oom_adj" dev=proc ino=5408 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
I expected problems enabling such a thing (writing to a file with the context
of a domain). The constraints in policy/constraints etc. are rather complex.
Now I am going the way of least friction :) - to file a bug report
against openssh-server with a patch that will do the OOM adjustment in the
C code by sshd itself (like udev does).
IMO writing into /proc/N/oom_adj can be needed by an administrator
sometimes, so there should be some role capable of writing there.
Thanks
--
Zito
* Re: [refpolicy] initrc_t access to sshd /proc to adjust OOM killer
From: Daniel J Walsh @ 2008-05-05 16:50 UTC (permalink / raw)
To: Václav Ovsík; +Cc: selinux, selinux-devel, debian-ssh
Václav Ovsík wrote:
> On Fri, May 02, 2008 at 11:07:01AM -0400, Daniel J Walsh wrote:
>> Václav Ovsík wrote:
>>> Hi,
>>> the startup script of the OpenSSH server on Debian Sid adjusts the OOM
>>> killer so that it does not kill sshd under OOM conditions. It simply does
>>>
>>> printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
>>>
>>> BTW: I am not certain this does exactly what was intended, because this
>>> parameter is inherited by all child processes, as one can see using the
>>> attached simple script.
>>>
>>> Nevertheless, I don't know how to enable such a write under SELinux. It
>>> triggers:
>>>
>>> [ 66.417499] type=1400 audit(1209737438.955:6): avc: denied { write } for pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
>>>
>>> I wrote the attached patch, but the denial still appears.
>>>
>>> sid:~# sesearch --allow -s initrc_t -t sshd_t -c file
>>> WARNING: This policy contained disabled aliases; they have been removed.
>>> Found 3 semantic av rules:
>>> allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
>>> allow initrc_t sshd_t : file { ioctl write getattr lock append };
>>> allow initrc_t @ttr2356 : file { ioctl read getattr lock };
>>>
>>> sid:~# sestatus
>>> SELinux status: enabled
>>> SELinuxfs mount: /selinux
>>> Current mode: permissive
>>> Mode from config file: permissive
>>> Policy version: 22
>>> Policy from config file: refpolicy
>>> sid:~# uname -a
>>> Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
>>>
>>> What am I doing wrong please?
>>> Best Regards
>>>
>> Run the avc messages through audit2why
>
> Great, I got:
>
> [ 19.816342] type=1400 audit(1209977556.108:5): avc: denied { write } for pid=1466 comm="S16ssh" name="oom_adj" dev=proc ino=5408 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
>
> Was caused by:
> Policy constraint violation.
>
> May require adding a type attribute to the domain or type to satisfy the constraint.
>
> Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
>
>
> I expected problems enabling such a thing (writing to a file with the context
> of a domain). The constraints in policy/constraints etc. are rather complex.
> Now I am going the way of least friction :) - to file a bug report
> against openssh-server with a patch that will do the OOM adjustment in the
> C code by sshd itself (like udev does).
>
> IMO writing into /proc/N/oom_adj can be needed by an administrator
> sometimes, so there should be some role capable of writing there.
>
> Thanks
The problem is that initrc_t is running at s0 and you are trying to
communicate with s0-s0:c0.c1024. I think at reboot this would work.
Strange that you are logging in at s0?
* Re: [refpolicy] initrc_t access to sshd /proc to adjust OOM killer
From: Václav Ovsík @ 2008-05-06 14:04 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux, selinux-devel, debian-ssh
On Mon, May 05, 2008 at 12:50:22PM -0400, Daniel J Walsh wrote:
...
> Václav Ovsík wrote:
...
> > Great, I got:
> >
> > [ 19.816342] type=1400 audit(1209977556.108:5): avc: denied { write } for pid=1466 comm="S16ssh" name="oom_adj" dev=proc ino=5408 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
> >
> > Was caused by:
> > Policy constraint violation.
> >
> > May require adding a type attribute to the domain or type to satisfy the constraint.
> >
> > Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
> >
> >
> > I expected problems enabling such a thing (writing to a file with the context
> > of a domain). The constraints in policy/constraints etc. are rather complex.
> > Now I am going the way of least friction :) - to file a bug report
> > against openssh-server with a patch that will do the OOM adjustment in the
> > C code by sshd itself (like udev does).
> >
> > IMO writing into /proc/N/oom_adj can be needed by an administrator
> > sometimes, so there should be some role capable of writing there.
> >
> > Thanks
>
> The problem is that initrc_t is running at s0 and you are trying to
> communicate with s0-s0:c0.c1024. I think at reboot this would work.
> Strange that you are logging in at s0?
...
Yes, you are right! I ssh'd to the machine and then ran
newrole -r sysadm_r from an account with the default MLS level, s0.

sid:~# semanage login -l

Login Name          SELinux User        MLS/MCS Range

__default__         user_u              s0
root                root                s0-s0:c0.c1023
system_u            system_u            s0-s0:c0.c1023
zito                staff_u             s0

When I log in directly on the console as root, I have the context
root:sysadm_r:sysadm_t:s0-s0:c0.c1023, and after adding the TE rule:
allow sysadm_t sshd_t:file write_file_perms;
the operation
echo 0 >/proc/$(</var/run/sshd.pid )/oom_adj
was quiet! The operation in the boot sshd startup script in domain initrc_t
also has level s0 only. I must learn more about MLS and play with it
a bit.
Thanks for the reply.
--
Zito
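The diagnosis above (an allow rule that is present, yet a denial that audit2why attributes to a constraint) can be reproduced offline. The following Python is an added example, not code from the thread, from refpolicy or from the SELinux userspace: it parses the AVC denial quoted in the thread, evaluates the type-enforcement allow vector against the sesearch output from the first mail, and then applies an MCS range check of the form `(( h1 dom h2 ) or ( t1 == mcswriteall ))`, which is my recollection of the file-write constraint in refpolicy's policy/mcs and should be checked against the policy/mcs file in your own tree. The `dom` operator (same or higher sensitivity, superset of categories) is the standard MLS definition. Run stand-alone it prints why initrc_t at s0 is denied and why sysadm_t at s0-s0:c0.c1023 from the console is not.

```python
"""Added example (not thread, refpolicy or SELinux userspace code): decide an
AVC denial in the same two stages as the security server, first the
type-enforcement allow vector, then the constraint, to show why initrc_t at s0
cannot write sshd_t's /proc/<pid>/oom_adj at s0-s0:c0.c1023.

Assumption (my recollection of refpolicy's policy/mcs; verify in your tree):
    mlsconstrain file { write setattr append unlink link rename }
        (( h1 dom h2 ) or ( t1 == mcswriteall ));
"""
import re
from dataclasses import dataclass

# The denial from the thread, and the sesearch output from the first mail
# expressed as (source type, target type, class, permission).
DENIAL = ('[ 19.816342] type=1400 audit(1209977556.108:5): avc: denied { write } for '
          'pid=1466 comm="S16ssh" name="oom_adj" dev=proc ino=5408 '
          'scontext=system_u:system_r:initrc_t:s0 '
          'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file')
ALLOW_RULES = {("initrc_t", "sshd_t", "file", p)
               for p in "ioctl write getattr lock append".split()}
MCS_WRITE_OPS = {"write", "setattr", "append", "unlink", "link", "rename"}  # assumed

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dom(self, other):
        """l1 dom l2: sensitivity not lower and categories a superset."""
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text):
    """'s0', 's0:c0.c1023' or 's1:c2,c5.c7' -> Level."""
    sens, _, cats = text.partition(":")
    found = set()
    for piece in filter(None, cats.split(",")):
        lo, _, hi = piece.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        found.update(range(lo_n, hi_n + 1))
    return Level(int(sens[1:]), frozenset(found))


def parse_context(ctx):
    """'user:role:type:low[-high]' -> dict; a bare level means low == high."""
    user, role, typ, rng = ctx.split(":", 3)
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return {"user": user, "role": role, "type": typ,
            "low": lo, "high": parse_level(high) if high else lo}


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return {"perms": m.group("perms").split(), "tclass": fields["tclass"],
            "scontext": parse_context(fields["scontext"]),
            "tcontext": parse_context(fields["tcontext"]), "fields": fields}


def fmt(level):
    """Compact display of a level whose categories form one contiguous run."""
    if not level.cats:
        return "s%d" % level.sens
    return "s%d:c%d.c%d" % (level.sens, min(level.cats), max(level.cats))


def mcs_file_write_ok(subj, obj, subj_attrs=frozenset()):
    """(( h1 dom h2 ) or ( t1 == mcswriteall )), the assumed constraint."""
    return subj["high"].dom(obj["high"]) or "mcswriteall" in subj_attrs


def decide(line, allow_rules=ALLOW_RULES, subj_attrs=frozenset()):
    d = parse_avc(line)
    s, t = d["scontext"], d["tcontext"]
    missing = [p for p in d["perms"]
               if (s["type"], t["type"], d["tclass"], p) not in allow_rules]
    if missing:
        return "denied: no allow rule for " + " ".join(missing)
    if (d["tclass"] == "file" and MCS_WRITE_OPS & set(d["perms"])
            and not mcs_file_write_ok(s, t, subj_attrs)):
        return ("denied: MCS constraint, h1=%s does not dominate h2=%s"
                % (fmt(s["high"]), fmt(t["high"])))
    return "allowed"


if __name__ == "__main__":
    print(decide(DENIAL))                       # init script at s0
    console = DENIAL.replace("scontext=system_u:system_r:initrc_t:s0",
                             "scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023")
    print(decide(console, ALLOW_RULES | {("sysadm_t", "sshd_t", "file", "write")}))
```

The check mirrors what the thread found by trial: the allow rule is satisfied, but the subject's high level s0 carries no categories, so it cannot dominate the object's high level s0:c0.c1023, while a console root session at s0-s0:c0.c1023 passes. The two ways out that the check makes visible are giving initrc_t the full MCS range at boot (what Dan expects after a reboot) or giving the writing domain the `mcswriteall` attribute; both are policy decisions with a wider blast radius than the single oom_adj write, which is the argument for moving the adjustment into sshd itself.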