domain_kill_all_domains in login programs

domain_kill_all_domains in login programs

[Joe Nall]

There is a domain_kill_all_domains in auth_login_pgm_domain that allows sshd and other login programs to send sigkill to auditd and other system processes that were probably not intended.

For auditd, I can create domain_kill_all_domains_except and put auditd in the exception list. This still leaves processes that use auth_login_pgm_domain with the ability to kill many unrelated system processes.

Another approach is to allow login programs to only kill programs with an attribute like userdomain.

Thoughts?

joe

grep through RH policy, refpolicy is similar

find . -name \*.if -exec grep -H auth_login_pgm_domain {} \;
./policy/modules/system/authlogin.if:interface(`auth_login_pgm_domain',`
./policy/modules/services/ssh.if:	auth_login_pgm_domain($1_t)

find . -name \*.te -exec grep -H auth_login_pgm_domain {} \;
./policy/modules/system/locallogin.te:auth_login_pgm_domain(local_login_t)
./policy/modules/services/xserver.te:auth_login_pgm_domain(xdm_t)
./policy/modules/services/rshd.te:auth_login_pgm_domain(rshd_t)
./policy/modules/services/rlogin.te:auth_login_pgm_domain(rlogind_t)
./policy/modules/services/remotelogin.te:auth_login_pgm_domain(remote_login_t)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: domain_kill_all_domains in login programs

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/05/2012 11:45 AM, Joe Nall wrote:
> There is a domain_kill_all_domains in auth_login_pgm_domain that allows
> sshd and other login programs to send sigkill to auditd and other system
> processes that were probably not intended.
> 
> For auditd, I can create domain_kill_all_domains_except and put auditd in
> the exception list. This still leaves processes that use
> auth_login_pgm_domain with the ability to kill many unrelated system
> processes.
> 
> Another approach is to allow login programs to only kill programs with an
> attribute like userdomain.
> 
> Thoughts?
> 
> joe
> 
> grep through RH policy, refpolicy is similar
> 
> find . -name \*.if -exec grep -H auth_login_pgm_domain {} \; 
> ./policy/modules/system/authlogin.if:interface(`auth_login_pgm_domain',` 
> ./policy/modules/services/ssh.if:	auth_login_pgm_domain($1_t)
> 
> find . -name \*.te -exec grep -H auth_login_pgm_domain {} \; 
> ./policy/modules/system/locallogin.te:auth_login_pgm_domain(local_login_t) 
> ./policy/modules/services/xserver.te:auth_login_pgm_domain(xdm_t) 
> ./policy/modules/services/rshd.te:auth_login_pgm_domain(rshd_t) 
> ./policy/modules/services/rlogin.te:auth_login_pgm_domain(rlogind_t) 
> ./policy/modules/services/remotelogin.te:auth_login_pgm_domain(remote_login_t)
>
>  -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes
> as the message.
> 
> 


I guess the problem here is killing all domains that a user domain could
transition to.

It would be better to set this to killall application_domain_types.


application_kill_all()


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBHiWIACgkQrlYvE4MpobNr5gCg3LW8EKJYg7Zsrw9k6D3yG89j
HhYAoOlxMA/tNqPtfw3qiBBIfGgcO3df
=kglk
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.