Bug 811334

Summary: SELinux constraint is preventing systemd-logind from killing unconfined_t, unconfined_execmem_t
Product: [Fedora] Fedora Reporter: Jonathan Abbey <jonabbey>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 16CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.10.0-84.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-26 03:53:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
A policy te file that I created to permit systemd_login_t to signal/kill processes started by users.
none
Limited te file that shows the constraint warnings
none
AVC, SYSCALL entries for systemd-logind errors
none
Fixed version of our custom policy none

Description Jonathan Abbey 2012-04-10 18:08:02 UTC
Created attachment 576539 [details]
A policy te file that I created to permit systemd_login_t to signal/kill processes started by users.

Description of problem:

We're trying to use pam_systemd's kill-session-processes option to kill any processes started by a user when the user logs out.

We created a custom policy (attached) to permit process type systemd_logind_t
to signal and kill a variety of processes that our users are running, but
attempts to allow systemd_logind_t to send sigkill to unconfined_t and
unconfined_execmec_t are failing due to a constraint error when I run
audit2allow / semodule -i.

Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-80.fc16.noarch
selinux-policy-targeted-3.10.0-80.fc16.noarch
systemd-37-17.fc16.x86_64

It seems that there may be two bugs here.  First, that the default targeted policy does not allow systemd_logind_t to signal / kill most processes that can be started by a user, and second that there is a policy constraint which prevents me from creating a policy to do this myself.

Comment 1 Jonathan Abbey 2012-04-10 18:17:33 UTC
Incidentally, the reason why this policy includes permission for systemd_logind_t to kill processes of type sshd_t is that we're using the FreeNX server, and our use of pam_systemd appears to be causing the sshd_t child processes triggered by the ssh to authenticated-user@localhost performed by the nx user on an NX connection to be part of authenticated-user's process cgroup that systemd_login_t tries to kill.

I'm not sure that's proper behavior there, but that's why those otherwise strange lines are in our systemd_killer.te file.

Comment 2 Jonathan Abbey 2012-04-10 18:21:06 UTC
Created attachment 576542 [details]
Limited te file that shows the constraint warnings

This mypol.te file shows the constraint warnings that we get from running audit2allow on our most recent systemd_login_t -> unconfined_t, systemd_login_t -> unconfined_execmem_t AVC denials for sigkill.

Comment 3 Jonathan Abbey 2012-04-10 18:22:08 UTC
Comment on attachment 576539 [details]
A policy te file that I created to permit systemd_login_t to signal/kill processes started by users.

Fixed MIME type on textual policy file.

Comment 4 Daniel Walsh 2012-04-10 18:38:57 UTC
Can  you send us the auditlogs that you are being blocked by constraints.

Comment 5 Daniel Walsh 2012-04-10 18:48:07 UTC
I am adding 

userdom_signal_users(systemd_logind_t)
userdom_signull_users(systemd_logind_t)
userdom_kill_all_users(systemd_logind_t)
application_signal(systemd_logind_t)
application_signull(systemd_logind_t)
application_sigkill(systemd_logind_t)

to F17.

Which should handle most of these.

Comment 6 Jonathan Abbey 2012-04-10 19:09:12 UTC
Created attachment 576561 [details]
AVC, SYSCALL entries for systemd-logind errors

Sure, here you go.

Comment 7 Jonathan Abbey 2012-04-10 19:44:09 UTC
Created attachment 576573 [details]
Fixed version of our custom policy

Okay, it looks like some of those macros aren't defined in F16, but from reading /usr/share/selinux/devel/include/system/application.if and /usr/share/selinux/devel/include/system/userdomain.if, it looks like this revised version of our policy does the right magic with attributes to do what we want.

Thanks!

Comment 8 Daniel Walsh 2012-04-10 20:11:53 UTC
Yes I added the missing interfaces to F17, and I am sure Miroslav will back port them to F16.

Comment 9 Miroslav Grepl 2012-04-11 07:37:21 UTC
Backported.

Comment 10 Fedora Update System 2012-04-18 12:56:08 UTC
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 11 Fedora Update System 2012-04-22 03:38:31 UTC
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Jonathan Abbey 2012-04-24 13:46:10 UTC
I'm still getting an AVC denied as followed:

type=AVC msg=audit(1335216458.579:11168): avc:  denied  { sigkill } for  pid=1489 comm="systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

after applying the update to selinux-policy-3.10.0-84.fc16.

When I run audit2allow on this, I get

#============= systemd_logind_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Constraint rule: 
allow systemd_logind_t unconfined_t:process sigkill;

Comment 13 Daniel Walsh 2012-04-24 15:37:42 UTC
Add a local policy containing 

mcs_killall(systemd_logind_t)

Should fix that problem.

Comment 14 Jonathan Abbey 2012-04-24 17:37:19 UTC
Okay, I've put a custom policy module in for that, and it seemed happy with that macro.

If I see any more AVC problems I'll report back, but things look good for now.

Comment 15 Daniel Walsh 2012-04-24 18:17:36 UTC
I added the fix for F17 selinux-policy-3.10.0-119.fc17.noarch

Comment 16 Miroslav Grepl 2012-06-22 14:26:54 UTC
Fixed in selinux-policy-3.10.0-90.fc16

Comment 17 Fedora Update System 2012-07-02 08:47:43 UTC
selinux-policy-3.10.0-90.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-90.fc16

Comment 18 Fedora Update System 2012-07-03 15:49:37 UTC
Package selinux-policy-3.10.0-90.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-90.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10203/selinux-policy-3.10.0-90.fc16
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2012-07-26 03:53:09 UTC
selinux-policy-3.10.0-90.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.