Bug 811334
| Summary: | SELinux constraint is preventing systemd-logind from killing unconfined_t, unconfined_execmem_t | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jonathan Abbey <jonabbey> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.10.0-84.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-07-26 03:53:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Attachments: | |||
Incidentally, the reason why this policy includes permission for systemd_logind_t to kill processes of type sshd_t is that we're using the FreeNX server, and our use of pam_systemd appears to be causing the sshd_t child processes triggered by the ssh to authenticated-user@localhost performed by the nx user on an NX connection to be part of authenticated-user's process cgroup that systemd_login_t tries to kill. I'm not sure that's proper behavior there, but that's why those otherwise strange lines are in our systemd_killer.te file. Created attachment 576542 [details]
Limited te file that shows the constraint warnings
This mypol.te file shows the constraint warnings that we get from running audit2allow on our most recent systemd_login_t -> unconfined_t, systemd_login_t -> unconfined_execmem_t AVC denials for sigkill.
Comment on attachment 576539 [details]
A policy te file that I created to permit systemd_login_t to signal/kill processes started by users.
Fixed MIME type on textual policy file.
Can you send us the auditlogs that you are being blocked by constraints. I am adding userdom_signal_users(systemd_logind_t) userdom_signull_users(systemd_logind_t) userdom_kill_all_users(systemd_logind_t) application_signal(systemd_logind_t) application_signull(systemd_logind_t) application_sigkill(systemd_logind_t) to F17. Which should handle most of these. Created attachment 576561 [details]
AVC, SYSCALL entries for systemd-logind errors
Sure, here you go.
Created attachment 576573 [details]
Fixed version of our custom policy
Okay, it looks like some of those macros aren't defined in F16, but from reading /usr/share/selinux/devel/include/system/application.if and /usr/share/selinux/devel/include/system/userdomain.if, it looks like this revised version of our policy does the right magic with attributes to do what we want.
Thanks!
Yes I added the missing interfaces to F17, and I am sure Miroslav will back port them to F16. Backported. selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16 selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. I'm still getting an AVC denied as followed:
type=AVC msg=audit(1335216458.579:11168): avc: denied { sigkill } for pid=1489 comm="systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
after applying the update to selinux-policy-3.10.0-84.fc16.
When I run audit2allow on this, I get
#============= systemd_logind_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Constraint rule:
allow systemd_logind_t unconfined_t:process sigkill;
Add a local policy containing mcs_killall(systemd_logind_t) Should fix that problem. Okay, I've put a custom policy module in for that, and it seemed happy with that macro. If I see any more AVC problems I'll report back, but things look good for now. I added the fix for F17 selinux-policy-3.10.0-119.fc17.noarch Fixed in selinux-policy-3.10.0-90.fc16 selinux-policy-3.10.0-90.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-90.fc16 Package selinux-policy-3.10.0-90.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-90.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10203/selinux-policy-3.10.0-90.fc16 then log in and leave karma (feedback). selinux-policy-3.10.0-90.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 576539 [details] A policy te file that I created to permit systemd_login_t to signal/kill processes started by users. Description of problem: We're trying to use pam_systemd's kill-session-processes option to kill any processes started by a user when the user logs out. We created a custom policy (attached) to permit process type systemd_logind_t to signal and kill a variety of processes that our users are running, but attempts to allow systemd_logind_t to send sigkill to unconfined_t and unconfined_execmec_t are failing due to a constraint error when I run audit2allow / semodule -i. Version-Release number of selected component (if applicable): selinux-policy-3.10.0-80.fc16.noarch selinux-policy-targeted-3.10.0-80.fc16.noarch systemd-37-17.fc16.x86_64 It seems that there may be two bugs here. First, that the default targeted policy does not allow systemd_logind_t to signal / kill most processes that can be started by a user, and second that there is a policy constraint which prevents me from creating a policy to do this myself.