Bug 811334 - SELinux constraint is preventing systemd-logind from killing unconfined_t, unconfined_execmem_t
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2012-04-10 14:08 EDT by Jonathan Abbey
Modified: 2012-07-25 23:53 EDT (History)
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-07-25 23:53:09 EDT
Type: Bug


Attachments
A policy te file that I created to permit systemd_login_t to signal/kill processes started by users. (1001 bytes, text/plain)
2012-04-10 14:08 EDT, Jonathan Abbey
Limited te file that shows the constraint warnings (588 bytes, text/plain)
2012-04-10 14:21 EDT, Jonathan Abbey
AVC, SYSCALL entries for systemd-logind errors (101.97 KB, text/plain)
2012-04-10 15:09 EDT, Jonathan Abbey
Fixed version of our custom policy (1.29 KB, text/plain)
2012-04-10 15:44 EDT, Jonathan Abbey

Description Jonathan Abbey 2012-04-10 14:08:02 EDT
Created attachment 576539 [details]
A policy te file that I created to permit systemd_login_t to signal/kill processes started by users.

Description of problem:

We're trying to use pam_systemd's kill-session-processes option to kill any processes started by a user when the user logs out.

We created a custom policy (attached) to permit process type systemd_logind_t
to signal and kill a variety of processes that our users are running, but
attempts to allow systemd_logind_t to send sigkill to unconfined_t and
unconfined_execmem_t are failing due to a constraint error when I run
audit2allow / semodule -i.

Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-80.fc16.noarch
selinux-policy-targeted-3.10.0-80.fc16.noarch
systemd-37-17.fc16.x86_64

It seems that there may be two bugs here.  First, that the default targeted policy does not allow systemd_logind_t to signal / kill most processes that can be started by a user, and second that there is a policy constraint which prevents me from creating a policy to do this myself.
Comment 1 Jonathan Abbey 2012-04-10 14:17:33 EDT
Incidentally, the reason why this policy includes permission for systemd_logind_t to kill processes of type sshd_t is that we're using the FreeNX server, and our use of pam_systemd appears to be causing the sshd_t child processes triggered by the ssh to authenticated-user@localhost performed by the nx user on an NX connection to be part of authenticated-user's process cgroup that systemd_logind_t tries to kill.

I'm not sure that's proper behavior there, but that's why those otherwise strange lines are in our systemd_killer.te file.
Comment 2 Jonathan Abbey 2012-04-10 14:21:06 EDT
Created attachment 576542 [details]
Limited te file that shows the constraint warnings

This mypol.te file shows the constraint warnings that we get from running audit2allow on our most recent systemd_logind_t -> unconfined_t, systemd_logind_t -> unconfined_execmem_t AVC denials for sigkill.
Comment 3 Jonathan Abbey 2012-04-10 14:22:08 EDT
Comment on attachment 576539 [details]
A policy te file that I created to permit systemd_login_t to signal/kill processes started by users.

Fixed MIME type on textual policy file.
Comment 4 Daniel Walsh 2012-04-10 14:38:57 EDT
Can you send us the audit logs where you are being blocked by constraints?
Comment 5 Daniel Walsh 2012-04-10 14:48:07 EDT
I am adding 

userdom_signal_users(systemd_logind_t)
userdom_signull_users(systemd_logind_t)
userdom_kill_all_users(systemd_logind_t)
application_signal(systemd_logind_t)
application_signull(systemd_logind_t)
application_sigkill(systemd_logind_t)

to F17.

Which should handle most of these.
Comment 6 Jonathan Abbey 2012-04-10 15:09:12 EDT
Created attachment 576561 [details]
AVC, SYSCALL entries for systemd-logind errors

Sure, here you go.
Comment 7 Jonathan Abbey 2012-04-10 15:44:09 EDT
Created attachment 576573 [details]
Fixed version of our custom policy

Okay, it looks like some of those macros aren't defined in F16, but from reading /usr/share/selinux/devel/include/system/application.if and /usr/share/selinux/devel/include/system/userdomain.if, it looks like this revised version of our policy does the right magic with attributes to do what we want.

Thanks!
Comment 8 Daniel Walsh 2012-04-10 16:11:53 EDT
Yes, I added the missing interfaces to F17, and I am sure Miroslav will backport them to F16.
Comment 9 Miroslav Grepl 2012-04-11 03:37:21 EDT
Backported.
Comment 10 Fedora Update System 2012-04-18 08:56:08 EDT
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
Comment 11 Fedora Update System 2012-04-21 23:38:31 EDT
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Jonathan Abbey 2012-04-24 09:46:10 EDT
I'm still getting an AVC denied as follows:

type=AVC msg=audit(1335216458.579:11168): avc:  denied  { sigkill } for  pid=1489 comm="systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

after applying the update to selinux-policy-3.10.0-84.fc16.

When I run audit2allow on this, I get

#============= systemd_logind_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Constraint rule: 
allow systemd_logind_t unconfined_t:process sigkill;
Comment 13 Daniel Walsh 2012-04-24 11:37:42 EDT
Add a local policy containing 

mcs_killall(systemd_logind_t)

Should fix that problem.
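
An added example (not part of the original comments and not selinux-policy code): a triage helper that parses the AVC record from comment 12 and checks whether the source's MCS level covers the target's, which separates a constraint violation from a missing allow rule. It assumes the constraint on sigkill compares the source's high level against the target's high level; the function names are hypothetical.

```python
import re

# AVC record quoted in comment 12 of this bug.
AVC = ('type=AVC msg=audit(1335216458.579:11168): avc:  denied  { sigkill } for  '
       'pid=1489 comm="systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process')

def parse_level(level):
    """'s0:c0.c3,c7' -> (0, {0, 1, 2, 3, 7}); 'a.b' is an inclusive category range."""
    sens, _, cats = level.partition(':')
    out = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), out

def parse_context(ctx):
    """user:role:type:low[-high] -> (type, low level, high level)."""
    user, role, typ, mls = ctx.split(':', 3)
    low, _, high = mls.partition('-')
    return typ, parse_level(low), parse_level(high or low)

def dominates(a, b):
    """Level a dominates b: sensitivity is >= and the category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def triage(avc_line):
    """Classify a denial; the high-level dominance test is an assumed model of the constraint."""
    m = re.search(r'\{ ([^}]*?) \}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)', avc_line)
    perms, (styp, _, shigh), (ttyp, _, thigh) = (
        m.group(1).split(), parse_context(m.group(2)), parse_context(m.group(3)))
    # If the source level already covers the target, look for a missing allow
    # rule instead; otherwise an allow rule alone cannot clear the denial.
    kind = 'te-rule' if dominates(shigh, thigh) else 'mcs-constraint'
    return {'source': styp, 'target': ttyp, 'perms': perms, 'class': m.group(4),
            'missing_categories': len(thigh[1] - shigh[1]), 'kind': kind}

if __name__ == '__main__':
    print(triage(AVC))
```

For the record above the source runs at s0 with no categories while the target's range extends to c0.c1023, so the helper reports a constraint violation, matching the audit2allow warning.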
Comment 14 Jonathan Abbey 2012-04-24 13:37:19 EDT
Okay, I've put a custom policy module in for that, and it seemed happy with that macro.

If I see any more AVC problems I'll report back, but things look good for now.
Comment 15 Daniel Walsh 2012-04-24 14:17:36 EDT
I added the fix for F17 selinux-policy-3.10.0-119.fc17.noarch
Comment 16 Miroslav Grepl 2012-06-22 10:26:54 EDT
Fixed in selinux-policy-3.10.0-90.fc16
Comment 17 Fedora Update System 2012-07-02 04:47:43 EDT
selinux-policy-3.10.0-90.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-90.fc16
Comment 18 Fedora Update System 2012-07-03 11:49:37 EDT
Package selinux-policy-3.10.0-90.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-90.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10203/selinux-policy-3.10.0-90.fc16
then log in and leave karma (feedback).
Comment 19 Fedora Update System 2012-07-25 23:53:09 EDT
selinux-policy-3.10.0-90.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
