Created attachment 576539 [details] A policy te file that I created to permit systemd_login_t to signal/kill processes started by users. Description of problem: We're trying to use pam_systemd's kill-session-processes option to kill any processes started by a user when the user logs out. We created a custom policy (attached) to permit process type systemd_logind_t to signal and kill a variety of processes that our users are running, but attempts to allow systemd_logind_t to send sigkill to unconfined_t and unconfined_execmec_t are failing due to a constraint error when I run audit2allow / semodule -i. Version-Release number of selected component (if applicable): selinux-policy-3.10.0-80.fc16.noarch selinux-policy-targeted-3.10.0-80.fc16.noarch systemd-37-17.fc16.x86_64 It seems that there may be two bugs here. First, that the default targeted policy does not allow systemd_logind_t to signal / kill most processes that can be started by a user, and second that there is a policy constraint which prevents me from creating a policy to do this myself.
Incidentally, the reason why this policy includes permission for systemd_logind_t to kill processes of type sshd_t is that we're using the FreeNX server, and our use of pam_systemd appears to be causing the sshd_t child processes triggered by the ssh to authenticated-user@localhost performed by the nx user on an NX connection to be part of authenticated-user's process cgroup that systemd_login_t tries to kill. I'm not sure that's proper behavior there, but that's why those otherwise strange lines are in our systemd_killer.te file.
Created attachment 576542 [details] Limited te file that shows the constraint warnings This mypol.te file shows the constraint warnings that we get from running audit2allow on our most recent systemd_login_t -> unconfined_t, systemd_login_t -> unconfined_execmem_t AVC denials for sigkill.
Comment on attachment 576539 [details] A policy te file that I created to permit systemd_login_t to signal/kill processes started by users. Fixed MIME type on textual policy file.
Can you send us the auditlogs that you are being blocked by constraints.
I am adding userdom_signal_users(systemd_logind_t) userdom_signull_users(systemd_logind_t) userdom_kill_all_users(systemd_logind_t) application_signal(systemd_logind_t) application_signull(systemd_logind_t) application_sigkill(systemd_logind_t) to F17. Which should handle most of these.
Created attachment 576561 [details] AVC, SYSCALL entries for systemd-logind errors Sure, here you go.
Created attachment 576573 [details] Fixed version of our custom policy Okay, it looks like some of those macros aren't defined in F16, but from reading /usr/share/selinux/devel/include/system/application.if and /usr/share/selinux/devel/include/system/userdomain.if, it looks like this revised version of our policy does the right magic with attributes to do what we want. Thanks!
Yes I added the missing interfaces to F17, and I am sure Miroslav will back port them to F16.
Backported.
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
I'm still getting an AVC denied as followed: type=AVC msg=audit(1335216458.579:11168): avc: denied { sigkill } for pid=1489 comm="systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process after applying the update to selinux-policy-3.10.0-84.fc16. When I run audit2allow on this, I get #============= systemd_logind_t ============== #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Constraint rule: allow systemd_logind_t unconfined_t:process sigkill;
Add a local policy containing mcs_killall(systemd_logind_t) Should fix that problem.
Okay, I've put a custom policy module in for that, and it seemed happy with that macro. If I see any more AVC problems I'll report back, but things look good for now.
I added the fix for F17 selinux-policy-3.10.0-119.fc17.noarch
Fixed in selinux-policy-3.10.0-90.fc16
selinux-policy-3.10.0-90.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-90.fc16
Package selinux-policy-3.10.0-90.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-90.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10203/selinux-policy-3.10.0-90.fc16 then log in and leave karma (feedback).
selinux-policy-3.10.0-90.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.