[refpolicy] initrc_t access to sshd /proc to adjust OOM killer
Hi,
the startup script of the OpenSSH server on Debian Sid adjusts the OOM
killer so that it does not kill sshd under OOM conditions. It simply does
    printf '%s' "$SSHD_OOM_ADJUST" >"/proc/$PID/oom_adj" || true
BTW: I am not certain whether this does exactly what was intended, because this
parameter is inherited by all child processes, as one can see using the
attached simple script.
Nevertheless, I don't know how to enable such a write under SELinux. It
triggers:
[   66.417499] type=1400 audit(1209737438.955:6): avc:  denied  { write } for  pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file
I wrote the attached patch, but the denial still appears.
sid:~# sesearch --allow -s initrc_t  -t sshd_t -c file 
WARNING: This policy contained disabled aliases; they have been removed.
Found 3 semantic av rules:
   allow @ttr1634 @ttr2356 : file { ioctl read getattr lock }; 
   allow initrc_t sshd_t : file { ioctl write getattr lock append }; 
   allow initrc_t @ttr2356 : file { ioctl read getattr lock }; 
sid:~# sestatus   
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 22
Policy from config file:        refpolicy
sid:~# uname -a
Linux sid 2.6.25-1-686 #1 SMP Mon Apr 28 13:54:58 UTC 2008 i686 GNU/Linux
What am I doing wrong, please?
Best Regards
-- 
Zito
#!/bin/bash
# Prefix every line of "ps axf" with the process's current
# /proc/<pid>/oom_adj value, so that the inheritance of the OOM
# adjustment through the process tree is visible at a glance.
ps axf | perl -lpe '
    my $adj = "";
    if (m/^\s*(\d+)/) {
	# Data line: the first field is the PID. The open may fail for a
	# process that exited between ps and here, or without permission;
	# in that case the column is left empty.
	if ( open(my $fh, "<", "/proc/$1/oom_adj") ) {
	    $adj = <$fh>;
	    chomp $adj;
	    close($fh);
	}
    } else {
	# Header line of ps: label the added column.
	$adj = "OMA";
    }
    $_ = sprintf("%3s %s", $adj, $_);
'
---
 policy/modules/services/ssh.if |   19 +++++++++++++++++++
 policy/modules/system/init.te  |    2 ++
 2 files changed, 21 insertions(+)
Index: refpolicy-svn/policy/modules/services/ssh.if
===================================================================
--- refpolicy-svn.orig/policy/modules/services/ssh.if	2008-05-02 14:36:38.000000000 +0200
+++ refpolicy-svn/policy/modules/services/ssh.if	2008-05-02 14:37:51.000000000 +0200
@@ -626,6 +626,25 @@
 
 ########################################
 ## <summary>
+##	Allow to write to files of ssh server under /proc
+##	primarily to adjust the OOM killer.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow access.
+##	</summary>
+## </param>
+#
+interface(`ssh_proc_write',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:file write_file_perms;
+')
+
+########################################
+## <summary>
 ##	Connect to SSH daemons over TCP sockets.  (Deprecated)
 ## </summary>
 ## <param name="domain">
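Review bot: The summary of the new interface ("Allow to write to files of ssh server under /proc") undersells what `allow $1 sshd_t:file write_file_perms;` grants: `write_file_perms` also carries append, lock, ioctl and getattr, and the rule applies to every file labelled sshd_t, which for a process domain means every file under /proc/<pid> of the running sshd, not just oom_adj. Consider wording the summary to match, e.g. "Write the sshd process's /proc entries, e.g. to adjust the OOM killer", so callers know what they get. The hunk also splices the new block between the `## <summary>` header and the summary text of the deprecated interface that follows; the result is well-formed, but inserting the complete block before that header's `########` line would read more easily. Finally, the rule this interface produces is already present in the sesearch output above (`allow initrc_t sshd_t : file { ioctl write getattr lock append };`), so the interface itself does grant the denied write; a denial that persists after this points at which policy the kernel is actually running, not at the rule text.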
Index: refpolicy-svn/policy/modules/system/init.te
===================================================================
--- refpolicy-svn.orig/policy/modules/system/init.te	2008-05-02 14:36:43.000000000 +0200
+++ refpolicy-svn/policy/modules/system/init.te	2008-05-02 14:36:43.000000000 +0200
@@ -743,6 +743,8 @@
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
+# Debian startup script adjusts OOM killer to not kill sshd.
+	ssh_proc_write(initrc_t)
 ')
 
 optional_policy(`
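Review bot: The comment `# Debian startup script adjusts OOM killer to not kill sshd.` is flush-left inside the optional_policy block while the call beneath it is tab-indented; refpolicy indents a comment to the same level as the rule it describes. Since the write is needed only by Debian's init script, the call could also be scoped with the distro conditional refpolicy uses elsewhere (`ifdef(`distro_debian',` ... `')`) instead of granting initrc_t write access to sshd's /proc entries on every distribution.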
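The step the post is asking about, turning an AVC denial into the allow rule it requests and checking whether the rules sesearch reports already cover it, as an added example that is not part of the original post or of refpolicy. It parses the AVC line and the sesearch output quoted above (embedded here as constructed sample input) with plain string handling; it is not audit2allow, and it only trusts rules on concrete types, deliberately ignoring attribute rules such as `@ttr2356` because without the policy it cannot know which types they expand to.

```python
"""Parse an SELinux AVC denial, emit the matching allow rule, and check
whether a set of `sesearch --allow` rules already grants the denied perms.

Added example, not code from the mailing-list post or from refpolicy.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Tuple

# Constructed sample input: the AVC message and sesearch output from the post.
AVC_LINE = (
    '[   66.417499] type=1400 audit(1209737438.955:6): avc:  denied  { write } '
    'for  pid=1600 comm="S16ssh" name="oom_adj" dev=proc ino=70952 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=file'
)
SESEARCH_OUTPUT = """\
Found 3 semantic av rules:
   allow @ttr1634 @ttr2356 : file { ioctl read getattr lock };
   allow initrc_t sshd_t : file { ioctl write getattr lock append };
   allow initrc_t @ttr2356 : file { ioctl read getattr lock };
"""

Rule = Tuple[str, str, str, frozenset]  # (source type, target type, class, perms)


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    source: str   # type component of scontext
    target: str   # type component of tcontext
    tclass: str

    def allow_rule(self) -> str:
        """Minimal allow rule that would satisfy exactly this denial."""
        return "allow %s %s:%s { %s };" % (
            self.source, self.target, self.tclass, " ".join(sorted(self.perms)))


_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)
_RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]*?)\s*\}\s*;"
)


def _type_of(context: str) -> str:
    # A context is user:role:type[:level]; the type is always the third field.
    return context.split(":")[2]


def parse_denial(line: str) -> Denial:
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    return Denial(frozenset(m.group("perms").split()),
                  _type_of(m.group("s")), _type_of(m.group("t")), m.group("c"))


def parse_rules(text: str) -> Iterator[Rule]:
    """Yield (source, target, class, perms) for each allow rule in sesearch output."""
    for m in _RULE_RE.finditer(text):
        yield m.group(1), m.group(2), m.group(3), frozenset(m.group(4).split())


def rule_covers(denial: Denial, rules: Iterable[Rule]) -> bool:
    """True if rules on the same concrete source/target/class grant every denied perm.

    Attribute rules (names starting with '@', or any named attribute) are skipped:
    without the policy we cannot expand them, so coverage is never claimed from them.
    """
    missing = set(denial.perms)
    for src, tgt, cls, perms in rules:
        if (src, tgt, cls) == (denial.source, denial.target, denial.tclass):
            missing -= perms
    return not missing


if __name__ == "__main__":
    d = parse_denial(AVC_LINE)
    print(d.allow_rule())
    print("already granted by sesearch rules:", rule_covers(d, parse_rules(SESEARCH_OUTPUT)))
```

Run against the lines from the post, this prints `allow initrc_t sshd_t:file { write };` and reports that the sesearch output already grants it. That is the useful caveat: when a denial survives even though the rule is in the policy file sesearch reads, the question is which policy the kernel is running, not how the rule is spelled.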