On Mar 11, 2011, at 11:42 AM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/11/2011 10:57 AM, Maria Iano wrote:
>> I'm getting a denial that audit2why says is due to constraints.
>> Sesearch does show that the action has an allow rule.
>>
>> Here are the audit messages:
>>
>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>> avc: denied { sigkill } for pid=22927 comm="kill"
>> scontext=system_u:system_r:rgmanager_t:s0
>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>
>> host=eng-vocngcn03.eng.gci type=SYSCALL
>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62
>> success=yes
>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>
> You have rgmanager sending a kill signal to a process running as
> unconfined_t
>
> I would bet this process is running with the wrong domain. I don't
> think you want rgmanager_t sending kill signals to user processes.
>
> What process was it trying to kill?

I'm trying to track this down and this is what I think so far. I think I was wrong previously about an ssh session being involved. Instead here is what I think is happening.

We have Red Hat clustering running on this server. We send it a command to move one of the services to a different node. Our cluster configuration tells it to call a stop script written by the vendor when stopping the cluster service. That stop script is doing something that causes that AVC error. We are actually expecting an update to the stop script from the vendor next week because it also causes segfaults and isn't working correctly (although selinux may be part of the reason for it failing).

It's also possible that it's the Red Hat clustering itself that triggers the AVC messages when it stops the service.
But I would think we would have heard of that by now if it was the case.

Thanks,
Maria
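
Added example, not part of the original thread: the question "What process was it trying to kill?" can be answered from the SYSCALL record itself, because for kill(2) the audit subsystem logs the target PID in a0 and the signal number in a1, both in hexadecimal. The function names are hypothetical and the sample records are the two quoted above, each joined onto one line.

```python
import re

# Constructed sample: the two audit records quoted in the thread, one per string.
AVC = ('type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for '
       'pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 '
       'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process')
SYSCALL = ('type=SYSCALL msg=audit(1299844473.770:740848): arch=c000003e '
           'syscall=62 success=yes exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 '
           'ppid=20173 pid=22927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 '
           'fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 '
           'comm="kill" exe="/bin/kill" '
           'subj=system_u:system_r:rgmanager_t:s0 key=(null)')

AUDIT_ARCH_X86_64 = 0xC000003E
SYS_KILL_X86_64 = 62  # kill(2) syscall number on x86_64


def fields(record):
    """Return (event serial, {key: value}) for one audit record."""
    serial = re.search(r'msg=audit\(([\d.]+:\d+)\)', record).group(1)
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return serial, {k: v.strip('"') for k, v in pairs}


def kill_target(avc, syscall):
    """Correlate an AVC denial with its SYSCALL record and decode kill(2) args."""
    avc_id, a = fields(avc)
    sys_id, s = fields(syscall)
    if avc_id != sys_id:
        raise ValueError("records belong to different audit events")
    if int(s['arch'], 16) != AUDIT_ARCH_X86_64 or int(s['syscall']) != SYS_KILL_X86_64:
        raise ValueError("not an x86_64 kill(2) record")
    # a0 is printed as an unsigned hex register value; pid_t is a signed 32-bit int.
    pid = int(s['a0'], 16) & 0xFFFFFFFF
    if pid >= 1 << 31:
        pid -= 1 << 32  # zero or negative means a process group, not one PID
    return {
        'event': avc_id,
        'caller_pid': int(s['pid']),
        'caller_exe': s['exe'],
        'source_context': a['scontext'],
        'target_context': a['tcontext'],
        'target_pid': pid,
        'signal': int(s['a1'], 16),
    }


if __name__ == '__main__':
    for key, value in kill_target(AVC, SYSCALL).items():
        print(f'{key}: {value}')
```

The decoded PID only identifies the process while it is still alive, so it has to be matched against a process listing with contexts (for example `ps -eZ`) captured around the time of the event.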