On Mar 11, 2011, at 11:48 AM, Dominick Grift wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/11/2011 05:42 PM, Daniel J Walsh wrote:
>> On 03/11/2011 10:57 AM, Maria Iano wrote:
>>> I'm getting a denial that audit2why says is due to constraints.
>>> Sesearch does show that the action has an allow rule.
>>
>>> Here are the audit messages:
>>
>>> host=eng-vocngcn03.eng.gci type=AVC
>>> msg=audit(1299844473.770:740848):
>>> avc: denied { sigkill } for pid=22927 comm="kill"
>>> scontext=system_u:system_r:rgmanager_t:s0
>>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>>> tclass=process
>>
>>> host=eng-vocngcn03.eng.gci type=SYSCALL
>>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62
>>> success=yes
>>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>
>> You have rgmanager sending a kill signal to a process running as
>> unconfined_t
>
> There is no proof that its rgmanager doing that imho. Since
> rgmanager_t
> is an unconfined_domain it could be any generic application started
> by a
> process running in the rgmanager_t domain (eventually started by
> rgmanager)
>
We have red hat clustering running on the server, and the clustering
processes are running as rgmanager_t. When we move a service off the
server to another node, the clustering software calls a vendor script
like the red hat init.d scripts, with the stop command. That vendor
script calls another script which is a stop script. That stop scripts
if full of kill commands - that match all running processes against
various expressions and kill them.
We do have a custom policy with a bunch of allow rules but none of
them allow a domain transition.
Thanks,
Maria
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
