help adding a type attribute to a domain

Maria Iano maria at iano.org
Fri Mar 11 16:51:02 UTC 2011


On Mar 11, 2011, at 11:42 AM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/11/2011 10:57 AM, Maria Iano wrote:
>> I'm getting a denial that audit2why says is due to constraints.
>> Sesearch does show that the action has an allow rule.
>>
>> Here are the audit messages:
>>
>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>> avc:  denied  { sigkill } for  pid=22927 comm="kill"
>> scontext=system_u:system_r:rgmanager_t:s0
>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>
>> host=eng-vocngcn03.eng.gci type=SYSCALL
>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62  
>> success=yes
>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>
> You have rgmanager sending a kill signal to a process running as
> unconfined_t
>
> I would bet this process is running with the wrong domain.  I don't
> think you want rgmanager_t sending kill signals to user processes.
>
> What process was it trying to kill?

I'm trying to track this down and this is what I think so far. I think  
I was wrong previously about an ssh session being involved. Instead  
here is what I think is happening.

We have Red Hat clustering running on this server. We send it a  
command to move one of the services to a different node. Our cluster  
configuration tells it to call a stop script written by the vendor  
when stopping the cluster service. That stop script is doing something  
that causes that AVC error.

We are actually expecting an update to the stop script from the vendor  
next week because it also causes segfaults and isn't working correctly  
(although selinux may be part of the reason for it failing).

It's also possible that it's the Red Hat clustering itself that  
triggers the AVC messages when it stops the service. But I would think  
we would have heard of that by now if it was the case.

Thanks,
Maria
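The record Maria quoted is the kind of AVC that audit2why attributes to a constraint rather than a missing allow rule: the sender runs at `s0` while the target process runs at `s0-s0:c0.c1023`. In the MCS form of the targeted policy a process-signal constraint requires the sender's high level to dominate the receiver's (that is my recollection of the reference policy, not something stated on the page), and `s0` without categories does not dominate `s0:c0.c1023`. The script below is an added triage example, not code from the thread or from the SELinux project. It parses an AVC record into its contexts, decodes the MLS/MCS ranges, checks dominance, and flags Daniel's other point (a confined domain acting on `unconfined_t` usually means the target is running in the wrong domain). The sample record is the one from the thread, reflowed onto one line as it would appear in audit.log; `triage_avc` and the note text are my names and assumptions.

```python
import re
from dataclasses import dataclass, field

# Matches the permission set, source/target contexts and object class of an
# AVC record. Fields are whitespace-separated, so a wrapped line also parses.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)",
    re.DOTALL,
)

# The record from the thread, on one line (values unchanged).
SAMPLE_AVC = (
    'type=AVC msg=audit(1299844473.770:740848): avc:  denied  { sigkill } '
    'for  pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'
)


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        # MLS/MCS dominance: sensitivity at least as high and a superset of categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text):
    """'s0' -> Level(0, {}); 's0:c0.c1023' -> Level(0, {0..1023}); 's0:c1,c3.c5' -> {1,3,4,5}."""
    sens, _, cats = text.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c3.c5' is the inclusive range c3..c5
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return Level(int(sens[1:]), frozenset(categories))


def parse_context(ctx):
    """Split user:role:type:range. The range may itself contain ':', so split only three times."""
    user, role, type_, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")           # 's0' alone means low == high
    return {"user": user, "role": role, "type": type_,
            "low": parse_level(low), "high": parse_level(high or low)}


def triage_avc(record):
    """Return a dict describing why the AVC was denied, or None if it is not an AVC record."""
    m = AVC_RE.search(record)
    if not m:
        return None
    src = parse_context(m["scontext"])
    tgt = parse_context(m["tcontext"])
    mcs_ok = src["high"].dominates(tgt["high"])
    notes = []
    if not mcs_ok:
        notes.append("source high level does not dominate target high level: "
                     "MCS constraint, not a missing allow rule")
    if tgt["type"] == "unconfined_t" and src["type"] != "unconfined_t":
        notes.append("confined domain acting on unconfined_t: "
                     "the target process is probably running in the wrong domain")
    return {
        "perms": m["perms"].split(),
        "tclass": m["tclass"],
        "source_type": src["type"],
        "target_type": tgt["type"],
        "mcs_dominates": mcs_ok,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in triage_avc(SAMPLE_AVC).items():
        print(f"{key}: {value}")
```

Feed it lines from `ausearch -m avc` to separate the two situations the thread discusses: a record where dominance fails points at the target's category range (and at which process is running unconfined), while a record where dominance holds and the denial persists is the case for `sesearch --allow` and a policy module.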

