help adding a type attribute to a domain
Maria Iano
maria at iano.org
Fri Mar 11 17:18:17 UTC 2011
On Mar 11, 2011, at 11:42 AM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/11/2011 10:57 AM, Maria Iano wrote:
>> I'm getting a denial that audit2why says is due to constraints.
>> Sesearch does show that the action has an allow rule.
>>
>> Here are the audit messages:
>>
>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>> avc: denied { sigkill } for pid=22927 comm="kill"
>> scontext=system_u:system_r:rgmanager_t:s0
>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>
>> host=eng-vocngcn03.eng.gci type=SYSCALL
>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62
>> success=yes
>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>
> You have rgmanager sending a kill signal to a process running as
> unconfined_t
>
> I would bet this process is running with the wrong domain. I don't
> think you want rgmanager_t sending kill signals to user processes.
>
> What process was it trying to kill?
The process running as rgmanager_t is calling a script written by our
vendor which is a Red Hat start/stop type init.d script. This script
calls another script which is full of kill commands. The script kills
all processes owned by a user called ngio and all owned by a user
called ccismgts. It looks up another process ID and kills it but that
process is running as rgmanager_t. It also calls some other kill
scripts. It also runs an "su -" command as the user ngio which calls a
command WSMSrvStop that I can't find anywhere.
If I set the init.d type script to run in a certain domain will that
fix it? Or is that most likely running in the rgmanager_t domain
because it was called by the cluster management software? Is it the
"su -" command perhaps that causes a process to run in unconfined_t?
How would I set that to run in a certain domain?
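As an added illustration (not part of the thread, and not a tool from the SELinux project), the script below parses the two audit records Maria posted, correlates them by their audit serial number, and derives the triage facts a defender would want before touching policy: which domain signalled which, whether the source and target MLS ranges differ (the usual reason audit2why blames a constraint even though sesearch finds an allow rule), what the decoded kill() call actually targeted, and whether the syscall still succeeded (which means the domain or system is permissive). The sample log is the page's own two records rejoined onto one line each as auditd writes them; the syscall and signal tables are deliberately small, and the "hints" are heuristics of this example, not policy analysis.

```python
"""Parse SELinux AVC / SYSCALL audit records and correlate them by serial (added example)."""
import re

# The two records from the thread, rejoined onto one line each (auditd writes one
# record per line; the mail client wrapped the SYSCALL record).
SAMPLE_LOG = """\
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=eng-vocngcn03.eng.gci type=SYSCALL msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill" subj=system_u:system_r:rgmanager_t:s0 key=(null)
"""

HOST_PREFIX_RE = re.compile(r"^host=\S+\s+")
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc: +(?P<verdict>denied|granted) +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

X86_64_ARCH = "c000003e"                      # arch= value for x86_64 records
SYSCALL_NAMES_X86_64 = {62: "kill", 200: "tkill", 234: "tgkill"}  # subset (assumption: x86_64 only)
SIGNAL_NAMES = {1: "SIGHUP", 2: "SIGINT", 9: "SIGKILL", 15: "SIGTERM"}


def parse_kv(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def split_context(ctx):
    """user:role:type[:range] -> dict; the MLS range itself may contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) > 3 else ""}


def parse_record(line):
    """Parse one AVC or SYSCALL record; return None for record types we do not decode."""
    line = HOST_PREFIX_RE.sub("", line.strip())
    m = AVC_RE.match(line)
    if m:
        f = parse_kv(m.group("rest"))
        return {"type": "AVC", "serial": int(m.group("serial")),
                "verdict": m.group("verdict"), "perms": m.group("perms").split(),
                "tclass": f.get("tclass"), "pid": int(f["pid"]) if "pid" in f else None,
                "comm": f.get("comm"),
                "source": split_context(f["scontext"]), "target": split_context(f["tcontext"])}
    m = SYSCALL_RE.match(line)
    if m:
        f = parse_kv(m.group("rest"))
        return {"type": "SYSCALL", "serial": int(m.group("serial")),
                "arch": f.get("arch"), "syscall": int(f["syscall"]),
                "success": f.get("success") == "yes", "exe": f.get("exe"),
                # a0..a3 are hex-encoded syscall arguments
                "args": [int(f[a], 16) for a in ("a0", "a1", "a2", "a3") if a in f]}
    return None


def correlate(log_text):
    """Group records by audit serial so an AVC can be read next to its SYSCALL."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def explain(event_records):
    """Heuristic triage hints for one audit event (a list of records sharing a serial)."""
    avc = next((r for r in event_records if r["type"] == "AVC"), None)
    sc = next((r for r in event_records if r["type"] == "SYSCALL"), None)
    hints = []
    if avc is None:
        return hints
    hints.append("%s -> %s: %s { %s } on class %s" % (
        avc["source"]["type"], avc["target"]["type"], avc["verdict"],
        " ".join(avc["perms"]), avc["tclass"]))
    if avc["source"]["range"] != avc["target"]["range"]:
        # An allow rule is necessary but not sufficient: MLS/role constraints are
        # checked afterwards, and a range mismatch is the common reason audit2why
        # reports a constraint denial on a permission that sesearch shows as allowed.
        hints.append("MLS ranges differ (%s vs %s): an allow rule can still be blocked by a constraint"
                     % (avc["source"]["range"], avc["target"]["range"]))
    if sc and sc["arch"] == X86_64_ARCH and SYSCALL_NAMES_X86_64.get(sc["syscall"]) == "kill":
        target_pid, signum = sc["args"][0], sc["args"][1]
        hints.append("kill(pid=%d, %s) from %s" % (target_pid, SIGNAL_NAMES.get(signum, str(signum)), sc["exe"]))
    if sc and sc["success"] and avc["verdict"] == "denied":
        hints.append("syscall succeeded despite the denial: the domain or the system is permissive")
    return hints


if __name__ == "__main__":
    for serial, recs in correlate(SAMPLE_LOG).items():
        print("audit serial %d:" % serial)
        for h in explain(recs):
            print("  -", h)
```

Run on the posted records it reports that rgmanager_t sent SIGKILL to a pid whose context was unconfined_t with a wider MLS range than the sender, which is exactly the combination where a constraint, not a missing allow rule, produces the denial. The decoded pid answers "what process was it trying to kill?" only for the instant of the log; the process table of the host at that moment is still needed to map it to the script's victim.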