help adding a type attribute to a domain

Maria Iano maria at iano.org
Fri Mar 11 17:18:17 UTC 2011


On Mar 11, 2011, at 11:42 AM, Daniel J Walsh wrote:

> On 03/11/2011 10:57 AM, Maria Iano wrote:
>> I'm getting a denial that audit2why says is due to constraints.
>> Sesearch does show that the action has an allow rule.
>>
>> Here are the audit messages:
>>
>> host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848):
>> avc:  denied  { sigkill } for  pid=22927 comm="kill"
>> scontext=system_u:system_r:rgmanager_t:s0
>> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>>
>> host=eng-vocngcn03.eng.gci type=SYSCALL
>> msg=audit(1299844473.770:740848): arch=c000003e syscall=62  
>> success=yes
>> exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927
>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill"
>> subj=system_u:system_r:rgmanager_t:s0 key=(null)
>>
> You have rgmanager sending a kill signal to a process running as
> unconfined_t
>
> I would bet this process is running with the wrong domain.  I don't
> think you want rgmanager_t sending kill signals to user processes.
>
> What process was it trying to kill?

The process running as rgmanager_t is calling a script written by our
vendor which is a Red Hat start/stop type init.d script. This script
calls another script which is full of kill commands. The script kills
all processes owned by a user called ngio and all owned by a user
called ccismgts. It looks up another process ID and kills it but that
process is running as rgmanager_t. It also calls some other kill
scripts. It also runs an "su -" command as the user ngio which calls a
command WSMSrvStop that I can't find anywhere.

If I set the init.d type script to run in a certain domain will that  
fix it? Or is that most likely running in the rgmanager_t domain  
because it was called by the cluster management software. Is it the  
"su -" command perhaps that causes a process to run in unconfined_t?  
How would I set that to run in a certain domain?
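Added example, written for this page and not taken from the thread or from either poster. It covers the two questions above: why audit2why can blame "constraints" for a process-signal denial that sesearch says is allowed, and what a policy module that moves the vendor's script into its own domain looks like. It assumes the targeted policy's usual MCS constraint on process signal permissions (the sender's high level must dominate the target's high level unless the sender carries the mcskillall attribute; on a setools 3 install, seinfo --constrain lists the constraints actually in your policy), and it assumes the policy provides the domain, exec_type and file_type attributes and the shell_exec_t and bin_t types. The names vendor_stop_t and vendor_stop_exec_t are made up, and the AVC record inside the script is a constructed copy of the one quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the thread: read the AVC record quoted above and
# check the MCS levels in it, then write a minimal policy module that gives the
# vendor's script its own domain on execution by rgmanager_t. Assumes the
# targeted policy's constraint that a sender of process signals must dominate
# the target's MCS level (or carry mcskillall); vendor_stop_* names are made up.

# Constructed copy of the AVC record from the post.
AVC='type=AVC msg=audit(1299844473.770:740848): avc:  denied  { sigkill } for  pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process'

# avc_field RECORD KEY -> the value of KEY=... in an audit record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# high_level CONTEXT -> high end of the context's MCS range ("...:s0-s0:c0.c1023" -> "s0:c0.c1023")
high_level() {
    range=$(printf '%s\n' "$1" | cut -d: -f4-)
    printf '%s\n' "${range##*-}"
}

# expand_cats LEVEL -> one category number per line ("s0:c0.c3,c7" -> 0 1 2 3 7)
expand_cats() {
    cats=${1#*:}
    [ "$cats" = "$1" ] && return 0          # a level with no categories
    printf '%s\n' "$cats" | tr ',' '\n' | while IFS= read -r item; do
        case $item in
            *.*) lo=${item%%.*}; hi=${item##*.}; seq "${lo#c}" "${hi#c}" ;;
            *)   printf '%s\n' "${item#c}" ;;
        esac
    done | sort -n | uniq
}

# dominates A B -> true when level A dominates level B: A's sensitivity is at
# least B's and every category of B is also in A (the "h1 dom h2" test)
dominates() {
    sa=${1%%:*}; sb=${2%%:*}
    [ "${sa#s}" -ge "${sb#s}" ] || return 1
    a=$(expand_cats "$1")
    for c in $(expand_cats "$2"); do
        printf '%s\n' "$a" | grep -qx "$c" || return 1
    done
    return 0
}

# explain_denial RECORD -> "mcs SRC TGT" when the MCS signal constraint explains a
# process-class denial, "allow" when the levels pass and the allow rules are next
explain_denial() {
    src=$(high_level "$(avc_field "$1" scontext)")
    tgt=$(high_level "$(avc_field "$1" tcontext)")
    if [ "$(avc_field "$1" tclass)" = process ] && ! dominates "$src" "$tgt"; then
        printf 'mcs %s %s\n' "$src" "$tgt"
    else
        printf 'allow\n'
    fi
}

# write_policy DIR -> writes DIR/vendor_stop.te (raw checkmodule syntax, no
# refpolicy macros) and prints its path
write_policy() {
    cat > "$1/vendor_stop.te" <<'EOF'
module vendor_stop 1.0;

require {
    type rgmanager_t;
    type shell_exec_t;
    type bin_t;
    attribute domain;
    attribute exec_type;
    attribute file_type;
    class process { transition sigchld };
    class file { read getattr open execute entrypoint execute_no_trans };
}

type vendor_stop_t;
type vendor_stop_exec_t;
typeattribute vendor_stop_t domain;
typeattribute vendor_stop_exec_t exec_type, file_type;

# executing a vendor_stop_exec_t file from rgmanager_t lands in vendor_stop_t
allow rgmanager_t vendor_stop_exec_t:file { read getattr open execute };
allow vendor_stop_t vendor_stop_exec_t:file entrypoint;
allow rgmanager_t vendor_stop_t:process transition;
allow vendor_stop_t rgmanager_t:process sigchld;
type_transition rgmanager_t vendor_stop_exec_t:process vendor_stop_t;

# the script is a shell script and runs /bin/kill and friends in its own domain
allow vendor_stop_t shell_exec_t:file { read getattr open execute execute_no_trans };
allow vendor_stop_t bin_t:file { read getattr open execute execute_no_trans };
EOF
    printf '%s\n' "$1/vendor_stop.te"
}

explain_denial "$AVC"
```

Run as is, the script reports "mcs s0 s0:c0.c1023": rgmanager_t runs at plain s0 while the unconfined_t target runs at s0-s0:c0.c1023, so the target's high level is not dominated and the signal is refused by the constraint even though an allow rule exists, which is exactly the sesearch-versus-audit2why disagreement in the post. To try the module, call write_policy on a directory, then build and load it with checkmodule -M -m -o vendor_stop.mod vendor_stop.te, semodule_package -o vendor_stop.pp -m vendor_stop.mod and semodule -i vendor_stop.pp; label the vendor's script with semanage fcontext -a -t vendor_stop_exec_t on its path (the path is not given in the thread) followed by restorecon, and confirm the transition with sesearch -T -s rgmanager_t -t vendor_stop_exec_t -c process. Expect further denials from the new domain and extend it with audit2allow. Two caveats: a process that transitions into vendor_stop_t keeps rgmanager_t's s0 level, so dominates still fails against the s0-s0:c0.c1023 targets; either the targets should not be running as unconfined_t in the first place, as Daniel suggests, or the killing domain needs the mcskillall attribute where the policy defines it (seinfo -a lists the attributes present). And "su -" will only change the domain if the policy has a transition for it; the "su -" child seen here as unconfined_t is something to confirm with ps -eZ rather than assume.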