On Mar 11, 2011, at 11:42 AM, Daniel J Walsh wrote:
On 03/11/2011 10:57 AM, Maria Iano wrote:
I'm getting a denial that audit2why says is due to constraints. Sesearch does show that the action has an allow rule.
Here are the audit messages:
host=eng-vocngcn03.eng.gci type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=eng-vocngcn03.eng.gci type=SYSCALL msg=audit(1299844473.770:740848): arch=c000003e syscall=62 success=yes exit=0 a0=19ba a1=9 a2=9 a3=0 items=0 ppid=20173 pid=22927 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kill" exe="/bin/kill" subj=system_u:system_r:rgmanager_t:s0 key=(null)
You have rgmanager sending a kill signal to a process running as unconfined_t.
I would bet this process is running with the wrong domain. I don't think you want rgmanager_t sending kill signals to user processes.
What process was it trying to kill?
The process running as rgmanager_t is calling a script written by our vendor which is a Red Hat start/stop type init.d script. This script calls another script which is full of kill commands. The script kills all processes owned by a user called ngio and all owned by a user called ccismgts. It looks up another process ID and kills it but that process is running as rgmanager_t. It also calls some other kill scripts. It also runs an "su -" command as the user ngio which calls a command WSMSrvStop that I can't find anywhere.
If I set the init.d type script to run in a certain domain will that fix it? Or is that most likely running in the rgmanager_t domain because it was called by the cluster management software? Is it the "su -" command perhaps that causes a process to run in unconfined_t? How would I set that to run in a certain domain?
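
Added example, not part of the original thread: a small Python parser for the AVC record quoted above that splits the source and target contexts and tests whether the source's high level dominates the target's. It assumes the constraint audit2why points at is an MCS-style dominance check (h1 dom h2) on process signals, which the thread does not confirm; all function names are illustrative.

```python
import re

# AVC record copied from the thread above (host= prefix dropped).
AVC = ('type=AVC msg=audit(1299844473.770:740848): avc: denied { sigkill } '
       'for pid=22927 comm="kill" scontext=system_u:system_r:rgmanager_t:s0 '
       'tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process')

def parse_avc(line):
    """Return the permission list and key=value fields of one AVC record."""
    perms = re.search(r'\{ ([^}]*)\}', line).group(1).split()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return perms, {k: v.strip('"') for k, v in fields.items()}

def parse_level(level):
    """'s0:c0.c3,c7' -> (0, {0, 1, 2, 3, 7}); 'cA.cB' is an inclusive run."""
    sens, _, cats = level.partition(':')
    out = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo
        out.update(range(lo, hi + 1))
    return int(sens[1:]), out

def parse_context(ctx):
    """Split user:role:type:range; the range is 'low' or 'low-high'."""
    user, role, typ, rng = ctx.split(':', 3)
    low, _, high = rng.partition('-')
    return {'user': user, 'role': role, 'type': typ,
            'low': parse_level(low), 'high': parse_level(high or low)}

def dominates(a, b):
    """Level a dominates b: sensitivity is >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def explain(line):
    """Summarise the record and the assumed h1-dom-h2 check (an assumption)."""
    perms, f = parse_avc(line)
    s, t = parse_context(f['scontext']), parse_context(f['tcontext'])
    return {'perms': perms, 'source_type': s['type'], 'target_type': t['type'],
            'h1_dom_h2': dominates(s['high'], t['high']),
            'missing_categories': len(t['high'][1] - s['high'][1])}

if __name__ == '__main__':
    print(explain(AVC))
```

For the record in this thread the source level s0 carries no categories while the target's high level carries c0.c1023, so the assumed dominance check fails even though a type-enforcement allow rule exists.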