Cluster service failure when "rgmanager_t" type executed sigkill action on type unconfined_t in RHEL 6

Solution Verified - Updated -

Issue

  • If a filesystem resource in a cluster is configured with "force_unmount=1", fuser is used to send SIGKILL to processes in order to force an unmount. SELinux prevents this from happening. The logs show the following:

      Jan 25 10:36:16 test01 setroubleshoot: SELinux is preventing /sbin/fuser "sigkill" access . For complete SELinux messages. run sealert -l 5e12cb2b-c359-4411-9f06-bca39353cef7
    
  • Audit.log shows the following:

      type=SYSCALL msg=audit(1295948173.767:7544): arch=c000003e syscall=62 success=no exit=-13 a0=25a a1=9 a2=8 a3=fffffffb items=0 ppid=4265 pid=4628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fuser" exe="/sbin/fuser" subj=system_u:system_r:rgmanager_t:s0 key=(null)
      type=AVC msg=audit(1295948173.768:7545): avc:  denied  { sigkill } for pid=4628 comm="fuser" scontext=system_u:system_r:rgmanager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
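
The two audit records above can be decoded field by field to confirm what was blocked. The following is an added example, not part of the Red Hat article: it assumes one record per line, reads arch=c000003e with syscall=62 as kill(2) on x86_64, and the names `explain` and `se_type` are hypothetical.

```python
import errno
import re
import signal

# Constructed input: the two records quoted above, one record per line.
SAMPLE = (
    'type=SYSCALL msg=audit(1295948173.767:7544): arch=c000003e syscall=62 '
    'success=no exit=-13 a0=25a a1=9 a2=8 a3=fffffffb items=0 ppid=4265 '
    'pid=4628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm="fuser" exe="/sbin/fuser" '
    'subj=system_u:system_r:rgmanager_t:s0 key=(null)\n'
    'type=AVC msg=audit(1295948173.768:7545): avc:  denied  { sigkill } for '
    'pid=4628 comm="fuser" scontext=system_u:system_r:rgmanager_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process\n'
)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_KILL = ("c000003e", "62")  # arch/syscall pair for kill(2) on x86_64


def se_type(context):
    """Return the type, the third field of user:role:type:level."""
    return context.split(":")[2]


def explain(log):
    """Decode failed kill(2) calls and AVC denials from audit records."""
    findings = []
    for line in log.splitlines():
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        is_kill = (rec.get("arch"), rec.get("syscall")) == X86_64_KILL
        if rec.get("type") == "SYSCALL" and is_kill and rec.get("success") == "no":
            # a0..a3 are hexadecimal; exit is the negated errno.
            findings.append({
                "caller": (rec["comm"], int(rec["pid"]), se_type(rec["subj"])),
                "target_pid": int(rec["a0"], 16),
                "signal": signal.Signals(int(rec["a1"], 16)).name,
                "error": errno.errorcode[-int(rec["exit"])],
            })
        elif rec.get("type") == "AVC" and " denied " in line:
            perms = re.search(r"\{([^}]*)\}", line).group(1).split()
            findings.append({
                "caller": (rec["comm"], int(rec["pid"]), se_type(rec["scontext"])),
                "denied": perms,
                "target_type": se_type(rec["tcontext"]),
                "tclass": rec["tclass"],
            })
    return findings
```

Both findings carry the same caller tuple (fuser, pid 4628, rgmanager_t), which ties the EACCES returned by kill(2) to the AVC denial of sigkill against an unconfined_t process.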
    

Environment

  • Red Hat Enterprise Linux 5, 6
  • selinux-policy-3.7.19-54.el6_0.3.noarch
  • selinux-policy-targeted-3.7.19-54.el6_0.3.noarch
