Cluster service failure when "rgmanager_t" type executed sigkill action on type unconfined_t in RHEL 6
Issue
- If a filesystem resource in the cluster is configured with "force_unmount=1", fuser is used to send SIGKILL to processes in order to force an unmount. SELinux is preventing this from happening. The logs show the following:
Jan 25 10:36:16 test01 setroubleshoot: SELinux is preventing /sbin/fuser "sigkill" access . For complete SELinux messages. run sealert -l 5e12cb2b-c359-4411-9f06-bca39353cef7
- Audit.log shows the following:
type=SYSCALL msg=audit(1295948173.767:7544): arch=c000003e syscall=62 success=no exit=-13 a0=25a a1=9 a2=8 a3=fffffffb items=0 ppid=4265 pid=4628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fuser" exe="/sbin/fuser" subj=system_u:system_r:rgmanager_t:s0 key=(null)
type=AVC msg=audit(1295948173.768:7545): avc: denied { sigkill } for pid=4628 comm="fuser" scontext=system_u:system_r:rgmanager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
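The two audit records above can be decoded field by field to confirm what was blocked. The following is an added example, not part of the original article or of any Red Hat tool; the function names are illustrative, and it assumes the x86_64 syscall table (arch=c000003e), where syscall 62 is kill(2).

```python
import errno
import re
import signal

# The two records from the audit.log excerpt above, one per string.
SYSCALL = ('type=SYSCALL msg=audit(1295948173.767:7544): arch=c000003e syscall=62 '
           'success=no exit=-13 a0=25a a1=9 a2=8 a3=fffffffb items=0 ppid=4265 '
           'pid=4628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
           'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fuser" '
           'exe="/sbin/fuser" subj=system_u:system_r:rgmanager_t:s0 key=(null)')
AVC = ('type=AVC msg=audit(1295948173.768:7545): avc: denied { sigkill } for '
       'pid=4628 comm="fuser" scontext=system_u:system_r:rgmanager_t:s0 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=process')

X86_64_KILL = 62  # kill(2) syscall number when arch=c000003e (x86_64)


def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def parse_avc(record):
    """Reduce an AVC record to who was denied what, against which type."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', record)
    if m is None:
        raise ValueError("not an AVC record")
    f = fields(record)
    # A context is user:role:type:level; only the level may contain more colons.
    return {"result": m.group(1), "perms": m.group(2).split(),
            "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2],
            "tclass": f["tclass"], "comm": f["comm"]}


def decode_kill(record):
    """Decode the kill(2) call in a SYSCALL record; a0..a3 are hexadecimal."""
    f = fields(record)
    if f.get("arch") != "c000003e" or int(f["syscall"]) != X86_64_KILL:
        raise ValueError("not an x86_64 kill(2) record")
    rc = int(f["exit"])
    return {"target_pid": int(f["a0"], 16),
            "signal": signal.Signals(int(f["a1"], 16)).name,
            "error": errno.errorcode.get(-rc) if rc < 0 else None,
            "exe": f["exe"], "subject_type": f["subj"].split(":")[2]}


if __name__ == "__main__":
    print(parse_avc(AVC))
    print(decode_kill(SYSCALL))
```

Read together, the records show /sbin/fuser running as rgmanager_t calling kill() with SIGKILL on PID 602 and receiving EACCES, because the sigkill permission on a process of type unconfined_t was denied.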
Environment
- Red Hat Enterprise Linux 5, 6
- selinux-policy-3.7.19-54.el6_0.3.noarch
- selinux-policy-targeted-3.7.19-54.el6_0.3.noarch
