Cluster service failure when "rgmanager_t" type executed sigkill action on type unconfined_t in RHEL 6

Solution Verified - Updated -

Issue

  • If a filesystem resource in a cluster is configured with "force_unmount=1", fuser is used to send SIGKILL to processes in order to force an unmount. SELinux prevents this from happening. The logs show the following:

      Jan 25 10:36:16 test01 setroubleshoot: SELinux is preventing /sbin/fuser "sigkill" access . For complete SELinux messages. run sealert -l 5e12cb2b-c359-4411-9f06-bca39353cef7
    
  • audit.log shows the following:

      type=SYSCALL msg=audit(1295948173.767:7544): arch=c000003e syscall=62 success=no exit=-13 a0=25a a1=9 a2=8 a3=fffffffb items=0 ppid=4265 pid=4628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fuser" exe="/sbin/fuser" subj=system_u:system_r:rgmanager_t:s0 key=(null)
      type=AVC msg=audit(1295948173.768:7545): avc:  denied  { sigkill } for pid=4628 comm="fuser" scontext=system_u:system_r:rgmanager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
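
The two audit records above can be read field by field. The following is an added example, not part of the original article or of any Red Hat tool; the function names and the one-entry syscall table are assumptions of this sketch (arch c000003e is x86_64, where syscall 62 is kill).

```python
import errno
import re
import signal

# The two records quoted above, each joined back onto a single line.
SYSCALL = ('type=SYSCALL msg=audit(1295948173.767:7544): arch=c000003e syscall=62 '
           'success=no exit=-13 a0=25a a1=9 a2=8 a3=fffffffb items=0 ppid=4265 pid=4628 '
           'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
           'tty=(none) ses=4294967295 comm="fuser" exe="/sbin/fuser" '
           'subj=system_u:system_r:rgmanager_t:s0 key=(null)')
AVC = ('type=AVC msg=audit(1295948173.768:7545): avc:  denied  { sigkill } for pid=4628 '
       'comm="fuser" scontext=system_u:system_r:rgmanager_t:s0 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process')
X86_64_SYSCALLS = {62: "kill"}  # assumption: only the entry this record needs

def fields(record):
    """Split an audit record into key=value pairs; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def context(label):
    """Split user:role:type[:level]; an MLS range such as s0-s0:c0.c1023 contains ':'."""
    user, role, type_, *level = label.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level[0] if level else None}

def decode_syscall(record):
    f = fields(record)
    if f["arch"] != "c000003e":  # x86_64; syscall numbers differ on other arches
        raise ValueError("unsupported arch " + f["arch"])
    return {"syscall": X86_64_SYSCALLS.get(int(f["syscall"]), f["syscall"]),
            "target_pid": int(f["a0"], 16),  # audit prints syscall arguments in hex
            "signal": signal.Signals(int(f["a1"], 16)).name,
            "error": errno.errorcode[-int(f["exit"])],
            "caller_type": context(f["subj"])["type"]}

def decode_avc(record):
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", record)
    if m is None:
        raise ValueError("not an AVC record")
    f = fields(record)
    target = context(f["tcontext"])
    return {"result": m.group(1), "perms": m.group(2).split(), "tclass": f["tclass"],
            "source_type": context(f["scontext"])["type"],
            "target_type": target["type"], "target_level": target["level"]}

if __name__ == "__main__":
    print(decode_syscall(SYSCALL))
    print(decode_avc(AVC))
```

Decoded, the SYSCALL record is fuser, running in the rgmanager_t domain, calling kill() with SIGKILL and getting EACCES back, and the AVC record names the denied permission (sigkill, class process) and the unconfined_t target.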
    

Environment

  • Red Hat Enterprise Linux 5, 6
  • selinux-policy-3.7.19-54.el6_0.3.noarch
  • selinux-policy-targeted-3.7.19-54.el6_0.3.noarch
