Cluster service failure when "rgmanager_t" type executed sigkill action on type unconfined_t in RHEL 6
Issue
- If a filesystem resource in a cluster is configured with "force_unmount=1", fuser is used to send SIGKILL to processes in order to force an unmount. SELinux prevents this from happening. The logs show the following:
Jan 25 10:36:16 test01 setroubleshoot: SELinux is preventing /sbin/fuser "sigkill" access . For complete SELinux messages. run sealert -l 5e12cb2b-c359-4411-9f06-bca39353cef7
- Audit.log shows the following:
type=SYSCALL msg=audit(1295948173.767:7544): arch=c000003e syscall=62 success=no exit=-13 a0=25a a1=9 a2=8 a3=fffffffb items=0 ppid=4265 pid=4628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fuser" exe="/sbin/fuser" subj=system_u:system_r:rgmanager_t:s0 key=(null)
type=AVC msg=audit(1295948173.768:7545): avc: denied { sigkill } for pid=4628 comm="fuser" scontext=system_u:system_r:rgmanager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
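An added example, not part of the original article: a Python triage helper that decodes the two audit records above, showing that the failed call is kill(2) with signal 9 returning EACCES and which SELinux types the denial involves. The function names are hypothetical, and the sample input is the page's own records placed one per line with the stray space in tcontext removed.

```python
import errno
import re
import signal

# Sample input: the two audit records quoted in this article, one per line
# (stray space inside tcontext removed so the context parses as one token).
SAMPLE = """\
type=SYSCALL msg=audit(1295948173.767:7544): arch=c000003e syscall=62 success=no exit=-13 a0=25a a1=9 a2=8 a3=fffffffb items=0 ppid=4265 pid=4628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fuser" exe="/sbin/fuser" subj=system_u:system_r:rgmanager_t:s0 key=(null)
type=AVC msg=audit(1295948173.768:7545): avc: denied { sigkill } for pid=4628 comm="fuser" scontext=system_u:system_r:rgmanager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def fields(record):
    """Split an audit record into key=value pairs, unquoting string values."""
    return {k: v.strip('"') for k, v in KV.findall(record)}

def setype(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def decode_kill(f):
    """Decode a kill(2) SYSCALL record; x86_64 only (arch=c000003e, syscall=62)."""
    if (f.get("arch"), f.get("syscall")) != ("c000003e", "62"):
        return None
    return {"pid": f["pid"], "exe": f["exe"], "domain": setype(f["subj"]),
            "target_pid": int(f["a0"], 16),  # a0..a3 are logged in hex
            "signal": signal.Signals(int(f["a1"], 16)).name,
            "error": errno.errorcode.get(-int(f["exit"]), "none")}

def triage(log):
    """Pair each AVC denial with the kill(2) call made by the same pid."""
    kills, findings = {}, []
    for line in log.splitlines():
        f = fields(line)
        if f.get("type") == "SYSCALL":
            k = decode_kill(f)
            if k:
                kills[k["pid"]] = k
        elif f.get("type") == "AVC" and (m := DENIED.search(line)):
            findings.append({"perms": m.group(1).split(),
                             "source_type": setype(f["scontext"]),
                             "target_type": setype(f["tcontext"]),
                             "tclass": f["tclass"],
                             "syscall": kills.get(f["pid"])})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The records are paired by pid rather than by audit serial number because the two records quoted here carry different serials (7544 and 7545).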
Environment
- Red Hat Enterprise Linux 5, 6
- selinux-policy-3.7.19-54.el6_0.3.noarch
- selinux-policy-targeted-3.7.19-54.el6_0.3.noarch