Description of problem:
If the CIM Server is built with PEGASUS_ENABLE_PRIVILEGE_SEPARATION enabled, the cimserver process is split into two processes, cimserver and cimservermain. cimservermain is the larger of the two processes and runs in a non-privileged context. The cimserver process runs as a privileged user. When "/etc/init.d/tog-pegasus stop" is called, a SIGTERM is sent to the cimserver process. The cimserver process is then responsible for killing the cimservermain process. If SELinux is enabled, this operation fails with the following error.

Nov 19 09:28:23 bwindi setroubleshoot: SELinux is preventing /usr/sbin/cimserver (pegasus_t) "kill" access to <Unknown> (pegasus_t). For complete SELinux messages, run sealert -l 40aba5be-b6a3-4a61-8837-3c1b26836530

[root@bwindi log]# sealert -l 40aba5be-b6a3-4a61-8837-3c1b26836530

Summary
    SELinux is preventing /usr/sbin/cimserver (pegasus_t) "kill" access to <Unknown> (pegasus_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/cimserver. It is not expected that this access is required by /usr/sbin/cimserver and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "pegasus_disable_trans" boolean to true will disable SELinux protection for this application: "setsebool -P pegasus_disable_trans=1."

The following command will allow this access:
    setsebool -P pegasus_disable_trans=1

Additional Information

Source Context                root:system_r:pegasus_t
Target Context                root:system_r:pegasus_t
Target Objects                None [ capability ]
Affected RPM Packages         tog-pegasus-2.9.0-1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     bwindi.cup.hp.com
Platform                      Linux bwindi.cup.hp.com 2.6.18-65.el5.bz248052 #1 SMP Wed Jan 9 16:05:55 EST 2008 x86_64 x86_64
Alert Count                   90
Line Numbers

Raw Audit Messages

avc: denied { kill } for comm="cimserver" egid=0 euid=0 exe="/usr/sbin/cimserver" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=21675 scontext=root:system_r:pegasus_t:s0 sgid=0 subj=root:system_r:pegasus_t:s0 suid=0 tclass=capability tcontext=root:system_r:pegasus_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Because PEGASUS_ENABLE_PRIVILEGE_SEPARATION is disabled in the tog-pegasus shipped in RHEL, we won't change the default policy to give cimserver kill access. Please consider building your own SELinux module:
http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

Put this into the new module to give cimserver the desired access:

#============= pegasus_t ==============
allow pegasus_t self:capability kill;
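As an added example (not from the bug report, the Red Hat maintainer, or the tog-pegasus project), the procedure the maintainer points to, written out as a shell script: wrap the allow rule above in a complete type-enforcement source, compile and package it with checkmodule and semodule_package, install it with semodule, and statically check that the source grants only this one rule. The module name cimserver_kill, the file names and the working directory are assumptions. Because source and target contexts in the AVC are both pegasus_t, the target is `self`; the `class capability kill` entry in the require block corresponds to tclass=capability in the raw audit message. This grants a single capability to a single domain, unlike the `setsebool -P pegasus_disable_trans=1` that setroubleshoot offered, which takes the daemon out of SELinux confinement altogether.

```shell
#!/bin/sh
# Added example (not part of the bug report): build a minimal local SELinux
# policy module granting cimserver (pegasus_t) the kill capability from the
# denial above, instead of flipping the pegasus_disable_trans boolean.
# Module name "cimserver_kill", file names and directories are assumptions.

# Write the type-enforcement source for the module to $1 (a .te path).
write_te_module() {
    te_file="$1"
    cat > "$te_file" <<'EOF'
# Local module: let the privileged cimserver process signal cimservermain.
# Both run in pegasus_t, so the target is "self" and the class is the
# kill capability (CAP_KILL), matching "avc: denied { kill }" above.
module cimserver_kill 1.0;

require {
    type pegasus_t;
    class capability kill;
}

#============= pegasus_t ==============
allow pegasus_t self:capability kill;
EOF
    printf '%s\n' "$te_file"
}

# Compile and package the module: .te -> .mod -> .pp. Needs checkmodule
# (checkpolicy package) and semodule_package (policycoreutils).
build_pp_module() {
    te_file="$1"
    base="${te_file%.te}"
    checkmodule -M -m -o "$base.mod" "$te_file"
    semodule_package -o "$base.pp" -m "$base.mod"
    printf '%s\n' "$base.pp"
}

# Install the package (root required) and confirm the module is loaded.
# sesearch (setools) is optional; it just shows the rule now in policy.
install_pp_module() {
    semodule -i "$1"
    semodule -l | grep -q '^cimserver_kill' || return 1
    sesearch --allow -s pegasus_t -t pegasus_t -c capability -p kill 2>/dev/null || true
}

# Static check: exactly one allow rule, and it is the self:capability kill
# rule, so a typo cannot silently widen the grant to other domains.
te_grants_only_self_kill() {
    grep -c '^allow ' "$1" | grep -qx 1 &&
    grep -q '^allow pegasus_t self:capability kill;$' "$1"
}

# Usage: sh build_cimserver_kill.sh build [dir]
#        sh build_cimserver_kill.sh install path/to/cimserver_kill.pp  (as root)
case "${1:-}" in
    build)
        dir="${2:-$(mktemp -d)}"
        te="$(write_te_module "$dir/cimserver_kill.te")"
        te_grants_only_self_kill "$te" || { echo "unexpected rule set in $te" >&2; exit 1; }
        pp="$(build_pp_module "$te")"
        echo "built $pp; install as root with: semodule -i $pp"
        ;;
    install)
        install_pp_module "$2"
        ;;
    *) ;;
esac
```

After installing, repeat `/etc/init.d/tog-pegasus stop` and check with `ausearch -m avc -c cimserver` that no new kill denial appears; if a further denial shows up, it will name a different permission or class, and the same module can be extended rather than resorting to the disable_trans boolean.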
Thanks for the pointer. Using our own SELinux module would definitely make support for SELinux easier.

Thanks,
Denise