[rsbac] Apache in jail, problem with send_signal
Colin Pitrat
colin.pitrat at bull.net
Wed Jun 28 15:19:27 CEST 2006
Hello,

I'd like to run apache in a jail. I managed to get rid of all the
NOT_GRANTED messages in the log except this one:

rsbac_adf_request(): request SEND_SIGNAL, pid 4299, ppid 4297, prog_name
httpd, prog_file /usr/sbin/httpd, uid 0, remote ip 129.182.18.201,
target_type PROCESS, tid 4291, attr kernel_thread, value 0, result
NOT_GRANTED (Softmode) by JAIL

For now, I'm starting apache using:

    rsbac_jail -vdDni -M rlimit apachectl startssl

I thought SEND_SIGNAL would be part of the IPC (enabled thanks to the -i
option), but it doesn't seem to be the case. I looked at the source code
of the rsbac version I use, and I saw this:

    case R_SEND_SIGNAL:
    case R_TRACE:
        if (target == T_PROCESS) {
            jail_id = jail_get_id_process(caller_pid);
            if (!jail_id
                || (jail_id == jail_get_id(target, tid))
               )
                return GRANTED;
            else
                return NOT_GRANTED;
        } else
            return (DO_NOT_CARE);

So it seems that there is no option that can help me. Am I wrong? Any
idea how I could make it work?

Next step would be to chroot it, but I keep getting "Error: No such file
or directory". How could I know which files are used? (I tried strace,
but as the process is forking, it doesn't give me everything.)

Regards,
Colin
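
Added example, not part of the original message: for the chroot question above, a shell sketch that summarises a trace taken with strace -f (which follows forked children) and lists the paths that came back ENOENT. The trace lines, PIDs and paths in sample_trace are constructed, and the strace invocation in the comment is an assumed way to capture the log.

```shell
#!/bin/sh
# Capture step (assumed invocation, run separately from this script):
#   strace -f -e trace=file -o /tmp/httpd.trace apachectl startssl
# -f follows forked children; with -o each line starts with the child's PID.

# Constructed sample of such a trace (paths and PIDs are illustrative).
sample_trace() {
cat <<'EOF'
4297  execve("/usr/sbin/apachectl", ["apachectl", "startssl"], [/* 20 vars */]) = 0
4297  open("/etc/ld.so.cache", O_RDONLY) = 3
4299  execve("/usr/sbin/httpd", ["httpd", "-DSSL"], [/* 20 vars */]) = 0
4299  open("/etc/httpd/conf/httpd.conf", O_RDONLY) = 3
4299  stat64("/var/www/html", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
4299  open("/etc/httpd/conf/ssl.crt/server.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
4301  open("/var/log/httpd/error_log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 3
4301  open("/etc/httpd/conf/httpd.conf", O_RDONLY <unfinished ...>
4301  --- SIGCHLD (Child exited) @ 0 (0) ---
EOF
}

# Print "STATUS PATH" once per distinct pair, for every traced call that
# names a path. STATUS is "ok" or the errno name (e.g. ENOENT).
# Reads the trace from the files given as arguments, or from stdin.
# Calls split by strace into "<unfinished ...>" / "resumed" halves are skipped.
trace_paths() {
    awk '
    / = / && match($0, /"[^"]*"/) {
        path = substr($0, RSTART + 1, RLENGTH - 2)   # first quoted argument
        n = split($0, part, / = /)                   # result follows the last " = "
        split(part[n], res, " ")
        status = (res[1] ~ /^-/) ? res[2] : "ok"
        print status, path
    }' "$@" | sort -u
}

# Paths some process in the tree looked for and did not find.
missing_paths() { trace_paths "$@" | sed -n 's/^ENOENT //p'; }

# Paths that were found: candidates to provide inside the chroot.
needed_paths() { trace_paths "$@" | sed -n 's/^ok //p'; }

sample_trace | trace_paths
```

Run against a trace of the chrooted start, missing_paths shows which lookups produce the "No such file or directory" error; run against a trace of the working, non-chrooted start, needed_paths gives the list of files to provide.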