[rsbac] Apache in jail, problem with send_signal

Colin Pitrat colin.pitrat at bull.net
Wed Jun 28 15:19:27 CEST 2006

I'd like to run apache in a jail. I managed to get rid of all the 
NOT_GRANTED messages in log except this one :

rsbac_adf_request(): request SEND_SIGNAL, pid 4299, ppid 4297, prog_name 
httpd, prog_file /usr/sbin/httpd, uid 0, remote ip, 
target_type PROCESS, tid 4291, attr kernel_thread, value 0, result 
NOT_GRANTED (Softmode) by JAIL

For now, I'm starting apache using :
rsbac_jail -vdDni -M rlimit apachectl startssl

I thought SEND_SIGNAL would be part of the IPC (enabled thanks to the -i 
option), but it doesn't seem to be the case. I looked at the source code 
of the rsbac version I use, and I saw that :

  case R_TRACE:
    if (target == T_PROCESS) {
      jail_id = jail_get_id_process(caller_pid);
      if (!jail_id
           || (jail_id == jail_get_id(target, tid))
             return GRANTED;
             return NOT_GRANTED;
           } else
           return (DO_NOT_CARE);

So it seems that there is no option that can help me. Am I wrong ? Any 
idea how I could make it work ?

Next step would be to chroot it, but I keep getting "Error: No such file 
or directory". How could I know which files are used ? (I tried strace, 
but as process is forking, it doesn't give me everything).


More information about the rsbac mailing list