[rsbac] Apache in jail, problem with send_signal

Amon Ott ao at rsbac.org
Wed Jun 28 15:50:32 CEST 2006

On Mittwoch 28 Juni 2006 15:19, Colin Pitrat wrote:
> I'd like to run apache in a jail. I managed to get rid of all the 
> NOT_GRANTED messages in log except this one :
> rsbac_adf_request(): request SEND_SIGNAL, pid 4299, ppid 4297, 
> httpd, prog_file /usr/sbin/httpd, uid 0, remote ip, 
> target_type PROCESS, tid 4291, attr kernel_thread, value 0, result 
> NOT_GRANTED (Softmode) by JAIL
> For now, I'm starting apache using :
> rsbac_jail -vdDni -M rlimit apachectl startssl

If you start apachectl with rsbac_jail, and there is an apache 
running, the signal goes outside the jail, which is always forbidden.

As apachectl is a shell script, you should probably change apachectl 
and only use rsbac_jail for starting apache, not for anything else.
> I thought SEND_SIGNAL would be part of the IPC (enabled thanks to 
the -i 
> option), but it doesn't seem to be the case. I looked at the source 
> of the rsbac version I use, and I saw that :

No, sending signals is an access to the target process, no IPC target.
> Next step would be to chroot it, but I keep getting "Error: No such 
> or directory". How could I know which files are used ? (I tried 
> but as process is forking, it doesn't give me everything).

"strace -f" show subprocesses, too.

You might try the makejail tool to get the chroot env made. There is 
an example config for apache.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list