[rsbac] Apache in jail, problem with send_signal
Amon Ott
ao at rsbac.org
Wed Jun 28 15:50:32 CEST 2006
On Wednesday 28 June 2006 15:19, Colin Pitrat wrote:
> I'd like to run apache in a jail. I managed to get rid of all the
> NOT_GRANTED messages in log except this one :
>
> rsbac_adf_request(): request SEND_SIGNAL, pid 4299, ppid 4297, prog_name
> httpd, prog_file /usr/sbin/httpd, uid 0, remote ip 129.182.18.201,
> target_type PROCESS, tid 4291, attr kernel_thread, value 0, result
> NOT_GRANTED (Softmode) by JAIL
>
> For now, I'm starting apache using :
> rsbac_jail -vdDni -M rlimit apachectl startssl
If you start apachectl with rsbac_jail, and there is an apache
running, the signal goes outside the jail, which is always forbidden.
As apachectl is a shell script, you should probably change apachectl
and only use rsbac_jail for starting apache, not for anything else.
> I thought SEND_SIGNAL would be part of the IPC (enabled thanks to the -i
> option), but it doesn't seem to be the case. I looked at the source code
> of the rsbac version I use, and I saw that :
No, sending signals is an access to the target process, no IPC target.
> Next step would be to chroot it, but I keep getting "Error: No such file
> or directory". How could I know which files are used ? (I tried strace,
> but as process is forking, it doesn't give me everything).
"strace -f" shows subprocesses, too.
You might try the makejail tool to get the chroot env made. There is
an example config for apache.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
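As an added example (not part of this thread, and not an RSBAC or makejail tool), the following script shows how a practitioner would turn the "strace -f" suggestion above into a list of files to copy into the chroot. It assumes the trace was captured with "strace -f -e trace=file -o httpd.trace apachectl start", so that every line begins with the pid of the (possibly forked) process that made the call. The trace embedded in the script is constructed to resemble such a capture of a forking httpd, including the kill() to the already-running httpd (pid 4291) that the jail logged as SEND_SIGNAL; it is not a real capture.

```shell
#!/bin/sh
# Added example: extract chroot-relevant paths from "strace -f -e trace=file -o FILE" output.
# Assumptions: the trace was written with -o, so lines look like "PID  syscall(...) = ret".
# The trace below is CONSTRUCTED for illustration, not a real capture.

SAMPLE_TRACE='4297  execve("/usr/sbin/httpd", ["/usr/sbin/httpd", "-k", "start"], [/* 12 vars */]) = 0
4297  open("/etc/ld.so.cache", O_RDONLY) = 3
4297  open("/lib/libssl.so.0.9.8", O_RDONLY) = 3
4297  open("/etc/apache2/httpd.conf", O_RDONLY|O_LARGEFILE) = 4
4297  stat64("/var/www/htdocs", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
4298  open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
4298  open("/usr/share/zoneinfo/UTC", O_RDONLY) = -1 ENOENT (No such file or directory)
4299  open("/var/log/apache2/error_log", O_WRONLY|O_APPEND|O_CREAT, 0644) = -1 ENOENT (No such file or directory)
4299  open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
4299  kill(4291, SIGTERM) = 0'

# Pull the first quoted argument (the path) out of a "PID  syscall(...)" line.
# Works for open("/p", ...) as well as openat(AT_FDCWD, "/p", ...) on newer strace.
path_of_line() {
    sed -n 's/^[0-9]*  *[a-z0-9_]*([^"]*"\([^"]*\)".*/\1/p'
}

# Files a child or parent tried to reach but that do not exist inside the chroot:
# these are the candidates behind "No such file or directory".
missing_paths() {
    grep 'ENOENT' "$1" | path_of_line | sort -u
}

# Files that were reached successfully: they must exist in the chroot too
# (binaries, shared libraries, config, document root).
found_paths() {
    grep -v ' = -1 ' "$1" | path_of_line | sort -u
}

main() {
    tracefile=${1:-}
    if [ -z "$tracefile" ]; then
        # No trace given: run on the constructed sample so the script is self-contained.
        tracefile=$(mktemp)
        printf '%s\n' "$SAMPLE_TRACE" > "$tracefile"
        cleanup="$tracefile"
    fi
    echo "== paths missing from the chroot (ENOENT) =="
    missing_paths "$tracefile"
    echo "== paths that must also be present =="
    found_paths "$tracefile"
    [ -n "${cleanup:-}" ] && rm -f "$cleanup"
    return 0
}

main "$@"
```

Run it as "sh trace_paths.sh httpd.trace" after capturing the trace; note that the kill() line carries no path and is ignored, while /etc/localtime is reported once even though two children failed on it.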