First selinux problem, help!

Paul Howarth paul at city-fan.org
Wed Nov 8 17:00:02 UTC 2006


Mark Haney wrote:
> M A Young wrote:
>> On Wed, 8 Nov 2006, Paul Howarth wrote:
>>  
>>> Mark Haney wrote:
>>>    
>>>> Nov  8 10:34:26 localhost kernel: audit(1163000066.441:216): avc:
>>>> denied  { sigkill } for  pid=28872 comm="bash"
>>>> scontext=user_u:system_r:unconfined_t:s0
>>>> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
>>>>
>>>> What I'm trying to kill is a perl script (rsnapshot).
>>>>       
>>> Well that's a curious one. It would be allowed by policy here. Try
>>> piping that error log entry through /usr/sbin/audit2why at your end.
>>>     
>>
>> You are trying to send the signal as root (ie. it is worth double checking
>> you aren't doing something that ordinary linux would block)?
>> It may also be worth checking what selinux type you are running - for most
>> circumstances "targeted" is the right choice - the other options "strict"
>> and "mls" are probably too paranoid for most purposes.
>>
>>     Michael Young
>>
>>   
> Yes, I'm trying to send the signal as root.  The process itself is owned 
> and run by root, so I don't think that should be a problem.  As for 
> which type of selinux I'm running, how do I check that?  I'm pretty sure 
> I'm using targeted, but can't say for certain.

The "sestatus" command will tell you which policy you're using.

Paul.
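
An added example, not part of the original thread: a small Python parser that splits the AVC record quoted above into its fields, so the source and target contexts can be compared component by component. The log line is copied from the quoted message and re-joined onto one line; the function names (parse_avc, parse_context, context_diff) are hypothetical.

```python
import re

# AVC record copied from the quoted message, re-joined onto one line.
SAMPLE = ('Nov  8 10:34:26 localhost kernel: audit(1163000066.441:216): avc: '
          'denied  { sigkill } for  pid=28872 comm="bash" '
          'scontext=user_u:system_r:unconfined_t:s0 '
          'tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process')

AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<rest>.*)')

CONTEXT_KEYS = ('user', 'role', 'type', 'level')


def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':'."""
    return dict(zip(CONTEXT_KEYS, ctx.split(':', 3)))


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if no match."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'epoch': float(m['epoch']), 'serial': int(m['serial']),
           'result': m['result'], 'perms': m['perms'].split()}
    # The remainder is key=value pairs; some values (comm) are quoted.
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m['rest']):
        rec[key] = val.strip('"')
    for key in ('scontext', 'tcontext'):
        if key in rec:
            rec[key] = parse_context(rec[key])
    return rec


def context_diff(rec):
    """Context components that differ, as {name: (source, target)}."""
    src, tgt = rec['scontext'], rec['tcontext']
    return {k: (src.get(k), tgt.get(k))
            for k in CONTEXT_KEYS if src.get(k) != tgt.get(k)}


if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec['result'], rec['perms'], 'tclass=' + rec['tclass'])
    for name, (s, t) in context_diff(rec).items():
        print(f'{name}: source={s} target={t}')
```

For this record the role and type match on both sides; only the user and level components differ.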



