First selinux problem, help!
Daniel J Walsh
dwalsh at redhat.com
Wed Nov 8 21:17:21 UTC 2006
Mark Haney wrote:
> Daniel J Walsh wrote:
>>> /usr/sbin/audit2why < audit.meh
>>> Nov 8 10:34:26 localhost kernel: audit(1163000066.441:216): avc:
>>> denied { sigkill } for pid=28872 comm="bash"
>>> scontext=user_u:system_r:unconfined_t:s0
>>> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
>>> Was caused by:
>>> Constraint violation.
>>> Check policy/constraints.
>>> Typically, you just need to add a type attribute to
>>> the domain to satisfy the constraint.
>>>
>>>
>>> This is what I get when I piped it through audit2why.
>>>
>>>
>> This is a problem with MCS. Basically you are running an unconfined
>> domain at
>>
>> user_u:system_r:unconfined_t:s0 (s0 is sometimes referred to as
>> SystemLow)
>>
>> The process you are trying to kill is running with a range.
>>
>> root:system_r:unconfined_t:s0-s0:c0.c255 (SystemLow-SystemHigh)
>>
>> In this version of the policy, there is a constraint that says the
>> domain (scontext) sending the signal needs to "dominate" the target
>> domain (tcontext).
>>
>> Since the process does not you get the denial.
>>
>> Later versions of policy have fixed this problem
>>
>> You can also change your login to allow you to login in this range.
>>
>> semanage login -a -r SystemLow-SystemHigh dwalsh
>>
>> Or if you want all users to have it
>>
>> semanage login -m -r SystemLow-SystemHigh __default__
>>
> /usr/sbin/semanage: Login mapping for root is already defined
>
> This is what I get when I try to set this up for root. I would have
> assumed root had that authority anyway. This still doesn't explain
> why I can't kill this process.
>
> And when I checked with sestatus this is what I get:
>
> [root at blowingrock ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 20
> Policy from config file: targeted
>
If you log in directly as root, you should get the correct context, if
you log in as a normal user and then execute su or sudo you will not.
semanage login -l
Will list your login records
semanage login -m
will modify
semanage login -a
will add
If you do not have a login record for a particular user, they will
default to __default__
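The MCS dominance check behind this denial, worked through in code. This is an added example, not part of the thread or of any SELinux tool: it parses an AVC denial line (the constructed sample is the thread's own line joined onto one line), splits the contexts into sensitivity and category sets, and models the constraint the way the reply describes it (the sender's high level must dominate the target's high level). The helper and function names, and the SystemHigh = s0:c0.c255 name mapping, are assumptions.

```python
"""Parse an SELinux AVC denial and check the MCS dominance relation that the
signal-delivery constraint requires. Added example, not from the thread."""
import re

# Constructed sample: the denial from the thread, joined onto one line.
SAMPLE_DENIAL = (
    'Nov 8 10:34:26 localhost kernel: audit(1163000066.441:216): avc: '
    'denied { sigkill } for pid=28872 comm="bash" '
    'scontext=user_u:system_r:unconfined_t:s0 '
    'tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process'
)

# Fields of an AVC denial that matter here: permissions, both contexts, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Names used in the thread for the ends of the range (assumption: SystemHigh
# is s0:c0.c255 in the policy being discussed).
LEVEL_NAMES = {'s0': 'SystemLow', 's0:c0.c255': 'SystemHigh'}


def parse_level(level):
    """Turn 's0', 's0:c0.c255' or 's1:c1,c3.c5' into (sensitivity, categories)."""
    sens, _, cats = level.partition(':')
    sensitivity = int(sens[1:])
    categories = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')     # 'c0.c255' is an inclusive run
        hi = hi or lo
        categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
    return sensitivity, frozenset(categories)


def parse_context(ctx):
    """Split user:role:type:range; a single level is both low and high."""
    user, role, typ, rng = ctx.split(':', 3)
    low, _, high = rng.partition('-')
    high = high or low
    return {'user': user, 'role': role, 'type': typ,
            'low': parse_level(low), 'high': parse_level(high)}


def dominates(a, b):
    """a dominates b when its sensitivity is at least b's and its category
    set is a superset of b's (standard MLS/MCS dominance)."""
    return a[0] >= b[0] and a[1] >= b[1]


def check_signal_denial(line):
    """Explain a process-class AVC denial in MCS terms, or None if the line
    is not one. Assumption: the constraint is modelled as 'sender's high
    level must dominate the target's high level', as the reply describes."""
    m = AVC_RE.search(line)
    if not m or m.group('tclass') != 'process':
        return None
    src = parse_context(m.group('scontext'))
    tgt = parse_context(m.group('tcontext'))
    ok = dominates(src['high'], tgt['high'])
    fix = None
    if not ok:
        # The remedy the thread gives: a login mapping with the full range.
        fix = 'log in with the full range: semanage login -a -r SystemLow-SystemHigh <user>'
    return {
        'perms': m.group('perms').split(),
        'sender_high': src['high'],
        'target_high': tgt['high'],
        'sender_dominates_target': ok,
        'fix': fix,
    }


if __name__ == '__main__':
    print(check_signal_denial(SAMPLE_DENIAL))
```

Run against the sample, the sender's high level is (0, no categories) and the target's is (0, c0 through c255), so the sender does not dominate and the check reports the denial as a constraint violation rather than a missing allow rule, which is the distinction audit2why's "Constraint violation" output is pointing at.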