First selinux problem, help!

Daniel J Walsh dwalsh at redhat.com
Wed Nov 8 21:17:21 UTC 2006


Mark Haney wrote:
> Daniel J Walsh wrote:
>>> /usr/sbin/audit2why < audit.meh
>>> Nov  8 10:34:26 localhost kernel: audit(1163000066.441:216): avc:  
>>> denied  { sigkill } for  pid=28872 comm="bash" 
>>> scontext=user_u:system_r:unconfined_t:s0 
>>> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
>>>        Was caused by:
>>>                Constraint violation.
>>>                Check policy/constraints.
>>>                Typically, you just need to add a type attribute to 
>>> the domain to satisfy the constraint.
>>>
>>>
>>> This is what I get when I piped it through audit2why.
>>>
>>>
>> This is a problem with MCS.  Basically you are running an unconfined 
>> domain at
>>
>> user_u:system_r:unconfined_t:s0  (s0 is sometimes referred to as 
>> SystemLow)
>>
>> The process you are trying to kill is running with a range.
>>
>> root:system_r:unconfined_t:s0-s0:c0.c255  (SystemLow-SystemHigh)
>>
>> In this version of the policy, there is a constraint that says the 
>> domain (scontext) sending the signal needs to "dominate" the target 
>> domain (tcontext).
>>
>> Since the process does not, you get the denial.
>>
>> Later versions of policy have fixed this problem.
>>
>> You can also change your login to allow you to login in this range.
>>
>> semanage login -a -r SystemLow-SystemHigh dwalsh
>>
>> Or if you want all users to have it
>>
>> semanage login -m -r SystemLow-SystemHigh __default__
>>
> /usr/sbin/semanage: Login mapping for root is already defined
>
> This is what I get when I try to set this up for root.  I would have 
> assumed root had that authority anyway.  This still doesn't explain 
> why I can't kill this process.
>
> And when I checked with sestatus this is what I get:
>
> [root at blowingrock ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 20
> Policy from config file:        targeted
>

If you log in directly as root, you should get the correct context; if 
you log in as a normal user and then execute su or sudo, you will not.

semanage login -l

Will list your login records

semanage login -m

will modify

semanage login -a

will add

If you do not have a login record for a particular user, they will 
default to __default__
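To make the MCS explanation above concrete, here is an added example (not code from the thread or from the SELinux project) that parses an AVC record like the one quoted, pulls the MCS range out of scontext and tcontext, and checks whether the sender's level dominates the target's. It assumes the constraint compares the high level of each range (h1 dom h2) for the signal-class permissions, which is how the reference policy's MCS rules are written; the SIGNAL_PERMS set and the AVC_LINE sample are constructed for the example.

```python
import re

# Constructed sample, modelled on the AVC record quoted in this thread (not a live log).
AVC_LINE = (
    'Nov  8 10:34:26 localhost kernel: audit(1163000066.441:216): avc:  denied  '
    '{ sigkill } for  pid=28872 comm="bash" '
    'scontext=user_u:system_r:unconfined_t:s0 '
    'tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process'
)

# Process permissions subject to the MCS "sender must dominate target" constraint
# (assumption: the set used by the reference policy's MCS constraint on class process).
SIGNAL_PERMS = {"sigkill", "sigstop", "sigchld", "signal"}


def parse_avc(line):
    """Pull result, permission set and key=value fields out of one AVC record."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', line)
    if not m:
        raise ValueError("not an AVC record")
    fields = dict(re.findall(r'\b(pid|comm|scontext|tcontext|tclass)=("[^"]*"|\S+)', line))
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "pid": int(fields["pid"]),
        "comm": fields["comm"].strip('"'),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def parse_level(level):
    """'s0:c0.c255' -> (sensitivity, frozenset of categories); '.' is a run, ',' a list."""
    sens, _, cats = level.partition(':')
    categories = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')
        hi = hi or lo
        categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
    return int(sens[1:]), frozenset(categories)


def parse_range(mls):
    """'s0' or 's0-s0:c0.c255' -> (low level, high level); a single level is its own high."""
    low, _, high = mls.partition('-')
    low_level = parse_level(low)
    return low_level, (parse_level(high) if high else low_level)


def split_context(ctx):
    """user:role:type:range; the range itself may contain ':' so split at most three times."""
    user, role, typ, mls = ctx.split(':', 3)
    return user, role, typ, mls


def dominates(a, b):
    """Level a dominates level b when its sensitivity is >= and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def explain_signal_denial(line):
    """Say whether the sender's MCS range dominates the target's for a signal denial."""
    avc = parse_avc(line)
    s_range = split_context(avc["scontext"])[3]
    t_range = split_context(avc["tcontext"])[3]
    _, s_high = parse_range(s_range)
    _, t_high = parse_range(t_range)
    # Assumption: the constraint compares the high level of each range (h1 dom h2).
    ok = dominates(s_high, t_high)
    constrained = avc["tclass"] == "process" and bool(set(avc["perms"]) & SIGNAL_PERMS)
    return {
        "pid": avc["pid"], "comm": avc["comm"], "perms": avc["perms"],
        "sender_range": s_range, "target_range": t_range,
        "mcs_constrained": constrained, "sender_dominates": ok,
        "verdict": ("MCS constraint satisfied" if ok or not constrained
                    else "sender's MCS level does not dominate target's; "
                         "give the login a wider range (semanage login -r)"),
    }


if __name__ == "__main__":
    for key, value in explain_signal_denial(AVC_LINE).items():
        print(f"{key}: {value}")
```

Run against the sample, the sender's high level is s0 with no categories and the target's is s0:c0.c255, so the superset test fails and the verdict points at the login range, which is exactly what the semanage login -r command in the thread changes; swap the scontext range for s0-s0:c0.c255 and the same record passes.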




