Why isn't root allowed to kill X servers?
Göran Uddeborg
goeran at uddeborg.se
Mon Oct 16 09:33:51 UTC 2006
When an X server hang and blocked the console of a machine earlier
today I realised the policy (selinux-policy-targeted-2.3.7-2.fc5) does
not allow root to kill, as in SIGKILL, X servers.
time->Mon Oct 16 07:54:31 2006
type=SYSCALL msg=audit(1160978071.008:499): arch=c000003e syscall=62 success=yes exit=0 a0=8e4 a1=9 a2=9 a3=0 items=0 pid=3236 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="kill" exe="/bin/kill" subj=root:system_r:unconfined_t:s0
type=AVC msg=audit(1160978071.008:499): avc: denied { sigkill } for pid=3236 comm="kill" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=process
I suppose this is by design, but I'm curious over the reasoning. It's
not much a root session cannot do in the targeted policy. Why is this
singled out as an exception?
(And is there something else I'm supposed to do with an X server that
hangs and don't respond to any other signal?)
More information about the fedora-selinux-list
mailing list