First selinux problem, help!

Mark Haney mhaney at ercbroadband.org
Wed Nov 8 18:21:43 UTC 2006


Daniel J Walsh wrote:
>> /usr/sbin/audit2why < audit.meh
>> Nov  8 10:34:26 localhost kernel: audit(1163000066.441:216): avc:  
>> denied  { sigkill } for  pid=28872 comm="bash" 
>> scontext=user_u:system_r:unconfined_t:s0 
>> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
>>        Was caused by:
>>                Constraint violation.
>>                Check policy/constraints.
>>                Typically, you just need to add a type attribute to 
>> the domain to satisfy the constraint.
>>
>>
>> This is what I get when I piped it through audit2why.
>>
>>
> This is a problem with MCS.  Basically you are running an unconfined 
> domain at
>
> user_u:system_r:unconfined_t:s0  (s0 is sometimes referred to as 
> SystemLow)
>
> The process you are trying to kill is running with a range.
>
> root:system_r:unconfined_t:s0-s0:c0.c255  (SystemLow-SystemHigh)
>
> In this version of the policy, there is a constraint that says the 
> domain (scontext) sending the signal needs to "dominate"  the target 
> domain (tcontext).
>
> Since the process does not you get the denial.
>
> Later versions of policy have fixed this problem
>
> You can also change your login to allow you to log in in this range.
>
> semanage login -a -r SystemLow-SystemHigh dwalsh
>
> Or if you want all users to have it
>
> semanage login -m -r SystemLow-SystemHigh __default__
>
/usr/sbin/semanage: Login mapping for root is already defined

This is what I get when I try to set this up for root.  I would have 
assumed root had that authority anyway.  This still doesn't explain why 
I can't kill this process.

And when I checked with sestatus this is what I get:

[root at blowingrock ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

-- 
Ceterum censeo, Carthago delenda est.

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
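
To make the MCS dominance rule in Daniel's reply concrete, here is an added example (not code from the thread or from the SELinux project) that parses an AVC denial line like the one quoted above, pulls the MLS/MCS range out of scontext and tcontext, and reports whether the sender's high level dominates the target's. The sample denial is the one from this thread, reconstructed onto one line; the rule modelled, "sender's high level dominates target's high level", is my reading of the constraint Daniel describes, and the real expression lives in policy/constraints and should be checked there.

```python
"""Model of the MCS dominance check behind the sigkill denial.

Added example, not code from the original thread or from SELinux.
Assumption: the mlsconstrain for signals requires the sending domain's
high level (h1) to dominate the target's high level (h2).
"""
import re

# Constructed sample: the denial quoted in the thread, on one line.
SAMPLE_DENIAL = (
    'Nov  8 10:34:26 localhost kernel: audit(1163000066.441:216): avc:  '
    'denied  { sigkill } for  pid=28872 comm="bash" '
    'scontext=user_u:system_r:unconfined_t:s0 '
    'tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)


def parse_level(level):
    """'s0:c0.c255' -> (0, frozenset({0..255})); bare 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(':')
    categories = set()
    for part in filter(None, cats.split(',')):
        if '.' in part:                      # category range such as c0.c255
            lo, hi = part.split('.')
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:                                # single category such as c3
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_range(rng):
    """'s0-s0:c0.c255' -> (low, high); a bare 's0' means low == high."""
    low, _, high = rng.partition('-')
    low_level = parse_level(low)
    high_level = parse_level(high) if high else low_level
    return low_level, high_level


def parse_context(ctx):
    """Split 'user:role:type:range' into its four fields."""
    user, role, type_, rng = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_,
            'range': parse_range(rng)}


def level_dominates(a, b):
    """a dom b: a's sensitivity >= b's and a's category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def explain_denial(line):
    """Return the permissions denied and whether h1 dom h2 holds."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial line')
    src = parse_context(m.group('scontext'))
    tgt = parse_context(m.group('tcontext'))
    src_high = src['range'][1]
    tgt_high = tgt['range'][1]
    return {
        'perms': m.group('perms').split(),
        'tclass': m.group('tclass'),
        'sender_high': src_high,
        'target_high': tgt_high,
        'sender_dominates_target': level_dominates(src_high, tgt_high),
        # Categories the target carries that the sender lacks (256 here).
        'missing_categories': len(tgt_high[1] - src_high[1]),
    }


if __name__ == '__main__':
    r = explain_denial(SAMPLE_DENIAL)
    print(r['perms'], r['tclass'],
          'sender dominates target:', r['sender_dominates_target'])
    print('categories the sender lacks:', r['missing_categories'])
```

Run against the quoted denial it reports that s0 does not dominate s0:c0.c255 because the sender carries none of the 256 categories; rerun with the sender's context changed to the SystemLow-SystemHigh range that `semanage login -r` grants, and the same line passes, which is exactly why the login mapping fixes it.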