Re: First selinux problem, help!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Mark Haney wrote:

Daniel J Walsh wrote:

/usr/sbin/audit2why < audit.meh
Nov 8 10:34:26 localhost kernel: audit(1163000066.441:216): avc: denied { sigkill } for pid=28872 comm="bash" scontext=user_u:system_r:unconfined_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process 
       Was caused by:
               Constraint violation.
               Check policy/constraints.
Typically, you just need to add a type attribute to the domain to satisfy the constraint. 


This is what I get when I piped it through audit2why.
This is a problem with MCS. Basically you are running an unconfined domain at
user_u:system_r:unconfined_t:s0 (s0 is sometimes referred to as SystemLow) 

The process you are trying to kill is running with a range.

root:system_r:unconfined_t:s0-s0:c0.c255  (SystemLow-SystemHigh)
In this version of the policy, there is a constraint that says the domain (scontext) sending the signal needs to "dominate" the target domain (tcontext). 

Since the process does not you get the denial.

Later versions of policy have fixed this problem

You can also change your login to allow you to login in this range.

semanage login -a -r SystemLow-SystemHigh dwalsh

Or if you want all users to have it

semanage login -m -r SystemLow-SystemHigh __default__


/usr/sbin/semanage: Login mapping for root is already defined
This is what I get when I try to set this up for root. I would have assumed root had that authority anyway. This still doesn't explain why I can't kill this process. 

And when I checked with sestatus this is what I get:

[root@blowingrock ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted
If you log in directly as root, you should get the correct context, if you log in as a normal user and then execute su or sudo you will not. 

semanage login -l

Will list your login records

semanage login -m

will modify

semanage login -a

will add
If you do not have a login record for a particular user, they will default to __default__ 


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux