Daniel J Walsh wrote:
/usr/sbin/audit2why < audit.meh
Nov 8 10:34:26 localhost kernel: audit(1163000066.441:216): avc:
denied { sigkill } for pid=28872 comm="bash"
scontext=user_u:system_r:unconfined_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=process
Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to
the domain to satisfy the constraint.
This is what I get when I piped it through audit2why.
This is a problem with MCS. Basically you are running an unconfined
domain at
user_u:system_r:unconfined_t:s0 (s0 is sometimes referred to as
SystemLow)
The process you are trying to kill is running with a range.
root:system_r:unconfined_t:s0-s0:c0.c255 (SystemLow-SystemHigh)
In this version of the policy, there is a constraint that says the
domain (scontext) sending the signal needs to "dominate" the target
domain (tcontext).
Since the process does not you get the denial.
Later versions of policy have fixed this problem
You can also change your login to allow you to login in this range.
semanage login -a -r SystemLow-SystemHigh dwalsh
Or if you want all users to have it
semanage login -m -r SystemLow-SystemHigh __default__
/usr/sbin/semanage: Login mapping for root is already defined
This is what I get when I try to set this up for root. I would have
assumed root had that authority anyway. This still doesn't explain why
I can't kill this process.
And when I checked with sestatus this is what I get:
[root@blowingrock ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 20
Policy from config file: targeted
--
Ceterum censeo, Carthago delenda est.
Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415