Created attachment 538886
emerge information

There seems to be an issue when root runs `su' with SELinux enabled. There does not seem to be a problem when other users run `su'. The following occurs:

-- BEGIN ERROR --
[root@domain][~]# su - rtorrent
su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault
[root@domain][~]#
-- END ERROR --

I tried allowing the only two denials that I see related to `su' in dmesg:

-- BEGIN TEXT --
[root@domain][/etc/selinux/mcs/policy]# audit2allow -M tmp
[542047.056105] audit: type=1400 audit(1531099090.236:1141): avc: denied { signal } for pid=1354 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0
[542047.052500] audit: type=1400 audit(1531099090.233:1140): avc: denied { create } for pid=1354 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=netlink_selinux_socket permissive=0
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i tmp.pp

[root@domain][/etc/selinux/mcs/policy]# semodule -i tmp.pp
[root@domain][/etc/selinux/mcs/policy]# su - rtorrent
su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Aborted
[root@domain][/etc/selinux/mcs/policy]# semodule -r tmp
libsemanage.semanage_direct_remove_key: Removing last tmp module (no other tmp module exists at another priority).
-- END TEXT --

And then removed the module as it did not seem to have any benefit.

dmesg shows this:

'[543295.214129] traps: su[3024] general protection ip:7f11e4cfca0b sp:7ffe5c06fde0 error:0 in libc-2.26.so[7f11e4cdc000+1c7000]'

I tried to re-emerge 'sys-apps/shadow-4.6::gentoo' with no success.

I am not able to use `strace` so I cannot provide that information:

-- BEGIN STRACE --
[root@domain][/etc/selinux/mcs/policy]# strace su - rtorrent
execve("/bin/su", ["su", "-", "rtorrent"], 0x7ffe77076480 /* 26 vars */) = -1 EPERM (Operation not permitted)
fstat(2, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
write(2, "strace: exec: Operation not perm"..., 38strace: exec: Operation not permitted
) = 38
getpid() = 3163
exit_group(1) = ?
+++ exited with 1 +++
[root@ldomain][/etc/selinux/mcs/policy]#
-- END STRACE --

The VPS seems fine other than this, which has been an issue for a few months since I put an SELinux policy in place. Please let me know what more information I can provide. This is an 'mcs' policy.
Fixed in 2.20180701-r1