Stephen Smalley wrote:
On Thu, 2004-04-15 at 17:29, Stephen Smalley wrote:
Yes, I think that this was wrong earlier in default_contexts and
subsequently changed. console login might still default to sysadm_r.
No, looks like the latest default_contexts also puts staff_r before sysadm_r for console logins, so those should also go to staff_r by default for non-root users authorized for both roles.
Note that you may need to restorecon /root/.default_contexts to get it
into the right type; otherwise, login/sshd/gdm can't read it.
I have added a /root/.default_contexts in policy*rpm.
This allows users logging into root to default to sysadm_r and everywhere else as staff_r/or user_r.
There is a comment in the /root/.default_contexts that you could change to allow sshd to automatically
pick sysadm_r when logging in via ssh. (This is a potential security hole).
Please check out these contexts to verify they make sense.
Today's policy has the changes.
Dan
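
The ordering behaviour discussed in this thread, as an added example that is not part of the original messages or the policy package: a simplified Python model of how the first listed role a user is authorized for becomes the login default, with a per-user file taking precedence. The file contents are constructed samples in an assumed `role:type` layout, the function names are hypothetical, and the real libselinux lookup also checks policy reachability, which this model omits.

```python
# Simplified model of default-role selection from default_contexts-style files.
# Assumption: each line is "<login process context> <candidate contexts in priority order>".

# Constructed sample standing in for the system-wide default_contexts.
SYSTEM_DEFAULTS = """\
# staff_r is listed before sysadm_r for both console and ssh logins
system_r:local_login_t  staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:sshd_t         staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
"""

# Constructed sample standing in for /root/.default_contexts.
ROOT_OVERRIDE = """\
system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
system_r:sshd_t         staff_r:staff_t sysadm_r:sysadm_t
"""


def parse(text):
    """Return {login process context: [candidate contexts in file order]}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            table[fields[0]] = fields[1:]
    return table


def default_context(login_ctx, authorized_roles, system, override=None):
    """First candidate whose role the user holds; the per-user file is tried first."""
    for table in (override, system):
        for ctx in (table or {}).get(login_ctx, []):
            if ctx.split(":")[0] in authorized_roles:
                return ctx
    return None


def remote_admin_defaults(table, remote=("system_r:sshd_t",), admin="sysadm_r"):
    """Remote login entries whose first candidate is the admin role."""
    flagged = []
    for key in remote:
        candidates = table.get(key) or [""]
        if candidates[0].split(":")[0] == admin:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    system, root = parse(SYSTEM_DEFAULTS), parse(ROOT_OVERRIDE)
    both = {"staff_r", "sysadm_r"}
    print(default_context("system_r:local_login_t", both, system))        # non-root user
    print(default_context("system_r:local_login_t", both, system, root))  # root on console
    print(remote_admin_defaults(root))
```
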