Tom Diehl wrote:
On Mon, 2 Jan 2006, Daniel J Walsh wrote:
Tom Diehl wrote:
Hi all,
I have an EL4 box that every time I do su - vmail I get the following warnings
in the log:
Dec 31 12:25:22 roger su(pam_unix)[2055]: session opened for user vmail by root(uid=0)
Dec 31 12:25:22 roger su[2055]: Warning! Could not relabel /dev/pts/3 with user_u:object_r:initrc_devpts_t, not relabeling.Operation not permitted
(roger pts4) # ll -Z /dev/pts/3
crw------- root tty root:object_r:initrc_devpts_t /dev/pts/3
(roger pts4) #

Not sure why your tty is labeled initrc_devpts_t. You could try to
remove pam_selinux.so lines from your /etc/pam.d/su file and this should
work fine.

This is a fully updated stock EL4 installation with no mods to pam or selinux.
Is this some kind of bug or do the tty's need to be relabeled?? As far as I
can tell, everything is working normally except for the warnings. In addition
I looked a little harder and the warnings are showing up whenever I "su -" to
any user.
What if any downside is there to removing the pam_selinux.so lines as you
suggested above?
I would prefer to understand what is going on here. Unfortunately it is taking
me way longer than I would like, to understand selinux. :-(

The pam_selinux.so lines were originally put in for strict/mls policy.
They should have no effect for targeted policy, as you are seeing. The
problem is that they are trying to set the file context on a
controlling terminal and policy is not allowing this. But this has no
effect since you end up logging in as unconfined anyways.

Regards,
Tom Diehl tdiehl@xxxxxxxxxxxx Spamtrap address mtd123@xxxxxxxxxxxx
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
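
Added example, not part of the original thread: a small triage script that ties the relabel warning quoted above to the policy type and the pam_selinux.so lines discussed in the replies. The function names, verdict strings and sample file contents are assumptions constructed for illustration; on a real host the inputs would be /etc/selinux/config, /etc/pam.d/su and the system log.

```shell
#!/bin/sh
# Added example: triage the su "Could not relabel" warning from this thread.
# All sample file contents below are constructed, not taken from a real host.

# Print the SELINUXTYPE value (e.g. targeted, strict) from an SELinux config file.
policy_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$1" | tail -n 1
}

# Count active (non-comment) PAM lines that load pam_selinux.so.
pam_selinux_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'pam_selinux\.so'
}

# Print "tty context" for each relabel warning logged by su.
relabel_warnings() {
    sed -n 's/.* su\[[0-9]*]: Warning! Could not relabel \([^ ]*\) with \([^ ,]*\),.*/\1 \2/p' "$1"
}

# Classify the warning; args: selinux_config pam_file log_file (verdict names are hypothetical).
triage() {
    warns=$(relabel_warnings "$3" | wc -l | tr -d ' ')
    [ "$warns" -eq 0 ] && { echo "no-warnings"; return; }
    if [ "$(policy_type "$1")" = targeted ] && [ "$(pam_selinux_count "$2")" -gt 0 ]; then
        echo "cosmetic-under-targeted"   # the case the reply in this thread describes
    else
        echo "needs-review"              # assumption: other policy types are not covered by the thread
    fi
}

# Constructed sample inputs so the script runs offline.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/config"
printf 'auth sufficient pam_rootok.so\n#session required pam_selinux.so close\nsession required pam_selinux.so open\n' > "$d/su"
cat > "$d/messages" <<'EOF'
Dec 31 12:25:22 roger su(pam_unix)[2055]: session opened for user vmail by root(uid=0)
Dec 31 12:25:22 roger su[2055]: Warning! Could not relabel /dev/pts/3 with user_u:object_r:initrc_devpts_t, not relabeling.Operation not permitted
EOF

relabel_warnings "$d/messages"
triage "$d/config" "$d/su" "$d/messages"
```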