I've been working on a Fedora live CD that runs the MLS policy. When I
log in as root via ssh:
[root@livecd ~]# id -Z
root:staff_r:staff_t:SystemLow-SystemHigh
but if I log in via the console:
[root@livecd ~]# id -Z
system_u:system_r:local_login_t:SystemLow-SystemHigh
On a console login I'm not transitioning into the correct role/type; the
shell stays in local_login_t.
Any pointers on where to look, or what I forgot to create, would be
appreciated.
joe
ls -Z `tty`
crw--w---- root tty system_u:object_r:tty_device_t:SystemLow /dev/tty4
Audit records from a local (console) login:
type=USER_AUTH msg=audit(1172236367.222:134): user pid=2395 uid=0
auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023
msg='PAM: authentication acct=root : exe="/bin/login" (hostname=?,
addr=?, terminal=tty1 res=success)'
type=USER_ACCT msg=audit(1172236367.222:135): user pid=2395 uid=0
auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023
msg='PAM: accounting acct=root : exe="/bin/login" (hostname=?,
addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1172236367.228:136): login pid=2395 uid=0 old
auid=4294967295 new auid=0
type=USER_ROLE_CHANGE msg=audit(1172236367.246:137): user pid=2395
uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023
msg='pam: default-context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
selected-context=?: exe="/bin/login" (hostname=?, addr=?,
terminal=tty1 res=success)'
type=USER_START msg=audit(1172236367.246:138): user pid=2395 uid=0
auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM:
session open acct=root : exe="/bin/login" (hostname=?, addr=?,
terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1172236367.248:140): user pid=2395 uid=0
auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023
msg='uid=0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
res=success)'
type=AVC msg=audit(1172236367.248:141): avc: denied
{ execute_no_trans } for pid=2401 comm="login" name="bash" dev=dm-0
ino=32771 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1172236367.248:141): arch=40000003 syscall=11 success=yes
exit=0 a0=91d56d0 a1=bfde41c0 a2=91d7978 a3=804d2e8 items=0 ppid=2395
pid=2401 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=tty1 comm="bash" exe="/bin/bash"
subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1172236367.248:141): path="/bin/bash"
type=AVC msg=audit(1172236367.301:142): avc: denied { execute }
for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1172236367.301:142): avc: denied
{ execute_no_trans } for pid=2411 comm="bash" name="hostname"
dev=dm-0 ino=32832
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: mls
Process contexts:
Current context:
system_u:system_r:local_login_t:SystemLow-SystemHigh
Init context: system_u:system_r:init_t:SystemLow-
SystemHigh
/sbin/mingetty system_u:system_r:getty_t:SystemLow-
SystemHigh
/usr/sbin/sshd system_u:system_r:sshd_t:SystemLow-
SystemHigh
File contexts:
Controlling term: system_u:object_r:tty_device_t:SystemLow
/etc/passwd system_u:object_r:etc_t:SystemLow
/etc/shadow system_u:object_r:shadow_t:SystemLow
/bin/bash system_u:object_r:shell_exec_t:SystemLow
/bin/login system_u:object_r:login_exec_t:SystemLow
/bin/sh system_u:object_r:bin_t:SystemLow ->
system_u:object_r:shell_exec_t:SystemLow
/sbin/agetty system_u:object_r:getty_exec_t:SystemLow
/sbin/init system_u:object_r:init_exec_t:SystemLow
/sbin/mingetty system_u:object_r:getty_exec_t:SystemLow
/usr/sbin/sshd system_u:object_r:sshd_exec_t:SystemLow
/lib/libc.so.6 system_u:object_r:lib_t:SystemLow ->
system_u:object_r:shlib_t:SystemLow
/lib/ld-linux.so.2 system_u:object_r:lib_t:SystemLow ->
system_u:object_r:ld_so_t:SystemLow