On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
> Forrest Taylor wrote:
> > I have a user that has a category different than the default. When I
> > log in to the GUI or via ssh, the category is set. However, when I
> > login to the text console, the category is not set. Is this a bug in
> > login or do I have unreasonable expectations?
> >
> > # semanage translation -l
> > s0:c1 admin1
> >
> > # semanage login -l
> > student user_u admin1
> >
> > Through ssh/GUI:
> > $ id -Z
> > user_u:system_r:unconfined_t:admin1
> >
> > Through text console:
> > $ id -Z
> > system_u:system_r:unconfined_t:SystemLow-SystemHigh
> >
> > Now that I write this, I notice that the user and role have changed as
> > well. I also notice this in the audit log:
> >
> > type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
> > uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> > msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
> > context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> > res=success)'
> >
> > This is running on RHEL 5.0.0 targeted policy. Any clues?
> >
> > Thanks,
> >
> > Forrest
> >
> > ------------------------------------------------------------------------
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> This looks like a bug.
>
>
> But a lot of fixes were added for 5.1 for MLS policy and this might have
> been one of them. Since this is pretty fundamental to mls.
>
> A prerelease of the mls packages is available at
>
> http://people.redhat.com/sgrubb/files/lspp/

Yes, that fixed the problem. I pointed yum to Steve's repo and installed
all the updates. Now I get this context:

user_u:system_r:unconfined_t::admin1

Interesting that it has :: before admin1. I assume that this tells us
that admin1 is defined as both a security level and a category.
Although this doesn't hold true for root:

root:system_r:unconfined_t:-SystemHigh

Why does root have -SystemHigh (why the dash)? Turning off mcstrans
shows that it is s0-s0:c0.c1023, so how is that translated to
-SystemHigh, and why doesn't it have :: ?

Thanks,

Forrest