Re: Text console not setting category

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2007-07-20 at 10:07 -0400, Daniel J Walsh wrote:
> Forrest Taylor wrote:
> > On Thu, 2007-07-19 at 16:30 -0400, Daniel J Walsh wrote:
> >   
> >> Forrest Taylor wrote:
> >>     
> >>> On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
> >>>   
> >>>       
> >>>> Forrest Taylor wrote:
> >>>>     
> >>>>         
> >>>>> I have a user that has a category different than the default.  When I
> >>>>> log in to the GUI or via ssh, the category is set.  However, when I
> >>>>> login to the text console, the category is not set.  Is this a bug in
> >>>>> login or do I have unreasonable expectations?
> >>>>>
> >>>>> # semanage translation -l 
> >>>>> s0:c1     admin1
> >>>>>
> >>>>> # semanage login -l
> >>>>> student   user_u    admin1
> >>>>>
> >>>>> Through ssh/GUI:
> >>>>> $ id -Z
> >>>>> user_u:system_r:unconfined_t:admin1
> >>>>>
> >>>>> Through text console:
> >>>>> $ id -Z
> >>>>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
> >>>>>
> >>>>> Now that I write this, I notice that the user and role have changed as
> >>>>> well.  I also notice this in the audit log:
> >>>>>
> >>>>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
> >>>>> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> >>>>> msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
> >>>>> context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> >>>>> res=success)'
> >>>>>
> >>>>> This is running on RHEL 5.0.0 targeted policy.  Any clues?
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Forrest
> >>>>>   
> >>>>> ------------------------------------------------------------------------
> >>>>>
> >>>>> --
> >>>>> fedora-selinux-list mailing list
> >>>>> fedora-selinux-list@xxxxxxxxxx
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>>>>       
> >>>>>           
> >>>> This looks like a bug.
> >>>>
> >>>>
> >>>> But a lot of fixes were added for 5.1 for MLS policy and this might have 
> >>>> been one of them.  Since this is pretty fundamental to mls.
> >>>>
> >>>> A prerelease of the mls packages is available at
> >>>>
> >>>> http://people.redhat.com/sgrubb/files/lspp/
> >>>>     
> >>>>         
> >>> Yes, that fixed the problem.  I pointed yum to Steve's repo and
> >>> installed all the updates.  Now I get this context:
> >>>
> >>> user_u:system_r:unconfined_t::admin1
> >>>
> >>> Interesting that it has :: before admin1.  I assume that this tells us
> >>> that admin1 is defined as both a security level and a category.
> >>> Although this doesn't hold true for root:
> >>>
> >>> root:system_r:unconfined_t:-SystemHigh
> >>>
> >>> Why does root have -SystemHigh (why the dash)?  Turning off mcstrans
> >>> shows that it is s0-s0:c0.c1023, so how is that translated to -
> >>> SystemHigh, and why doesn't it have :: ?
> >>>
> >>> Thanks,
> >>>
> >>> Forrest
> >>>   
> >>>       
> >> This looks like a translation problem.   You have s0->""  So this is really
> >>
> >> s0:admin1
> >> s0-SystemHigh
> >>     
> >
> > True.  BTW, why isn't s0 defined by default?  Shouldn't it be SystemLow?
> >
> > Forrest
> >   
> Just saving terminal space.  Since 99.99 % of the people in the world do 
> not use MCS/MLS.  We decided to translate
> s0 == "" and save terminal/screen real estate.

Makes sense (I love efficiency), and it is easy enough to define
yourself.

Forrest

Attachment: signature.asc
Description: This is a digitally signed message part

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux