On Fri, 2007-07-20 at 10:07 -0400, Daniel J Walsh wrote:
> Forrest Taylor wrote:
> > On Thu, 2007-07-19 at 16:30 -0400, Daniel J Walsh wrote:
> >
> >> Forrest Taylor wrote:
> >>
> >>> On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
> >>>
> >>>> Forrest Taylor wrote:
> >>>>
> >>>>> I have a user that has a category different than the default. When I
> >>>>> log in to the GUI or via ssh, the category is set. However, when I
> >>>>> login to the text console, the category is not set. Is this a bug in
> >>>>> login or do I have unreasonable expectations?
> >>>>>
> >>>>> # semanage translation -l
> >>>>> s0:c1 admin1
> >>>>>
> >>>>> # semanage login -l
> >>>>> student user_u admin1
> >>>>>
> >>>>> Through ssh/GUI:
> >>>>> $ id -Z
> >>>>> user_u:system_r:unconfined_t:admin1
> >>>>>
> >>>>> Through text console:
> >>>>> $ id -Z
> >>>>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
> >>>>>
> >>>>> Now that I write this, I notice that the user and role have changed as
> >>>>> well. I also notice this in the audit log:
> >>>>>
> >>>>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
> >>>>> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> >>>>> msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1
> >>>>> selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> >>>>> res=success)'
> >>>>>
> >>>>> This is running on RHEL 5.0.0 targeted policy. Any clues?
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Forrest
> >>>>>
> >>>>> ------------------------------------------------------------------------
> >>>>>
> >>>>> --
> >>>>> fedora-selinux-list mailing list
> >>>>> fedora-selinux-list@xxxxxxxxxx
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>>>>
> >>>> This looks like a bug.
> >>>>
> >>>> But a lot of fixes were added for 5.1 for MLS policy and this might have
> >>>> been one of them. Since this is pretty fundamental to mls.
> >>>>
> >>>> A prerelease of the mls packages is available at
> >>>>
> >>>> http://people.redhat.com/sgrubb/files/lspp/
> >>>>
> >>> Yes, that fixed the problem. I pointed yum to Steve's repo and
> >>> installed all the updates. Now I get this context:
> >>>
> >>> user_u:system_r:unconfined_t::admin1
> >>>
> >>> Interesting that it has :: before admin1. I assume that this tells us
> >>> that admin1 is defined as both a security level and a category.
> >>> Although this doesn't hold true for root:
> >>>
> >>> root:system_r:unconfined_t:-SystemHigh
> >>>
> >>> Why does root have -SystemHigh (why the dash)? Turning off mcstrans
> >>> shows that it is s0-s0:c0.c1023, so how is that translated to
> >>> -SystemHigh, and why doesn't it have :: ?
> >>>
> >>> Thanks,
> >>>
> >>> Forrest
> >>>
> >> This looks like a translation problem. You have s0->"" So this is really
> >>
> >> s0:admin1
> >> s0-SystemHigh
> >>
> >
> > True. BTW, why isn't s0 defined by default? Shouldn't it be SystemLow?
> >
> > Forrest
> >
> Just saving terminal space. Since 99.99 % of the people in the world do
> not use MCS/MLS. We decided to translate
> s0 == "" and save terminal/screen real estate.

Makes sense (I love efficiency), and it is easy enough to define yourself.

Forrest