On 09/30/2010 08:24 PM, Daniel J Walsh wrote:
> On 09/30/2010 10:18 AM, imsand@xxxxxxxxx wrote:
>> another interesting thing is the following:
>> (seen with the debug option in pam_selinux)
>
>> assuming that the linux user is mat and the corresponding selinux user is
>> mat_u. during ssh login this happens:
>
>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Username=
>> mat SELinux User = mat_u Level= (null)
>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat
>> security context to mat_u:staff_r:staff_t
>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat key
>> creation context to mat_u:staff_r:staff_t
>
>> As we can see, the user mapping works as desired and the new chosen
>> context should be all right => mat_u:staff_r:staff_t.
>
>> But then, when I do an id -Z after successful login, the shell's context
>> is context=user_u:user_r:user_t.
>
>> Very strange....
>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> You got me. If you create the mat_u user and login does the pam_selinux
> session look different?
>
> Why don't you ask on the upstream selinux list. More sles experience is
> probably there that is not monitoring this list.
> <selinux@xxxxxxxxxxxxx>
>

No, with mat_u it looks similar.
Username= mat_u SELinux User = mat_u Level= (null)

Do you know which library / process is responsible for actually changing the
context to mat_u:staff_r:staff_t? Or should it be done directly by the
pam_selinux.so?

Yes, thank you for the recommendation. I will ask on that list as well.
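
A small check for the mismatch described in this message, as an added example that is not part of the original thread: it pulls the context pam_selinux logged for a login out of the debug lines and compares it, field by field, with the context the shell reports. The sample log is constructed from the lines quoted above (with the mail client's line wrapping undone), and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the pam_selinux debug lines quoted in the thread.
SAMPLE_LOG = """\
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Username= mat SELinux User = mat_u Level= (null)
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat security context to mat_u:staff_r:staff_t
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat key creation context to mat_u:staff_r:staff_t
"""

# Matches only the "security context" line, not the "key creation context" one.
SET_CTX = re.compile(
    r"\[(?P<pid>\d+)\]: pam_selinux\([^)]+\): "
    r"set (?P<user>\S+) security context to (?P<ctx>\S+)"
)
FIELDS = ("user", "role", "type", "level")


def requested_contexts(log_text):
    """Return {(sshd pid, linux user): context pam_selinux said it set}."""
    found = {}
    for line in log_text.splitlines():
        m = SET_CTX.search(line)
        if m:
            found[(int(m["pid"]), m["user"])] = m["ctx"]
    return found


def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    ctx = ctx.strip()
    if ctx.startswith("context="):  # form printed by plain `id`
        ctx = ctx[len("context="):]
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return dict(zip(FIELDS, parts))


def compare(requested, observed):
    """List (field, requested, observed) for every field that differs."""
    req, obs = split_context(requested), split_context(observed)
    return [(f, req.get(f), obs.get(f)) for f in FIELDS if req.get(f) != obs.get(f)]


if __name__ == "__main__":
    for (pid, user), ctx in requested_contexts(SAMPLE_LOG).items():
        # Observed value as reported in the thread after login.
        for field, want, got in compare(ctx, "context=user_u:user_r:user_t"):
            print(f"sshd[{pid}] {user}: {field} requested {want}, shell has {got}")
```
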