-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/01/2010 03:52 AM, Matthias Imsand wrote:
>
> On 09/30/2010 08:24 PM, Daniel J Walsh wrote:
>> On 09/30/2010 10:18 AM, imsand@xxxxxxxxx wrote:
>>> another interesting thing is the following:
>>> (seen with the debug option in pam_selinux)
>
>>> assuming that the linux user is mat and the corresponding selinux user is
>>> mat_u. during ssh login this happens:
>
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Username=
>>> mat SELinux User = mat_u Level= (null)
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat
>>> security context to mat_u:staff_r:staff_t
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat key
>>> creation context to mat_u:staff_r:staff_t
>
>>> As we can see, the user mapping works as desired and the newly chosen
>>> context should be all right => mat_u:staff_r:staff_t.
>
>>> But then, when I do an id -Z after successful login, the shell's context
>>> is context=user_u:user_r:user_t.
>
>>> Very strange....
>
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>> You got me. If you create the mat_u user and login, does the pam_selinux
>> session look different?
>
>> Why don't you ask on the upstream selinux list. More SLES experience is
>> probably there that is not monitoring this list.
>> <selinux@xxxxxxxxxxxxx>
>
> no, with mat_u it looks similar.
> Username= mat_u SELinux User = mat_u Level= (null)
>
> Do you know which library / process is responsible for actually changing
> the context to mat_u:staff_r:staff_t? Or should it be done directly by
> the pam_selinux.so?
>
> Yes, thank you for the recommendation. I will ask on that list as well..
These functions are all called in pam_selinux, including
getseuserbyname(const char *linuxuser, char **seuser, char **level);
and setexeccon. One thing of note is the default user is user_u, which seems
to be what you are seeing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyl2G4ACgkQrlYvE4MpobPO9QCdGZipXjq6Hj0ZYgmr0lulFdKF
LOMAnjzdeKvNgbewJ+3G8gh6TAFjrhp2
=4C/A
-----END PGP SIGNATURE-----
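As an added example, not code from this thread, from pam_selinux or from libselinux, the C program below models the seusers lookup that getseuserbyname() performs (exact Linux-login match first, otherwise the __default__ entry, which on the system discussed here is what yields user_u), and adds a small check that compares the context pam_selinux logged against what `id -Z` shows afterwards, so a fallback to the default mapping can be told apart from some other mismatch. The inline seusers content, the function names and the return codes are assumptions made for the demo; a real host reads /etc/selinux/<policytype>/seusers, and libselinux applies more rules than this simplified model.

```c
/* seusers_lookup.c - simplified model of the getseuserbyname() mapping.
 * Added example; not libselinux or pam_selinux code. Build: cc -o seusers_lookup seusers_lookup.c */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in the seusers format "linuxuser:seuser[:level]".
 * Assumption for the demo, not a copy of any real system's file. */
static const char SEUSERS_SAMPLE[] =
    "# Linux login -> SELinux user [-> MLS/MCS range]\n"
    "root:unconfined_u:s0-s0:c0.c1023\n"
    "mat:mat_u:s0\n"
    "__default__:user_u:s0\n";

/* Split one "user:seuser[:level]" line in place. Returns 0 on success.
 * The level may itself contain ':' (e.g. s0-s0:c0.c1023), so only the first
 * two colons are separators. */
static int parse_line(char *line, char **user, char **seuser, char **level)
{
    char *c1 = strchr(line, ':');
    if (!c1) return -1;
    *c1 = '\0';
    *user = line;
    *seuser = c1 + 1;
    char *c2 = strchr(*seuser, ':');
    if (c2) { *c2 = '\0'; *level = c2 + 1; } else { *level = NULL; }
    return (**seuser == '\0') ? -1 : 0;
}

/* Model of getseuserbyname(): the first exact login match wins; otherwise
 * the first __default__ entry applies. Returns 1 (exact match), 2 (default
 * mapping used), 0 (no mapping at all). On 1 or 2, *seuser and *level are
 * malloc'd copies (level may be NULL when the entry carries no range). */
int seusers_lookup(const char *text, const char *name, char **seuser, char **level)
{
    char *ex_s = NULL, *ex_l = NULL, *df_s = NULL, *df_l = NULL;
    char *buf = strdup(text);
    if (!buf) { *seuser = NULL; *level = NULL; return 0; }
    char *save = NULL;
    for (char *line = strtok_r(buf, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        while (*line == ' ' || *line == '\t') line++;
        if (*line == '\0' || *line == '#') continue;      /* blank or comment */
        char *u, *s, *l;
        if (parse_line(line, &u, &s, &l) != 0) continue;  /* malformed line */
        if (!ex_s && strcmp(u, name) == 0) {
            ex_s = strdup(s); ex_l = l ? strdup(l) : NULL;
        } else if (!df_s && strcmp(u, "__default__") == 0) {
            df_s = strdup(s); df_l = l ? strdup(l) : NULL;
        }
    }
    free(buf);
    if (ex_s) { free(df_s); free(df_l); *seuser = ex_s; *level = ex_l; return 1; }
    if (df_s) { *seuser = df_s; *level = df_l; return 2; }
    *seuser = NULL; *level = NULL;
    return 0;
}

/* Copy the user field of "user:role:type[:level]" into out. */
static void context_user(const char *ctx, char *out, size_t n)
{
    const char *c = strchr(ctx, ':');
    size_t len = c ? (size_t)(c - ctx) : strlen(ctx);
    if (len >= n) len = n - 1;
    memcpy(out, ctx, len);
    out[len] = '\0';
}

/* Compare the context pam_selinux logged with what `id -Z` shows afterwards.
 * 0: identical; 1: the shell runs as the __default__ seuser, i.e. the
 * login-specific mapping was not applied (the symptom in the thread);
 * 2: some other mismatch (role/type/level differs, user mapping held). */
int diagnose_login_context(const char *pam_ctx, const char *shell_ctx, const char *default_seuser)
{
    if (strcmp(pam_ctx, shell_ctx) == 0) return 0;
    char u[64];
    context_user(shell_ctx, u, sizeof u);
    return strcmp(u, default_seuser) == 0 ? 1 : 2;
}

int main(void)
{
    const char *logins[] = { "mat", "root", "bob" };
    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        char *s, *l;
        int rc = seusers_lookup(SEUSERS_SAMPLE, logins[i], &s, &l);
        printf("%-5s -> seuser=%s level=%s (%s)\n", logins[i],
               s ? s : "(none)", l ? l : "(null)",
               rc == 1 ? "exact" : rc == 2 ? "__default__" : "unmapped");
        free(s); free(l);
    }
    /* The thread's observation: pam_selinux set mat_u:staff_r:staff_t, id -Z shows user_u. */
    printf("diagnosis: %d\n",
           diagnose_login_context("mat_u:staff_r:staff_t", "user_u:user_r:user_t", "user_u"));
    return 0;
}
```

On a real host, the equivalent inputs are the `__default__` line of /etc/selinux/<policytype>/seusers (or `semanage login -l` on distributions that ship policycoreutils) and the context from `id -Z` in the new session; a diagnosis of 1 means the session ended up under the default mapping even though the per-login lookup succeeded, which is what the log excerpt above shows.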