On 10/01/2010 03:52 AM, Matthias Imsand wrote:
> On 09/30/2010 08:24 PM, Daniel J Walsh wrote:
>> On 09/30/2010 10:18 AM, imsand@xxxxxxxxx wrote:
>>> another interesting thing is the following:
>>> (seen with the debug option in pam_selinux)
>>>
>>> assuming that the linux user is mat and the corresponding selinux user is
>>> mat_u. during ssh login this happens:
>>>
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Username= mat SELinux User = mat_u Level= (null)
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat security context to mat_u:staff_r:staff_t
>>> Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat key creation context to mat_u:staff_r:staff_t
>>>
>>> As we can see, the user mapping works as desired and the new chosen
>>> context should be all right => mat_u:staff_r:staff_t.
>>>
>>> But then, when I do an id -Z after successful login, the shell's context
>>> is context=user_u:user_r:user_t.
>>>
>>> Very strange....
>>
>> You got me. If you create the mat_u user and login does the pam_selinux
>> session look different?
>>
>> Why don't you ask on the upstream selinux list. More sles experience is
>> probably there that is not monitoring this list.
>> <selinux@xxxxxxxxxxxxx>
>
> no, with mat_u it looks similar.
> Username= mat_u SELinux User = mat_u Level= (null)
>
> Do you know which library / process is responsible for actually changing
> the context to mat_u:staff_r:staff_t? Or should it be done directly by
> the pam_selinux.so?
>
> Yes, thank you for the recommendation. I will ask on that list as well..
>
> These functions are all called in pam_selinux including
> getseuserbyname(const char *linuxuser, char **seuser, char **level);
> And setexeccon.

One thing of note is the default user is user_u which seems to be what you are seeing.

So, there must be a bug in pam_selinux, isn't it? What do you recommend doing next?

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
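An added example in Python, not from the thread, that shows how to check a login like the one above: it parses pam_selinux debug lines to recover the context pam_selinux announced, compares that field by field with what `id -Z` reported afterwards, and mimics the getseuserbyname() lookup over a seusers file with its `__default__` entry, which is where a user_u context comes from when no mapping applies. The `login:seuser:range` seusers layout is the real one; the file contents and log lines below are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed pam_selinux debug lines, modelled on the ones quoted in the thread.
PAM_LOG = """\
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Username= mat SELinux User = mat_u Level= (null)
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat security context to mat_u:staff_r:staff_t
Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat key creation context to mat_u:staff_r:staff_t
"""

# Constructed seusers file in the real login:seuser:range layout; __default__
# is the fallback returned for any login without its own entry.
SEUSERS = """\
__default__:user_u:s0
root:root:s0-s0:c0.c1023
mat:mat_u:s0
"""

USER_RE = re.compile(r"Username=\s*(\S+) SELinux User = (\S+) Level=\s*(\S+)")
CTX_RE = re.compile(r"set (\S+) (security|key creation) context to (\S+)")


def parse_pam_selinux(log: str) -> Dict[str, str]:
    """Collect what pam_selinux reports having done for the session in `log`."""
    out: Dict[str, str] = {}
    for line in log.splitlines():
        if m := USER_RE.search(line):
            out.update(user=m[1], seuser=m[2], level=m[3])  # level "(null)" = none
        elif m := CTX_RE.search(line):
            key = "exec_context" if m[2] == "security" else "keycreate_context"
            out[key] = m[3]
    return out


def lookup_seuser(seusers: str, login: str) -> Tuple[str, Optional[str]]:
    """Mimic getseuserbyname(): exact login match first, else the __default__ row."""
    table: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in seusers.splitlines():
        if line and not line.startswith("#"):
            name, seuser, *rng = line.split(":", 2)  # range may hold ':' itself
            table[name] = (seuser, rng[0] if rng else None)
    return table.get(login) or table["__default__"]


def context_mismatch(expected: str, observed: str) -> Dict[str, Tuple[str, str]]:
    """Fields (user/role/type) where the `id -Z` output disagrees with pam_selinux."""
    if observed.startswith("context="):
        observed = observed[len("context="):]
    pairs = zip(("user", "role", "type"), expected.split(":"), observed.split(":"))
    return {name: (e, o) for name, e, o in pairs if e != o}
```

Feeding the thread's `id -Z` value `context=user_u:user_r:user_t` to `context_mismatch` against the parsed `exec_context` flags all three fields, which separates "mapping never happened" (no mismatch in the log, `__default__` hit) from "mapping announced but not in effect".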