On 03/30/2011 08:45 PM, Daniel J Walsh wrote:
> On 03/30/2011 02:21 PM, Dominick Grift wrote:
>> On 03/30/2011 08:18 PM, Dominick Grift wrote:
>>> On 03/30/2011 08:07 PM, Dominick Grift wrote:
>>>> On 03/30/2011 07:56 PM, Dominick Grift wrote:
>>>>> $ sesearch --allow -SC -T | grep unconfined_login
>>>>> ERROR: policydb version 25 does not match my version range 15-24
>>>>> ERROR: Unable to open policy /etc/selinux/targeted/policy/policy.25.
>>>>> ERROR: Success
>
>>>>> By the way: looks like if I set unconfined_login to off that then
>>>>> sulogin_t is not allowed to execute shell_exec_t?
>
>>>> I meant on instead of off, I think it's because my root was mapped to
>>>> unconfined_u: so at least that part of unconfined_login works.
>
>>> ifdef(`enable_mls',`
>>>     sysadm_shell_domtrans(sulogin_t)
>>> ',`
>>>     optional_policy(`
>>>         unconfined_shell_domtrans(sulogin_t)
>>>     ')
>>> ')
>
>>> should that not be:
>
>>> sysadm_shell_domtrans(sulogin_t)
>
>>> ifndef(`enable_mls',`
>>>     optional_policy(`
>>>         unconfined_shell_domtrans(sulogin_t)
>>>     ')
>>> ')
>
>>> Because one can also map root to sysadm_u in targeted policy.
>
>> BTW I suspect we also need this in ssh.te;
>
>> ifndef(`enable_mls',`
>>     optional_policy(`
>>         unconfined_shell_domtrans(sshd_t)
>>     ')
>> ')

No, it's already there. Something else is wrong. I suspect that it may be
conflicting with ssh_sysadm_login since unconfined_t is also an unpriv user.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
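
The sesearch error quoted at the start of the thread is a mismatch between the policydb version of the installed binary policy and the range the tool supports. As an added example (not part of the original thread), this Python sketch reads the version field from a binary kernel policy header and checks it against a tool's range; the function names are hypothetical, the sample headers are constructed, and the header layout assumed is little-endian magic, string length, "SE Linux", version.

```python
import struct
import sys

POLICYDB_MAGIC = 0xF97CFF8C    # magic number of a binary kernel policy
POLICYDB_STRING = b"SE Linux"  # identifier string that follows the magic


def read_policy_version(data: bytes) -> int:
    """Return the policydb version stored in a binary kernel policy header."""
    if len(data) < 8:
        raise ValueError("truncated header")
    magic, strlen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("not a kernel policy (magic 0x%08x)" % magic)
    if data[8:8 + strlen] != POLICYDB_STRING:
        raise ValueError("unexpected policy identifier string")
    off = 8 + strlen
    if len(data) < off + 4:
        raise ValueError("truncated header (no version field)")
    (version,) = struct.unpack_from("<I", data, off)
    return version


def supported(version: int, lo: int, hi: int) -> bool:
    """True if a tool supporting versions lo..hi can open this policy."""
    return lo <= version <= hi


def make_header(version: int) -> bytes:
    """Build a constructed header for demonstration (not a full policy)."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING + struct.pack("<I", version))


# Constructed samples: the version from the error message and the tool's maximum.
SAMPLE_V25 = make_header(25)
SAMPLE_V24 = make_header(24)

if __name__ == "__main__":
    # With a path argument, inspect a real policy file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(64)
    else:
        data = SAMPLE_V25
    v = read_policy_version(data)
    # 15-24 is the range reported in the quoted sesearch error.
    state = "ok" if supported(v, 15, 24) else "outside tool range 15-24"
    print("policydb version %d: %s" % (v, state))
```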