On Mon, 2008-02-04 at 19:44 -0500, Hasan Rezaul-CHR010 wrote: > Hi Dave, > > I forgot to mention that, after doing the un-tarring of the policy > collection, I did run the restorecon command: > > restorecon -rF / > restorecon -rF /etc/ > > And I did try running /usr/sbin/load_policy > > ... If I ssh in as Admin, I still get the wrong user context of > staff_u:sysadm_r:sysadm_t:s0 :-( > > But if I reboot the machine, and then ssh in as Admin, I get the correct > user context of staff_u:staff_r:staff_t !! > > Is there any other hidden thing that the reboot does that helps in > setting the user contexts correctly ? > > Thanks again for all the help... The logic for computing the login context for users is based on the context of the caller (e.g. the context in which the login process runs) as well as the authorized contexts for the user. For example, policy might allow a user to login at the console (local_login_t) as sysadm_r while preventing him from logging in directly into sysadm_r when logging in via ssh (sshd_t). Thus, if you merely untar the directory, reload policy, and relabel, your existing processes may still be running in the wrong contexts, and this can affect the context computed for login. A reboot ensures that everything transitions properly as defined by policy. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
