Re: new user types

On Fri, 2008-02-08 at 08:59 -0500, Stephen Smalley wrote:
> On Thu, 2008-02-07 at 17:14 -0600, Jeremiah Jahn wrote:
> > I can't seem to login as the right user, and I'm not sure what I missed.
> > 
> > I added the following roles and users to my monetra.te file:
> > 
> > 
> > #admin roles
> > role monetra_admin_r types monetra_t;
> > role monetra_admin_r types monetra_lib_t;
> 
> role-type statements are only required for domain types, not file types.
> Files use the generic object_r role.
thanx.


> 
> > #client roles
> > role monetra_client_r types monetra_t;
> > role monetra_client_r types monetra_lib_t;
> > role monetra_client_r types monetra_client_t;
> > 
> > #monetra users
> > user monetra_u roles { monetra_client_r monetra_admin_r } level s0 range s0 - s0;
> > 
> > 
> > 
> > 
> > I ran the add login command:
> > semanage login -a -s monetra_u bob
> > 
> > 
> > 
> > I get the following output:
> > [root@xxx ~]# semanage login -l
> > 
> > Login Name                SELinux User              MLS/MCS Range            
> > 
> > __default__               user_u                    s0                       
> > root                      root                      s0-s0:c0.c255            
> > system_u                  system_u                  s0-s0:c0.c255            
> > bob                      monetra_u                 s0                       
> > 
> > [root@xxx ~]# semanage user -l
> > 
> >                 Labeling   MLS/       MLS/                          
> > SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
> > 
> > 
> > monetra_u       user       s0         s0                             monetra_admin_r monetra_client_r
> > root            sysadm     s0         s0-s0:c0.c255                  sysadm_r staff_r
> > staff_u         staff      s0         s0-s0:c0.c255                  sysadm_r staff_r
> > sysadm_u        sysadm     s0         s0-s0:c0.c255                  sysadm_r
> > system_u        user       s0         s0-s0:c0.c255                  system_r
> > unconfined_u    unconfined s0         s0-s0:c0.c255                  unconfined_r
> > user_u          user       s0         s0                             user_r
> > 
> > yet when I login I get:
> > [bob@xxx ~]$ id -Z
> > system_u:system_r:unconfined_t:s0-s0:c0.c255
> > 
> > 
> > thanx for any help you can give.
> 
> First, by login, I assume you mean a real login (via console login, gdm,
> or ssh), not just a su.  su doesn't change SELinux context in RHEL 5.
correct.

> 
> Second, have you authorized a domain transition from the domain in which
> the login process is running to your new domain?
can you give me a quick pointer as to where to go to find an example of
this? userdomain.te didn't help, nor locallogin.te. I need to both do it
from the console, and from ssh. And one other dumb question, what the
heck are prefixes, and how do they apply to this? 

Command, n.: Statement presented by a human and accepted by a computer
in such a manner as to make the human feel as if he is in control.
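Added example, not from this thread: the minimum set of statements Stephen's second question refers to, written in kernel policy language against the declarations already in monetra.te (monetra_client_t, monetra_client_r, monetra_u). The names local_login_t, sshd_t, shell_exec_t and system_r, and the contexts/users path, are standard refpolicy names assumed here; refpolicy normally supplies rules like these through the templates in userdomain.if rather than by hand.

```selinux
# Added example (not from the thread).  What the login programs need in order
# to start bob's shell in monetra_client_t instead of the login domain's own
# default.  Assumes monetra_client_t and monetra_client_r are already declared
# in monetra.te; the other names are assumed standard refpolicy names.

require {
	type local_login_t, sshd_t, shell_exec_t;
	role system_r;
}

# 1. The role must be authorized for the domain type (already in monetra.te).
role monetra_client_r types monetra_client_t;

# 2. login and sshd run as system_r.  Changing role on exec is refused unless
#    a role allow rule permits system_r -> monetra_client_r.
allow system_r monetra_client_r;

# 3. The login domain must be allowed to transition to the new domain,
#    once for console login and once for ssh ...
allow local_login_t monetra_client_t:process transition;
allow sshd_t monetra_client_t:process transition;

# 4. ... and the new domain may only be entered by executing a shell.
allow monetra_client_t shell_exec_t:file entrypoint;

# 5. The policy only *permits* the transition; the login program still has to
#    be told which context to request for this SELinux user.  Assumed path:
#      /etc/selinux/<policytype>/contexts/users/monetra_u
#    with one line per login domain (login_context  default_context):
#      system_r:local_login_t:s0  monetra_client_r:monetra_client_t:s0
#      system_r:sshd_t:s0         monetra_client_r:monetra_client_t:s0
#    Without such an entry the login falls back to default_contexts, which is
#    why bob ends up in the generic domain shown by id -Z above.

# On the "prefix" question: the Labeling Prefix column of semanage user -l is
# what genhomedircon substitutes for ROLE in the home directory template, so a
# prefix of "user" labels bob's home directory user_home_dir_t / user_home_t.
# It selects file labels, not the login domain.
```

Until all of steps 1 to 5 are in place, `ausearch -m AVC` (or /var/log/audit/audit.log) after a failed login shows which of the transition, entrypoint or role checks is the one still denying.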
