-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/30/2010 10:18 AM, imsand@xxxxxxxxx wrote: > another interesting thing is the following: > (seen with the debug option in pam_selinux) > > assuming that the linux user is mat and the corresponding selinux user is > mat_u. during ssh login this happens: > > Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session > Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Open Session > Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): Username= > mat SELinux User = mat_u Level= (null) > Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat > security context to mat_u:staff_r:staff_t > Sep 30 16:09:49 testsrv sshd[4328]: pam_selinux(sshd:session): set mat key > creation context to mat_u:staff_r:staff_t > > As we can see, the user mapping works as desired and the new choosen > context should be all right => mat_u:staff_r:staff_t. > > But then, when I do an id -Z after successful login, the shell's context > is context=user_u:user_r:user_t. > > Very strange.... > > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux > > You got me. If you create the mat_u user and login does the pam_selinux session look different? Why don't you ask on the upstream selinux list. More sles experience is probably there that is not monitoring this list. <selinux@xxxxxxxxxxxxx> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkyk1dMACgkQrlYvE4MpobO7cQCeJt8x3QmnammA6NahRasyuK8l jR8AnjmTIhLgBTOvBgJlhSqW9vm9fMt8 =Hx39 -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
