On 10/31/10 18:36, Hasan Rezaul-CHR010 wrote:
> Hi All,
>
> I know there was a huge email thread recently regarding obtaining
> correct security context after SSH-login, but I didn't really get the
> answer I need from that thread. So hoping someone can help me...

[...]

> After the software_upgrade (when the filesystem has already been labeled
> correctly, and after the reboot, I would expect the "login" process and
> the "sshd" process to run under the correct context
> (system_u:system_r:login_exec_t), (system_u:system_r:sshd_exec_t). But
> I don't :-( I see them both running as system_u:system_r:kernel_t
> !!! This tells me that the domain transitions during the init sequence
> perhaps didn't go smoothly ?

This is the first problem. It sounds like your init program (typically
/sbin/init) is not labeled correctly, which means you don't transition
out of kernel_t when init runs, meaning anything that starts up from
init/init scripts will almost certainly have the wrong context. The
init program should be init_exec_t. I would expect sshd to have the
sshd_t domain and local login would be local_login_t (getty processes
getty_t).

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
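
The check described in the reply, as an added example that is not part of the original message: it compares the label on the init binary and the domains of sshd, login and getty against the types named above. The function names, the sample `ps -eZ` lines and the `bin_t` label are constructed for illustration, and treating `agetty` and `mingetty` as getty processes is an assumption.

```shell
#!/bin/sh
# Added example. Sample data is constructed, in `ps -eZ` / `stat -c %C` format.

# Print the SELinux type: third colon-separated field of a context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds only when the given file context carries the init_exec_t type.
check_init_label() {
    [ "$(selinux_type "$1")" = "init_exec_t" ]
}

# Reads `ps -eZ` lines (LABEL PID TTY TIME CMD) on stdin and reports
# daemons whose domain differs from the one expected for that command.
context_mismatches() {
    awk '
        BEGIN {
            want["sshd"] = "sshd_t"; want["login"] = "local_login_t"
            want["getty"] = "getty_t"; want["agetty"] = "getty_t"
            want["mingetty"] = "getty_t"
        }
        NR == 1 && $1 == "LABEL" { next }   # skip the header row
        {
            split($1, ctx, ":")             # user:role:type[:level]
            cmd = $NF
            if ((cmd in want) && ctx[3] != want[cmd])
                printf "%s pid=%s is %s, expected %s\n", cmd, $2, ctx[3], want[cmd]
        }'
}

# Constructed sample: init mislabeled, so nothing ever left kernel_t.
SAMPLE_INIT_CONTEXT='system_u:object_r:bin_t'
SAMPLE_PS='LABEL                        PID TTY      TIME CMD
system_u:system_r:kernel_t     1 ?        00:00:01 init
system_u:system_r:kernel_t     2 ?        00:00:00 kthreadd
system_u:system_r:kernel_t   812 ?        00:00:00 sshd
system_u:system_r:kernel_t   840 tty1     00:00:00 login'

# On a live system, use "$(stat -c %C /sbin/init)" and `ps -eZ` instead.
if check_init_label "$SAMPLE_INIT_CONTEXT"; then
    echo "init binary label OK"
else
    echo "init binary is $(selinux_type "$SAMPLE_INIT_CONTEXT"), expected init_exec_t"
fi
printf '%s\n' "$SAMPLE_PS" | context_mismatches
```

If the init binary turns out to be mislabeled, `restorecon -v /sbin/init` resets it to the type the loaded policy specifies, and a reboot is needed before processes started from init pick up their domains.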