On 06/15/11 16:36, Sam Gandhi wrote:
>>> In my policy definitions I am defining a new user diags_u, type
>>> diags_t and role diags_r, essentially following statements in
>>> policy.conf (through macros etc)
>>>
>>> type diags_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
>>> role diags_r types diags_t;
>>> user diags_u roles { diags_r };
>>>
>>> Is that sufficient? fwiw, I have been able to transition to
>>> diags_u:diags_r:diags_t context using the newrole command, when using
>>> policy that contains above statements.
>>
>> And it works in enforcing? I would expect it to fail if you don't have
>> a role allow:
>>
>> allow system_r diags_r;
>>
>
> I had that statement in my policy; sorry I didn't include it in the original email.
>
> I can transition to diags_u:diags_r:diags_t context via newrole,
> although when using pam_selinux to login as user diags the initial context
> that is set is diags_u:system_r:initrc_t
>
> Looks like my $P/contexts/default_context or $P/contexts/users/diag_u
> file is wrong (?)

Odd. Can you confirm that your getty is getty_t and the login program runs in local_login_t? If those are correct, then you should make sure you include diags_r:diags_t on the system_r:local_login_t lines of the above two files.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
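A small checker for the diagnosis above, added here as an example and not code from the thread or from the SELinux reference policy: it parses a default_contexts-style file (whitespace-separated `role:type[:level]` fields, the first being the source context) and reports whether a given `role:type` is offered on the `system_r:local_login_t` line. The two file bodies are constructed samples, one missing `diags_r:diags_t` and one with it added.

```python
"""Check which role:type contexts a default_contexts-style file offers
for a given source context (e.g. system_r:local_login_t).

Added example for this thread; assumes the reference-policy layout of
$P/contexts/default_contexts and $P/contexts/users/<user>: one source
context per line followed by the target contexts offered for it.
"""


def _role_type(field: str) -> str:
    # Drop an optional MLS/MCS level so "sysadm_r:sysadm_t:s0" and
    # "sysadm_r:sysadm_t" compare equal.
    return ":".join(field.split(":")[:2])


def parse_default_contexts(text: str) -> dict:
    """Map each source role:type to the ordered list of offered role:type."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # ignore comments and blanks
        if not line:
            continue
        fields = line.split()
        src = _role_type(fields[0])
        table.setdefault(src, []).extend(_role_type(f) for f in fields[1:])
    return table


def offered_contexts(text: str, source: str) -> list:
    """Contexts offered for `source`, in the file's preference order."""
    return parse_default_contexts(text).get(_role_type(source), [])


def offers(text: str, source: str, target: str) -> bool:
    """True if `target` (role:type) appears on the `source` line."""
    return _role_type(target) in offered_contexts(text, source)


# Constructed sample: local_login_t line without the new role, which is
# the situation described in the thread (user lands in another context).
BROKEN = """\
system_r:sulogin_t       sysadm_r:sysadm_t
system_r:local_login_t   user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:sshd_t          user_r:user_t staff_r:staff_t
"""

# Constructed sample: same file with diags_r:diags_t added, as suggested.
FIXED = """\
system_r:sulogin_t       sysadm_r:sysadm_t
system_r:local_login_t   diags_r:diags_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:sshd_t          user_r:user_t staff_r:staff_t
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, offers(text, "system_r:local_login_t", "diags_r:diags_t"))
```

Run it against the real files (`cat $P/contexts/default_contexts`, and the per-user file if one exists, since that one is consulted first) to confirm the line for the login program's domain actually lists the new role.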