Re: [refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned

On Fri, 2011-09-23 at 13:38 -0400, Daniel J Walsh wrote:
> On 09/23/2011 12:30 PM, Guido Trentalancia wrote:
> > On Fri, 2011-09-16 at 11:58 -0400, Daniel J Walsh wrote:
> >> On 09/16/2011 11:22 AM, Justin P. Mattock wrote:
> >>> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> >>>> ps -eZ |grep sshd
> >>> I don't have sshd running, but here is ps auxZ to give you an
> >>> idea of what I am seeing: http://fpaste.org/u6IB/
> >>> 
> >>> if I adjust /etc/pam.d/login and add select_context to 
> >>> pam_selinux.so then do init 3 in lilo I am able to have the 
> >>> context justin:staff_r:staff_t:s0  the way it should. but as
> >>> soon as I init 5 gdm starts up, and everything goes back to 
> >>> name:staff_r:insmod_t:s0
> >>> 
> >>> I think I am either missing a boolean to have the transition 
> >>> running properly, and/or pam.d or some config file somewhere
> >>> needs to be adjusted. keep in mind refpolicy has no patches
> >>> added to it(not sure if I need any for systemd), just plain git
> >>> pull etc...
> >>> 
> >>> Justin P. Mattock
> >> Well since you don't have an init_t running, I think your problem 
> >> starts there.  Looks like your system is badly mislabeled or
> >> something in init is broken.   I take it this is not a Red Hat
> >> Based OS?
> > 
> > I'd actually like to take this opportunity to stress once again
> > that in my opinion the system boot/init process should fail
> > irreversibly as soon as the init process has failed to transition
> > to its own designated context from the initial kernel context.
> > 
> > Regards,
> > 
> > Guido
> > 
> > 
> > -- This message was distributed to subscribers of the selinux
> > mailing list. If you no longer wish to subscribe, send mail to
> > majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux"
> > without quotes as the message.
> > 
> > 
> Well it does crash if you are in enforcing mode on RHEL and Fedora boxes.

Yes, very good. At the end, a very polite message is not the first
priority in such a situation...

But unfortunately this is not the case for the upstream bits.

Ideally it should be tackled in the SELinux kernel code. Did RHEL and
Fedora patch the kernel then to achieve that?

Regards,

Guido


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
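
The symptom discussed in this thread (no process in init_t, and a staff_r session landing in insmod_t instead of staff_t) can be checked mechanically from `ps -eZ` output. The script below is an added example, not part of any message in the thread; the function name `audit_contexts` and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: read `ps -eZ` output on stdin and report contexts that
# match the failure described in the thread.
# usage: audit_contexts <login_role> <expected_login_type> < ps-output
audit_contexts() {
    awk -v role="$1" -v want="$2" '
        $2 == "PID" { next }                      # skip the header line
        {
            # Context is user:role:type:level. The level can contain ":"
            # (e.g. s0-s0:c0.c1023), so take the first three fields only.
            split($1, c, ":")
            if ($2 == 1 && c[3] != "init_t") {
                # PID 1 never left its starting context
                printf "INIT pid=1 type=%s\n", c[3]; bad++
            } else if (c[2] == role && c[3] != want) {
                # login role is running in a non-user domain
                printf "SESSION pid=%s type=%s cmd=%s\n", $2, c[3], $NF; bad++
            }
        }
        END { exit (bad > 0) }                    # non-zero when anything was flagged
    '
}

# Constructed sample resembling the reported state (not the thread's paste).
BAD_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:kernel_t:s0       1 ?        00:00:01 systemd
justin:staff_r:insmod_t:s0       1530 ?        00:00:00 gnome-session
justin:staff_r:insmod_t:s0       1604 pts/0    00:00:00 bash'

# Constructed sample of the expected state.
GOOD_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
justin:staff_r:staff_t:s0-s0:c0.c1023 1604 pts/0 00:00:00 bash'

printf '%s\n' "$BAD_PS"  | audit_contexts staff_r staff_t || echo "mislabeled boot detected"
printf '%s\n' "$GOOD_PS" | audit_contexts staff_r staff_t && echo "contexts as expected"
```

On a live system the same function reads real data with `ps -eZ | audit_contexts staff_r staff_t`.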

