On Wed, Feb 29, 2012 at 04:34:18PM -0500, Stephen Smalley wrote: > > On Wed, 2012-02-29 at 15:47 -0500, Daniel J Walsh wrote: > > > Right now we have an open bug on confined users. Basically if you > > > setup a confined user guest_u and attempt to login to that user via > > > xdm_t, you get a context of guest_u:guest_r:oddjob_mkhomedir_t:s0 > > > > > > selinuxdefcon pwalsh system_u:system_r:xdm_t:s0 > > > guest_u:guest_r:oddjob_mkhomedir_t:s0 We had a similar issue with vixie-cron. It's attempt to get an initial context gave strange results and we had a rough time figuring out what was the case. Now, we recommend users to run getseuser to find out what the returned context is on the user' system and check if it is cronjob_t [1]. [1] http://www.gentoo.org/proj/en/hardened/selinux-faq.xml#cronfails > > Last time we discussed this, I thought we agreed to migrate away from > > the current usage of security_compute_user (/selinux/user) altogether > > within libselinux, and replace it with a simpler userspace configuration > > and logic for determining user roles and levels. > > I don't think we want to introduce greater complexity and more possible > failures causes into the mix for determining user contexts. Simplest > option would be to change get_ordered_context_list() to return the empty > list / fail in that case rather than return the full reachable list from > security_compute_user. I agree. I find it illogical that it returns a full reachable list. Wkr, Sven Vermeulen -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
