On Thu, Aug 09, 2012 at 07:45:19PM +0200, Ole Kliemann wrote:
> Some time ago I posted about a problem I had when building a
> monolithic policy. Login programs were unable to determine the
> default context of users when logging in, although I was pretty
> sure I did everything right. I never resolved that but didn't
> bother either since I started writing a new modular policy from
> scratch.
>
> Everything worked flawlessly, including logins, until suddenly
> now logins started to fail again with the login programs unable
> to determine the context of the user.
>
> Oh, what fresh hell is this?! So I started rolling back changes,
> and it turns out if there are too many types associated with one
> role and that role and one of its types is set as default context
> for a user, /bin/login gives 'Unable to get valid context'.
>
> BTW, the exact number seems 194. 194 types associated with one
> role works. 195 and it's broken.
>
> I'm doing this on Ubuntu 12.04, so it could be the crappily
> maintained selinux userland here.
>
> Ole

Workaround is to give each type its own role and then associate all the roles with the user. This way around it works.