On Sat, Feb 13, 2021 at 2:24 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
> Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
> > On Fri, Feb 12, 2021 at 4:52 PM Dominick Grift
> > <dominick.grift@xxxxxxxxxxx> wrote:
> >> Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
> >> > On Fri, Feb 12, 2021 at 2:58 AM Dominick Grift
> >> > <dominick.grift@xxxxxxxxxxx> wrote:
> >> >> Dominick Grift <dominick.grift@xxxxxxxxxxx> writes:
> >> >> > Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
> >> >> >> BLUF: Logging in via SSH or directly at the console results
> >> >> >> in "Unable to get valid context...". Help! Much info included.
>
> You missed a fundamental type attribute association:
>
> type xferHigh2Local_t, CDTml_types, userdomain, process_user_target;
>
> It seems that you did not associate your process types with "domain":
>
> typeattribute xferHigh2Local_t domain;
>
> See if adding that helps

It didn't - but! The failure motivated me to dive more deeply back into
/var/log/audit/audit.log, wherein I noticed that the desired user context
has been being computed correctly since sometime yesterday (15:29:25 EST,
in fact) - but SSH logins were still failing to assign that context.

So I tried a console login and it worked (I've not made any console
related changes since you started helping me with this).

Progress: The desired context is properly computed and assigned, at
least with console (local) login.

This leaves me two major items to figure out:

1. Of the changes I have applied over the last 1-3 days, what is the
   minimum set required to achieve this? My immediate future includes
   bisection.

2. Why doesn't it work with SSH, when it does work with the console
   (yes, the ssh_sysadm_login is on)?

I've read that the latter may have to do with network labelling and/or
default network context, I may need to explore that.

All suggestions welcome!

Thanks! Progress restores optimism.

P