Re: Defining SELinux users, "Unable to get valid context...". Help!

Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:

> On Sun, Feb 14, 2021 at 2:32 AM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
>> Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
>>
>> > Yes, I may need it, but at this point I want to understand why one
>> > works and the other doesn't.
>>
>> I know that the openssh-server in Red Hat-based distributions has custom
>> SELinux patches.
>
> Well. Just fixed it by accident. The relevant line of /etc/pam.d/sshd was
>
>     session    required     pam_selinux.so open env_params
>
> In an attempt to debug the problem, I changed this to
>
>     session    required     pam_selinux.so open select_context
>
> PAM did not ask me for a context, but did set the context correctly.
>
>     session    required     pam_selinux.so open
>
> also worked fine.

Oh right! ... Yes, corner case...

To make it work with env_params you need:

    allow xferHigh2Local_t self:context contains;

Sorry for overlooking that.

>
> I need to do some research on this. The env_params option was a system
> default; I dislike changing system defaults unless I understand why.
>
> Now to figure why the auditor's context is failing to be set.
>
> P
>
> Peter Whittaker
> Director, Business Development
> www.SphyrnaSecurity.com
> +1 613 864 5337

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
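
The following is an added example, not part of either message or of any project's code: a small check that cross-references a PAM service file with policy rules, flagging the case from this thread where `pam_selinux.so` is loaded with `env_params` but the domain lacks `self:context contains`. The function names, the sample inputs, and the assumption that policy rules are supplied as plain `allow` lines (policy source or search output) are hypothetical.

```python
import re

# PAM line: type, control (plain or bracketed), module path, remaining arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# allow SRC TGT:context PERMS;  where PERMS is one word or a { ... } set
ALLOW = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*context\s+(\{[^}]*\}|\w+)\s*;")

def env_params_lines(pam_text):
    """Line numbers of active session lines that load pam_selinux.so with env_params."""
    hits = []
    for n, raw in enumerate(pam_text.splitlines(), 1):
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m:
            continue
        ptype, _control, module, args = m.groups()
        if (ptype == "session" and module.endswith("pam_selinux.so")
                and "env_params" in args.split()):
            hits.append(n)
    return hits

def has_context_contains(policy_text, domain):
    """True if policy_text allows `domain` the contains permission on its own context."""
    for line in policy_text.splitlines():
        m = ALLOW.match(line)
        # "self" in policy source; the type repeated when rules are shown expanded
        if m and m.group(1) == domain and m.group(2) in ("self", domain):
            if "contains" in m.group(3).strip("{}").split():
                return True
    return False

def check(pam_text, policy_text, domain):
    """Findings for env_params in use while `domain` lacks self:context contains."""
    lines = env_params_lines(pam_text)
    if lines and not has_context_contains(policy_text, domain):
        return [f"line {n}: env_params set, but {domain} lacks self:context contains"
                for n in lines]
    return []

# Constructed sample input: the sshd PAM line from the thread and a policy excerpt.
SAMPLE_PAM = """\
#%PAM-1.0
session    required     pam_selinux.so close
session    required     pam_selinux.so open env_params
"""
SAMPLE_POLICY_BEFORE = "allow xferHigh2Local_t self:process signal;\n"
SAMPLE_POLICY_AFTER = SAMPLE_POLICY_BEFORE + "allow xferHigh2Local_t self:context contains;\n"

if __name__ == "__main__":
    print(check(SAMPLE_PAM, SAMPLE_POLICY_BEFORE, "xferHigh2Local_t"))
    print(check(SAMPLE_PAM, SAMPLE_POLICY_AFTER, "xferHigh2Local_t"))
```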


