On Sun, Feb 14, 2021 at 11:39 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
> Dominick Grift <dominick.grift@xxxxxxxxxxx> writes:
> > Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
> >
> >> session required pam_selinux.so open
> >>
> >> also worked fine.
> >
> > oh right! ... yes corner case...
> >
> > to make it work with env_params you need:
> >
> > allow xferHigh2Local_t self:context contains;
> >
> > Sorry for overlooking that

No worries! So many moving parts to keep track of.

> >> I need to do some research on this. The env_params option was a system
> >> default, I dislike changing system defaults unless I understand why.
> >>
> >> Now to figure why the auditor's context is failing to be set.
>
> I think this patch is why you need "context contains" when you have
> "env_params" set: https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-role-mls.patch

Interesting. This might argue for an OS upgrade....

What is driving me particularly nutty is that for this 7.9 Maipo box, I based my rules on a working set I wrote for a 7.8 Maipo box. Among other things, both use sshd 7.4p1. And yet the 7.8 box has 'env_params' and no 'contains' rules, and all SSH logins work as expected, while this 7.9 box has me clawing at my eyes.

P