Re: Defining SELinux users, "Unable to get valid context...". Help!

On Sun, Feb 14, 2021 at 11:39 AM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
> Dominick Grift <dominick.grift@xxxxxxxxxxx> writes:
> > Peter Whittaker <peterwhittaker@xxxxxxxxxxxxxxxxxxx> writes:
> >
> >>     session    required     pam_selinux.so open
> >>
> >> also worked fine.
> >
> > oh right! ... yes corner case...
> >
> > to make it work with env_params you need:
> >
> > allow xferHigh2Local_t self:context contains;
> >
> > Sorry for overlooking that

No worries! So many moving parts to keep track of.

> >> I need to do some research on this. The env_params option was a system
> >> default, I dislike changing system defaults unless I understand why.
> >>
> >> Now to figure why the auditor's context is failing to be set.
>
> I think this patch is why you need "context contains" when you have
> "env_params" set: https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-role-mls.patch

Interesting. This might argue for an OS upgrade....

What is driving me particularly nutty is that for this 7.9 Maipo box,
I based my rules on a working set I wrote for a 7.8 Maipo box. Among
other things, both use sshd 7.4p1.

And yet the 7.8 box has 'env_params' and no 'contains' rules, and all
SSH logins work as expected, while this 7.9 box has me clawing at
my eyes.

P


