Text console not setting category

Forrest Taylor ftaylor at redhat.com
Thu Jul 19 21:04:13 UTC 2007


On Thu, 2007-07-19 at 16:30 -0400, Daniel J Walsh wrote:
> Forrest Taylor wrote:
> > On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
> >   
> >> Forrest Taylor wrote:
> >>     
> >>> I have a user that has a category different than the default.  When I
> >>> log in to the GUI or via ssh, the category is set.  However, when I
> >>> log in to the text console, the category is not set.  Is this a bug in
> >>> login or do I have unreasonable expectations?
> >>>
> >>> # semanage translation -l 
> >>> s0:c1     admin1
> >>>
> >>> # semanage login -l
> >>> student   user_u    admin1
> >>>
> >>> Through ssh/GUI:
> >>> $ id -Z
> >>> user_u:system_r:unconfined_t:admin1
> >>>
> >>> Through text console:
> >>> $ id -Z
> >>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
> >>>
> >>> Now that I write this, I notice that the user and role have changed as
> >>> well.  I also notice this in the audit log:
> >>>
> >>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
> >>> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> >>> msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
> >>> context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> >>> res=success)'
> >>>
> >>> This is running on RHEL 5.0.0 targeted policy.  Any clues?
> >>>
> >>> Thanks,
> >>>
> >>> Forrest
> >>>   
> >>>       
> >> This looks like a bug.
> >>
> >>
> >> But a lot of fixes were added for 5.1 for MLS policy and this might have 
> >> been one of them.  Since this is pretty fundamental to mls.
> >>
> >> A prerelease of the mls packages is available at
> >>
> >> http://people.redhat.com/sgrubb/files/lspp/
> >>     
> >
> > Yes, that fixed the problem.  I pointed yum to Steve's repo and
> > installed all the updates.  Now I get this context:
> >
> > user_u:system_r:unconfined_t::admin1
> >
> > Interesting that it has :: before admin1.  I assume that this tells us
> > that admin1 is defined as both a security level and a category.
> > Although this doesn't hold true for root:
> >
> > root:system_r:unconfined_t:-SystemHigh
> >
> > Why does root have -SystemHigh (why the dash)?  Turning off mcstrans
> > shows that it is s0-s0:c0.c1023, so how is that translated to -
> > SystemHigh, and why doesn't it have :: ?
> >
> > Thanks,
> >
> > Forrest
> >   
> 
> This looks like a translation problem.   You have s0->""  So this is really
> 
> s0:admin1
> s0-SystemHigh

True.  BTW, why isn't s0 defined by default?  Shouldn't it be SystemLow?

Forrest
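
A check for the symptom visible in the audit record quoted above, as an added example that is not part of the original thread: it parses USER_ROLE_CHANGE records and reports logins where pam selected no context, or a range other than the default. The function names and sample records 2 and 3 are constructed for illustration, and treating `selected-context=?` as a failed selection is an assumption based on the record in the thread.

```python
import re

# Constructed sample. Record 1 is the one quoted in the thread with its wrapped
# lines rejoined; records 2 and 3 are made up to show the other two outcomes.
SAMPLE_LOG = """\
type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_ROLE_CHANGE msg=audit(1184777900.200:4100): user pid=5600 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=user_u:system_r:unconfined_t:s0:c1: exe="/bin/login" (hostname=?, addr=?, terminal=tty2 res=success)'
type=USER_ROLE_CHANGE msg=audit(1184777950.300:4120): user pid=5650 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=user_u:system_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty3 res=success)'
"""

RECORD = re.compile(
    r'type=USER_ROLE_CHANGE msg=audit\([\d.]+:(?P<serial>\d+)\):.*?'
    r'default-context=(?P<default>\S+) '
    r'selected-context=(?P<selected>.*?): exe="(?P<exe>[^"]+)"'
    r'.*?terminal=(?P<tty>\S+)'
)

def mls_range(context):
    """Return the range field of user:role:type:range, or None if it is absent.

    The range keeps its own colons (for example s0:c1), hence maxsplit=3.
    """
    parts = context.split(":", 3)
    return parts[3] if len(parts) == 4 else None

def context_mismatches(log_text):
    """Report logins where pam selected nothing, or a range other than the default."""
    findings = []
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if m is None:
            continue
        expected = mls_range(m["default"])
        selected = mls_range(m["selected"])
        if selected is None:          # covers the "?" seen in the thread
            problem = "no context selected"
        elif selected != expected:
            problem = "range " + selected + " selected"
        else:
            continue
        findings.append((m["serial"], m["tty"], expected, problem))
    return findings

if __name__ == "__main__":
    for serial, tty, expected, problem in context_mismatches(SAMPLE_LOG):
        print(f"audit event {serial} on {tty}: expected {expected}, {problem}")
```

The ranges compared here are the raw ones recorded by the audit system, so the result does not depend on the mcstrans translation table.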