Text console not setting category
Forrest Taylor
ftaylor at redhat.com
Fri Jul 20 18:16:09 UTC 2007
On Fri, 2007-07-20 at 10:07 -0400, Daniel J Walsh wrote:
> Forrest Taylor wrote:
> > On Thu, 2007-07-19 at 16:30 -0400, Daniel J Walsh wrote:
> >
> >> Forrest Taylor wrote:
> >>
> >>> On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
> >>>
> >>>
> >>>> Forrest Taylor wrote:
> >>>>
> >>>>
> >>>>> I have a user that has a category different than the default. When I
> >>>>> log in to the GUI or via ssh, the category is set. However, when I
> >>>>> log in to the text console, the category is not set. Is this a bug in
> >>>>> login or do I have unreasonable expectations?
> >>>>>
> >>>>> # semanage translation -l
> >>>>> s0:c1 admin1
> >>>>>
> >>>>> # semanage login -l
> >>>>> student user_u admin1
> >>>>>
> >>>>> Through ssh/GUI:
> >>>>> $ id -Z
> >>>>> user_u:system_r:unconfined_t:admin1
> >>>>>
> >>>>> Through text console:
> >>>>> $ id -Z
> >>>>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
> >>>>>
> >>>>> Now that I write this, I notice that the user and role have changed as
> >>>>> well. I also notice this in the audit log:
> >>>>>
> >>>>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
> >>>>> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> >>>>> msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
> >>>>> context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> >>>>> res=success)'
> >>>>>
> >>>>> This is running on RHEL 5.0.0 targeted policy. Any clues?
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Forrest
> >>>>>
> >>>> This looks like a bug.
> >>>>
> >>>>
> >>>> But a lot of fixes were added for 5.1 for MLS policy and this might have
> >>>> been one of them, since this is pretty fundamental to MLS.
> >>>>
> >>>> A prerelease of the mls packages is available at
> >>>>
> >>>> http://people.redhat.com/sgrubb/files/lspp/
> >>>>
> >>>>
> >>> Yes, that fixed the problem. I pointed yum to Steve's repo and
> >>> installed all the updates. Now I get this context:
> >>>
> >>> user_u:system_r:unconfined_t::admin1
> >>>
> >>> Interesting that it has :: before admin1. I assume that this tells us
> >>> that admin1 is defined as both a security level and a category.
> >>> Although this doesn't hold true for root:
> >>>
> >>> root:system_r:unconfined_t:-SystemHigh
> >>>
> >>> Why does root have -SystemHigh (why the dash)? Turning off mcstrans
> >>> shows that it is s0-s0:c0.c1023, so how is that translated to -
> >>> SystemHigh, and why doesn't it have :: ?
> >>>
> >>> Thanks,
> >>>
> >>> Forrest
> >>>
> >>>
> >> This looks like a translation problem. You have s0->"". So this is really
> >>
> >> s0:admin1
> >> s0-SystemHigh
> >>
> >
> > True. BTW, why isn't s0 defined by default? Shouldn't it be SystemLow?
> >
> > Forrest
> >
> Just saving terminal space. Since 99.99% of the people in the world do
> not use MCS/MLS, we decided to translate
> s0 == "" and save terminal/screen real estate.
Makes sense (I love efficiency), and it is easy enough to define
yourself.
Forrest
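
An added example, not part of the original message or of any Red Hat tool: a Python sketch that pulls the default-context and selected-context fields out of USER_ROLE_CHANGE records like the one quoted in the thread and lists the logins where the two differ. The function names are hypothetical, the second sample record is constructed, and it assumes other records follow the same layout as the quoted one.

```python
import re

# Constructed sample input: the first record is the one quoted in the thread
# with its e-mail line wraps removed; the second is a made-up record in the
# same layout (assumed) where the selected context equals the default.
SAMPLE_LOG = """\
type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_ROLE_CHANGE msg=audit(1184777900.000:4070): user pid=5600 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-context=user_u:system_r:unconfined_t:s0:c1: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=ssh res=success)'
"""

# The context values contain colons themselves, so the selected-context
# capture is lazy and the colon that closes the pam message is optional.
RECORD = re.compile(
    r"type=USER_ROLE_CHANGE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):"
    r".*?auid=(?P<auid>\d+)"
    r".*?default-context=(?P<default>\S+) selected-context=(?P<selected>\S+?):? exe="
    r".*?terminal=(?P<terminal>\S+)"
)


def parse_role_changes(text):
    """Return one dict per USER_ROLE_CHANGE record found in text."""
    return [m.groupdict() for m in map(RECORD.search, text.splitlines()) if m]


def unconfirmed_contexts(text):
    """Records whose selected-context is '?' or differs from default-context."""
    return [r for r in parse_role_changes(text) if r["selected"] != r["default"]]


if __name__ == "__main__":
    for r in unconfirmed_contexts(SAMPLE_LOG):
        print(f"audit serial {r['serial']} auid={r['auid']} "
              f"terminal={r['terminal']}: default={r['default']} "
              f"selected={r['selected']}")
```

The contexts in the audit record are raw (s0:c1), not the mcstrans names, so the comparison is unaffected by the s0 == "" translation discussed in the thread.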