login default ... changed?

Daniel J Walsh dwalsh at redhat.com
Fri Apr 16 16:18:17 UTC 2004


Stephen Smalley wrote:

>On Thu, 2004-04-15 at 17:29, Stephen Smalley wrote:
>
>>Yes, I think that this was wrong earlier in default_contexts and
>>subsequently changed.  console login might still default to sysadm_r.
>
>No, looks like the latest default_contexts also puts staff_r before
>sysadm_r for console logins, so those should also go to staff_r by
>default for non-root users authorized for both roles.
>
>Note that you may need to restorecon /root/.default_contexts to get it
>into the right type; otherwise, login/sshd/gdm can't read it.

I have added a /root/.default_contexts in policy*rpm.

This allows users logging into root to default to sysadm_r and
everywhere else as staff_r or user_r.
There is a comment in the /root/.default_contexts that you could change
to allow sshd to automatically pick sysadm_r when logging in via ssh.
(This is a potential security hole.)

Please check out these contexts to verify they make sense.

Today's policy has the changes.

Dan


