New prompt at login time

Allen, Jack Jack.Allen at McKesson.com
Tue Oct 25 17:48:59 UTC 2005


I have posted this on the redhat-list and the pam-list and no one
responded. So I am trying here. Hopefully someone will have something to
say that will help.

I ran up2date yesterday (now a few days ago) and have my system
completely up to date. I rebooted this morning (now a few days ago) and
now when I login via telnet, yes that is just plain old telnet, not ssh,
I get the following:
========
Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
Kernel 2.6.9-22.ELsmp on an i686
login: jca
Password:
Your default context is user_u:system_r:unconfined_t. 
Do you want to choose a different one? [n]
======== 
I just entered a CR and thought this would be a one-time thing. But it
is not. While the prompt was being displayed I did a who and it does not
show me logged in yet. I did a ps -ef | grep log and see a login process
with the host name and -p option. So it appears the prompt is coming
from the login program or its calls to some PAM routine.

Does anybody know where this is controlled so I can set a
default and not be prompted each time?

Also, exactly what is this controlling?

If I do id, it shows context=user_u:system_r:unconfined_t

Some things I have been able to find out and more questions.

I did man -k context and discovered the get_default_context routine.
Doing man get_default_context tells me about get_default_context_list

get_ordered_context_list queries the SE Linux policy database in the
kernel and some configuration files to determine an ordered list of
contexts that may be used for login sessions. The list must be freed
with freeconary. The possible roles and domains will be read from
/etc/security/default_contexts and .default_contexts in the home
directory of the user in question.

My question now is what is the format of the files listed above?

manual_user_enter_context allows the user to manually enter a context
as a fallback if a list of authorized contexts could not be obtained.
Caller must free via freecon.

So I assume this is why I am getting prompted.

I found default_contexts in /etc/selinux/targeted/contexts and it
contains:

system_r:unconfined_t system_r:unconfined_t

I also found that if I removed the multiple option for pam_selinux.so,
in remote located in /etc/pam.d, I do not get the prompt. So is this the
correct place to correct this? That is, the next time I run up2date and
there is an update to remote, is it going to get replaced and will I have
to remove it again? Or is there another place that controls this that
would be better to change?

Thanks:
Jack Allen 
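
An added example, not part of the original message and not Red Hat's own
tooling: a small auditor that reports every PAM rule passing the multiple
option to pam_selinux.so, so the setting can be re-checked after a package
update rewrites files under /etc/pam.d. The function names and the sample
file contents are assumptions constructed for illustration.

```python
import re
import sys

# Constructed sample resembling a PAM service file; not copied from a real system.
SAMPLE_REMOTE = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_selinux.so multiple open
"""

def pam_entries(text):
    """Yield (lineno, type, control, module, args) for each rule in a PAM file."""
    logical, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):            # backslash joins continuation lines
            logical += raw[:-1] + " "
            continue
        line = (logical + raw).split("#", 1)[0].strip()   # drop comments
        lineno, logical, start = start, "", None
        if not line:
            continue
        # control is a single word or a bracketed [value=action ...] list
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield lineno, m.group(1), m.group(2), m.group(3), m.group(4).split()

def selinux_prompt_rules(text):
    """Return (lineno, type, args) for pam_selinux.so rules given 'multiple'."""
    return [(n, kind, args) for n, kind, _ctl, mod, args in pam_entries(text)
            if mod.rsplit("/", 1)[-1] == "pam_selinux.so" and "multiple" in args]

if __name__ == "__main__":
    # With file arguments, audit those; otherwise run on the constructed sample.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_REMOTE)]
    for name, text in sources:
        for n, kind, args in selinux_prompt_rules(text):
            print(f"{name}:{n}: {kind} pam_selinux.so {' '.join(args)}")
```

Run it with the service files as arguments, for example /etc/pam.d/remote
and /etc/pam.d/login, to list the lines that would need editing again.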
