Text console not setting category

Daniel J Walsh dwalsh at redhat.com
Thu Jul 19 20:30:59 UTC 2007 

Forrest Taylor wrote:
> On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
>   
>> Forrest Taylor wrote:
>>     
>>> I have a user that has a category different than the default.  When I
>>> log in to the GUI or via ssh, the category is set.  However, when I
>>> login to the text console, the category is not set.  Is this a bug in
>>> login or do I have unreasonable expectations?
>>>
>>> # semanage translation -l 
>>> s0:c1     admin1
>>>
>>> # semanage login -l
>>> student   user_u    admin1
>>>
>>> Through ssh/GUI:
>>> $ id -Z
>>> user_u:system_r:unconfined_t:admin1
>>>
>>> Through text console:
>>> $ id -Z
>>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
>>>
>>> Now that I write this, I notice that the user and role have changed as
>>> well.  I also notice this in the audit log:
>>>
>>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
>>> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>>> msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
>>> context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
>>> res=success)'
>>>
>>> This is running on RHEL 5.0.0 targeted policy.  Any clues?
>>>
>>> Thanks,
>>>
>>> Forrest
>>>   
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>       
>> This looks like a bug.
>>
>>
>> But a lot of fixes were added for 5.1 for MLS policy and this might have 
>> been one of them.  Since this is pretty fundamental to mls.
>>
>> A prerelease of the mls packages is available at
>>
>> http://people.redhat.com/sgrubb/files/lspp/
>>     
>
> Yes, that fixed the problem.  I pointed yum to Steve's repo and
> installed all the updates.  Now I get this context:
>
> user_u:system_r:unconfined_t::admin1
>
> Interesting that it has :: before admin1.  I assume that this tells us
> that admin1 is defined as both a security level and a category.
> Although this doesn't hold true for root:
>
> root:system_r:unconfined_t:-SystemHigh
>
> Why does root have -SystemHigh (why the dash)?  Turning off mcstrans
> shows that it is s0-s0:c0.c1023, so how is that translated to -
> SystemHigh, and why doesn't it have :: ?
>
> Thanks,
>
> Forrest
>   

This looks like a translation problem.   You have s0->""  So this is really

s0:admin1
s0-SystemHigh

More information about the fedora-selinux-list mailing list