Text console not setting category
Daniel J Walsh
dwalsh at redhat.com
Thu Jul 19 20:30:59 UTC 2007
Forrest Taylor wrote:
> On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
>
>> Forrest Taylor wrote:
>>
>>> I have a user that has a category different than the default. When I
>>> log in to the GUI or via ssh, the category is set. However, when I
>>> login to the text console, the category is not set. Is this a bug in
>>> login or do I have unreasonable expectations?
>>>
>>> # semanage translation -l
>>> s0:c1 admin1
>>>
>>> # semanage login -l
>>> student user_u admin1
>>>
>>> Through ssh/GUI:
>>> $ id -Z
>>> user_u:system_r:unconfined_t:admin1
>>>
>>> Through text console:
>>> $ id -Z
>>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
>>>
>>> Now that I write this, I notice that the user and role have changed as
>>> well. I also notice this in the audit log:
>>>
>>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
>>> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>>> msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
>>> context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
>>> res=success)'
>>>
>>> This is running on RHEL 5.0.0 targeted policy. Any clues?
>>>
>>> Thanks,
>>>
>>> Forrest
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>> This looks like a bug.
>>
>>
>> But a lot of fixes were added for 5.1 for MLS policy and this might have
>> been one of them. Since this is pretty fundamental to mls.
>>
>> A prerelease of the mls packages is available at
>>
>> http://people.redhat.com/sgrubb/files/lspp/
>>
>
> Yes, that fixed the problem. I pointed yum to Steve's repo and
> installed all the updates. Now I get this context:
>
> user_u:system_r:unconfined_t::admin1
>
> Interesting that it has :: before admin1. I assume that this tells us
> that admin1 is defined as both a security level and a category.
> Although this doesn't hold true for root:
>
> root:system_r:unconfined_t:-SystemHigh
>
> Why does root have -SystemHigh (why the dash)? Turning off mcstrans
> shows that it is s0-s0:c0.c1023, so how is that translated to -
> SystemHigh, and why doesn't it have :: ?
>
> Thanks,
>
> Forrest
>
This looks like a translation problem. You have s0->"" So this is really
s0:admin1
s0-SystemHigh
More information about the fedora-selinux-list
mailing list