Text console not setting category

Daniel J Walsh dwalsh at redhat.com
Fri Jul 20 14:07:07 UTC 2007


Forrest Taylor wrote:
> On Thu, 2007-07-19 at 16:30 -0400, Daniel J Walsh wrote:
>   
>> Forrest Taylor wrote:
>>     
>>> On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
>>>   
>>>       
>>>> Forrest Taylor wrote:
>>>>     
>>>>         
>>>>> I have a user that has a category different than the default.  When I
>>>>> log in to the GUI or via ssh, the category is set.  However, when I
>>>>> log in to the text console, the category is not set.  Is this a bug in
>>>>> login or do I have unreasonable expectations?
>>>>>
>>>>> # semanage translation -l 
>>>>> s0:c1     admin1
>>>>>
>>>>> # semanage login -l
>>>>> student   user_u    admin1
>>>>>
>>>>> Through ssh/GUI:
>>>>> $ id -Z
>>>>> user_u:system_r:unconfined_t:admin1
>>>>>
>>>>> Through text console:
>>>>> $ id -Z
>>>>> system_u:system_r:unconfined_t:SystemLow-SystemHigh
>>>>>
>>>>> Now that I write this, I notice that the user and role have changed as
>>>>> well.  I also notice this in the audit log:
>>>>>
>>>>> type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
>>>>> uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
>>>>> msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
>>>>> context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
>>>>> res=success)'
>>>>>
>>>>> This is running on RHEL 5.0.0 targeted policy.  Any clues?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Forrest
>>>>>   
>>>> This looks like a bug.
>>>>
>>>>
>>>> But a lot of fixes were added for 5.1 for MLS policy and this might have 
>>>> been one of them, since this is pretty fundamental to MLS.
>>>>
>>>> A prerelease of the mls packages is available at
>>>>
>>>> http://people.redhat.com/sgrubb/files/lspp/
>>>>     
>>>>         
>>> Yes, that fixed the problem.  I pointed yum to Steve's repo and
>>> installed all the updates.  Now I get this context:
>>>
>>> user_u:system_r:unconfined_t::admin1
>>>
>>> Interesting that it has :: before admin1.  I assume that this tells us
>>> that admin1 is defined as both a security level and a category.
>>> Although this doesn't hold true for root:
>>>
>>> root:system_r:unconfined_t:-SystemHigh
>>>
>>> Why does root have -SystemHigh (why the dash)?  Turning off mcstrans
>>> shows that it is s0-s0:c0.c1023, so how is that translated to -
>>> SystemHigh, and why doesn't it have :: ?
>>>
>>> Thanks,
>>>
>>> Forrest
>>>   
>>>       
>> This looks like a translation problem.   You have s0->"", so this is really
>>
>> s0:admin1
>> s0-SystemHigh
>>     
>
> True.  BTW, why isn't s0 defined by default?  Shouldn't it be SystemLow?
>
> Forrest
>   
Just saving terminal space.  Since 99.99% of the people in the world do 
not use MCS/MLS, we decided to translate
s0 == "" and save terminal/screen real estate.
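
Added example, not part of the original thread: a Python check over `USER_ROLE_CHANGE` audit records like the one quoted above, reporting logins where PAM's `selected-context` is not the `default-context` (the text-console symptom). The second sample record and all function names are constructed for illustration.

```python
import re

# Constructed input: record 1 is the audit record quoted in the thread, joined
# back onto one line; record 2 is a made-up record for a login that worked.
SAMPLE = [
    "type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517 "
    "uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 "
    "msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 "
    "selected-context=?: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty1 "
    "res=success)'",
    "type=USER_ROLE_CHANGE msg=audit(1184777900.000:4070): user pid=5600 "
    "uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 "
    "selected-context=user_u:system_r:unconfined_t:s0:c1: exe=\"/usr/sbin/sshd\" "
    "(hostname=?, addr=?, terminal=ssh res=success)'",
]

CTX_RE = re.compile(r"default-context=(\S+)\s+selected-context=(\S+)")

def split_context(ctx):
    """Split user:role:type[:range]; the range itself may contain ':' (s0:c1)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return None
    return dict(zip(("user", "role", "type", "range"), parts + [""]))

def parse_role_change(line):
    """Extract contexts, auid and terminal from a USER_ROLE_CHANGE record."""
    m = CTX_RE.search(line)
    if "type=USER_ROLE_CHANGE" not in line or not m:
        return None
    auid = re.search(r"\bauid=(\d+)", line)
    term = re.search(r"\bterminal=(\S+)", line)
    return {
        "default": m.group(1),
        # In the quoted record the value is followed by ':' before exe=; drop it.
        "selected": m.group(2).rstrip(":"),
        "auid": auid.group(1) if auid else None,
        "terminal": term.group(1) if term else None,
    }

def check(line):
    """Return a finding when the default context was not the one selected."""
    rec = parse_role_change(line)
    if rec is None or rec["selected"] == rec["default"]:
        return None
    want = split_context(rec["default"])
    return {"auid": rec["auid"], "terminal": rec["terminal"],
            "expected_range": want["range"] if want else None,
            "selected": rec["selected"]}
```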