[redhat-lspp] newrole error

Klaus Weidner klaus at atsec.com
Tue Jan 16 02:56:58 UTC 2007


That's a usage we hadn't really considered since the configurations we're
going for don't include a local X desktop. The same thing applies though;
check what the type of the terminal device is that you're running on, and
add that to the /etc/selinux/mls/contexts/securetty_types file:

	ls -Z `tty`

I've added staff_devpts_t to the existing file contents to test this. If
that file doesn't exist yet, get a newer policy from
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ or use the
following contents:

	sysadm_tty_device_t
	user_tty_device_t
	staff_tty_device_t
	auditadm_tty_device_t
	secureadm_tty_device_t

-Klaus

On Mon, Jan 15, 2007 at 08:11:38PM -0600, Ted X Toth wrote:
> Linda,
> No, I haven't ssh'd; I'm running newrole from an xterm running locally.
> 
> Ted
> 
> Linda Knippers wrote:
> >Xavier Toth wrote:
> >>I'm running the lspp 62 kernel and have installed
> >>policycoreutils-newrole-1.33.12-1.el5, selinux-policy-mls-2.4.6-27.el5
> >>and several other rpms they require, all of which came from Dan Walsh's
> >>page. Now when I run newrole I get:
> >>Error: you are not allowed to change levels on a non secure terminal
> >>
> >>Can anyone help me understand what the problem is and how I can fix it?
> >
> >I assume you've ssh'd into the system rather than logging on
> >at the console?
> >
> >This is new behavior in newrole to address bugzilla 200110.
> >It prohibits level changes on ptys because there are no
> >controls on the flow of information between the pty master
> >and slave and using newrole to change levels leaves the
> >slave and master at different levels.
> >
> >It's discussed in this thread:
> >https://www.redhat.com/archives/redhat-lspp/2007-January/msg00004.html
> >
> >If you don't want this behavior I think you can modify
> >/etc/selinux/mls/contexts/securetty_contexts and
> >add the pty selinux type, at least that's how I understand
> >the mail thread.  Haven't tried that myself though.
> >
> >-- ljk
> >
> >>
> >>Thanks
> >>Ted
> >>
> >>-- 
> >>redhat-lspp mailing list
> >>redhat-lspp at redhat.com
> >>https://www.redhat.com/mailman/listinfo/redhat-lspp
> >
> >
> 
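The check described at the top of this message, as an added example that is not part of the original thread: it pulls the type out of the terminal's context as printed by `ls -Z` and reports whether that type is listed in securetty_types, without modifying the file. The function names are hypothetical; the default path is the one given in the message.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a terminal's SELinux
# type is listed in securetty_types. Read-only; nothing is changed.

# Extract the type (third field) from an SELinux context.
# MLS contexts are user:role:type:level, and the level itself may contain
# colons (e.g. s0-s15:c0.c1023), so only the first three fields are fixed.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if type $1 appears as a whole line in file $2, 1 if it does not,
# 2 if the file cannot be read. Leading/trailing whitespace is ignored and
# partial names do not match.
type_is_secure() {
    [ -r "$2" ] || return 2
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$2" | grep -Fxq -- "$1"
}

# Check the terminal this shell is running on and print a verdict.
# $1 optionally overrides the types file (default: path from the message).
check_current_tty() {
    types_file=${1:-/etc/selinux/mls/contexts/securetty_types}
    dev=$(tty) || { echo "not running on a terminal" >&2; return 2; }
    # ls -Z column layout differs between releases, so pick the first
    # whitespace-separated field that looks like user:role:type[:level].
    ctx=$(ls -Z "$dev" | tr -s ' \t' '\n' | grep -m1 '^[^:]*:[^:]*:[^:]')
    t=$(context_type "$ctx")
    if [ -z "$t" ]; then
        echo "$dev: no SELinux context found" >&2
        return 2
    fi
    if type_is_secure "$t" "$types_file"; then
        echo "$dev ($t): listed in $types_file"
    else
        echo "$dev ($t): NOT listed in $types_file"
        return 1
    fi
}
```

Run `check_current_tty` from the terminal where newrole reports the error; a "NOT listed" result names the type that would have to be added.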