[redhat-lspp] newrole error

Ted X Toth txtoth at gmail.com
Tue Jan 16 19:43:24 UTC 2007


I added staff_devpts_t and sysadm_devpts_t to 
/etc/selinux/mls/contexts/securetty_types and even rebooted but still am 
getting the same error.

Ted


Klaus Weidner wrote:
> That's a usage we hadn't really considered since the configurations we're
> going for don't include a local X desktop. The same thing applies though;
> check what the type of the terminal device is that you're running on, and
> add that to the /etc/selinux/mls/contexts/securetty_types file:
>
> 	ls -Z `tty`
>
> I've added staff_devpts_t to the existing file contents to test this. If
> that file doesn't exist yet, get a newer policy from
> http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ or use the
> following contents:
>
> 	sysadm_tty_device_t
> 	user_tty_device_t
> 	staff_tty_device_t
> 	auditadm_tty_device_t
> 	secureadm_tty_device_t
>
> -Klaus
>
> On Mon, Jan 15, 2007 at 08:11:38PM -0600, Ted X Toth wrote:
>   
>> Linda,
>> No, I haven't ssh'd; I'm running newrole from an xterm running locally.
>>
>> Ted
>>
>> Linda Knippers wrote:
>>     
>>> Xavier Toth wrote:
>>>       
>>>> I'm running the lspp 62 kernel and have installed
>>>> policycoreutils-newrole-1.33.12-1.el5, selinux-policy-mls-2.4.6-27.el5
>>>> and several other rpms they require, all of which came from Dan Walsh's
>>>> page. Now when I run newrole I get:
>>>> Error: you are not allowed to change levels on a non secure terminal
>>>>
>>>> Can anyone help me understand what the problem is and how I can fix it?
>>>>         
>>> I assume you've ssh'd into the system rather than logging on
>>> at the console?
>>>
>>> This is new behavior in newrole to address bugzilla 200110.
>>> It prohibits level changes on ptys because there are no
>>> controls on the flow of information between the pty master
>>> and slave and using newrole to change levels leaves the
>>> slave and master at different levels.
>>>
>>> It's discussed in this thread:
>>> https://www.redhat.com/archives/redhat-lspp/2007-January/msg00004.html
>>>
>>> If you don't want this behavior I think you can modify
>>> /etc/selinux/mls/contexts/securetty_contexts and
>>> add the pty selinux type, at least that's how I understand
>>> the mail thread.  Haven't tried that myself though.
>>>
>>> -- ljk
>>>
>>>       
>>>> Thanks
>>>> Ted
>>>>
>>>> -- 
>>>> redhat-lspp mailing list
>>>> redhat-lspp at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/redhat-lspp
>>>>         
>>>       
>
>   
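
A check for the step Klaus describes, as an added example that is not part of the original thread or of newrole's own code: it extracts the type from a terminal's SELinux context and reports whether that type appears in a securetty_types-style file. The function names, the sample contexts and the one-type-per-line exact-match comparison are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# Print the type field of a context "user:role:type[:level]".
# An MLS level can contain colons itself (s0-s15:c0.c1023), so take
# field 3, not the last field. Prints nothing if there are no colons.
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Return 0 if type $1 is a whole line of file $2. Surrounding whitespace
# and blank lines are ignored (assumption about the file format).
type_is_listed() {
    awk -v want="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" { next }
        $0 == want { found = 1; exit }
        END { exit !found }
    ' "$2"
}

# $1 = context of the terminal device, $2 = path to the types file.
# Returns 0 if listed, 1 if not listed, 2 if the context is malformed.
check_tty_context() {
    t=$(context_type "$1")
    if [ -z "$t" ]; then
        echo "cannot parse context: $1"; return 2
    fi
    if type_is_listed "$t" "$2"; then
        echo "$t: listed in $2"
    else
        echo "$t: NOT listed in $2"; return 1
    fi
}

# Demo on a constructed file: the five types from the thread plus
# staff_devpts_t. Both contexts below are constructed samples.
demo_file=$(mktemp)
printf '%s\n' sysadm_tty_device_t user_tty_device_t staff_tty_device_t \
    auditadm_tty_device_t secureadm_tty_device_t staff_devpts_t > "$demo_file"
check_tty_context 'staff_u:staff_r:staff_devpts_t:s0-s15:c0.c1023' "$demo_file" || true
check_tty_context 'staff_u:staff_r:user_devpts_t:s0' "$demo_file" || true
rm -f "$demo_file"
```

On an SELinux host, the context argument is the one printed by the `ls -Z` command quoted in the thread, and the file argument is /etc/selinux/mls/contexts/securetty_types.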
