[redhat-lspp] newrole error
Ted X Toth
txtoth at gmail.com
Tue Jan 16 19:43:24 UTC 2007
I added staff_devpts_t and sysadm_devpts_t to
/etc/selinux/mls/contexts/securetty_types and even rebooted but still am
getting the same error.
Ted
Klaus Weidner wrote:
> That's a usage we hadn't really considered since the configurations we're
> going for don't include a local X desktop. The same thing applies though;
> check what the type of the terminal device is that you're running on, and
> add that to the /etc/selinux/mls/contexts/securetty_types file:
>
> ls -Z `tty`
>
> I've added staff_devpts_t to the existing file contents to test this. If
> that file doesn't exist yet, get a newer policy from
> http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ or use the
> following contents:
>
> sysadm_tty_device_t
> user_tty_device_t
> staff_tty_device_t
> auditadm_tty_device_t
> secureadm_tty_device_t
>
> -Klaus
>
> On Mon, Jan 15, 2007 at 08:11:38PM -0600, Ted X Toth wrote:
>
>> Linda,
>> No, I haven't ssh'd; I'm running newrole from an xterm running locally.
>>
>> Ted
>>
>> Linda Knippers wrote:
>>
>>> Xavier Toth wrote:
>>>
>>>> I'm running the lspp 62 kernel and have installed
>>>> policycoreutils-newrole-1.33.12-1.el5, selinux-policy-mls-2.4.6-27.el5
>>>> and several other rpms they require, all of which came from Dan Walsh's
>>>> page. Now when I run newrole I get:
>>>> Error: you are not allowed to change levels on a non secure terminal
>>>>
>>>> Can anyone help me understand what the problem is and how I can fix it?
>>>>
>>> I assume you've ssh'd into the system rather than logging on
>>> at the console?
>>>
>>> This is new behavior in newrole to address bugzilla 200110.
>>> It prohibits level changes on ptys because there are no
>>> controls on the flow of information between the pty master
>>> and slave and using newrole to change levels leaves the
>>> slave and master at different levels.
>>>
>>> It's discussed in this thread:
>>> https://www.redhat.com/archives/redhat-lspp/2007-January/msg00004.html
>>>
>>> If you don't want this behavior I think you can modify
>>> /etc/selinux/mls/contexts/securetty_contexts and
>>> add the pty selinux type, at least that's how I understand
>>> the mail thread. Haven't tried that myself though.
>>>
>>> -- ljk
>>>
>>>
>>>> Thanks
>>>> Ted
>>>>
>>>> --
>>>> redhat-lspp mailing list
>>>> redhat-lspp at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/redhat-lspp
>>>>
>>>
>>
>
>
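
Added example, not part of the original message or of policycoreutils: a shell check for the step Klaus describes, reading the terminal's type from `ls -Z` output and testing whether that type is an exact line in securetty_types. The file path is the one named in the thread; the `SECURETTY_TYPES` override variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Path from the thread; SECURETTY_TYPES is an assumed override for testing.
SECURETTY_TYPES=${SECURETTY_TYPES:-/etc/selinux/mls/contexts/securetty_types}

# Print the SELinux type found in one line of `ls -Z` output.
# Other columns (mode, owner, group) may precede the context, so take the
# first field shaped like user:role:type[:level] and print its third part.
# An MLS level such as s0-s15:c0.c1023 adds colons after the type only.
tty_type_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+/) {
                split($i, part, ":"); print part[3]; exit
            }
    }'
}

# Succeed only if type $1 is a complete line of file $2. The match is
# fixed-string and whole-line, so a substring or a line with extra
# characters around the type does not count as listed.
type_is_listed() {
    [ -n "$1" ] && [ -r "$2" ] && grep -Fxq -- "$1" "$2"
}

# Report on the terminal attached to stdin.
report_tty() {
    dev=$(tty) || { echo "stdin is not a terminal"; return 2; }
    ttype=$(tty_type_from_ls "$(ls -Zd "$dev")")
    if type_is_listed "$ttype" "$SECURETTY_TYPES"; then
        echo "$dev: type '$ttype' is listed in $SECURETTY_TYPES"
    else
        echo "$dev: type '${ttype:-unknown}' is NOT listed in $SECURETTY_TYPES"
        return 1
    fi
}

# Only run the live check when there is a terminal to inspect.
if [ -t 0 ]; then report_tty || true; fi
```

Run it in the same xterm where newrole fails, so the type it reports is the one for that pty rather than for the console.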