[redhat-lspp] Problem SSH-ing into LSPP system with multiple categories
Klaus Weidner
klaus at atsec.com
Mon Jan 29 17:42:15 UTC 2007
On Fri, Jan 26, 2007 at 12:54:44PM -0800, Kylene Jo Hall wrote:
> More test data:
>
> ssh testuer/user_r/s#:c0,c1 at localhost works for every value of # between
> 0 and 15 except 2.

I can reproduce this, and it appears to be related to label translations.
This is in the /etc/selinux/mls/setrans.conf file:

# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B

Commenting out these entries makes login work again.

Failed login:

type=USER_ROLE_CHANGE msg=audit(1170092360.977:951): user pid=2498 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 selected-context=staff_u:staff_r:staff_t:Secret:A,B: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=failed)'

Successful login (translation commented out):

type=USER_ROLE_CHANGE msg=audit(1170092403.742:991): user pid=2553 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 selected-context=staff_u:staff_r:staff_t:s2:c0,c1: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=success)'

Is "Secret:A,B" correct syntax?

-Klaus
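
Added example (not part of the original message): a Python check that parses USER_ROLE_CHANGE audit records like the two quoted above and reports whether the MLS field of selected-context is in raw sN:cN form or has been replaced by a translated label. The function name and the raw-label regular expression are assumptions of this example; the two sample records are copied from the message.

```python
import re

# Raw MLS level or range: sN[:cats][-sN[:cats]], cats such as c0,c1 or c0.c1023.
# (Assumed pattern for this example; it covers the labels seen in the message.)
_CATS = r"c\d+(?:[.,]c\d+)*"
_LEVEL = rf"s\d+(?::{_CATS})?"
RAW_MLS = re.compile(rf"^{_LEVEL}(?:-{_LEVEL})?$")

# Pull the audit serial, the selected context and the result out of one record.
# ".+?" rather than "\S+?" because translated labels may contain spaces.
RECORD = re.compile(
    r"type=USER_ROLE_CHANGE msg=audit\([\d.]+:(?P<serial>\d+)\).*?"
    r"selected-context=(?P<ctx>.+?): exe=.*?\bres=(?P<res>\w+)"
)

# The two records quoted in the message, one per line.
SAMPLE = """\
type=USER_ROLE_CHANGE msg=audit(1170092360.977:951): user pid=2498 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 selected-context=staff_u:staff_r:staff_t:Secret:A,B: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_ROLE_CHANGE msg=audit(1170092403.742:991): user pid=2553 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='sshd: default-context=staff_u:staff_r:staff_t:s0-s15:c0.c1023 selected-context=staff_u:staff_r:staff_t:s2:c0,c1: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=success)'
"""

def check_role_changes(lines):
    """Return one dict per USER_ROLE_CHANGE record found in `lines`."""
    findings = []
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue  # not a role-change record, or an unexpected layout
        # An SELinux context is user:role:type:mls; the MLS part may contain ':'.
        parts = m["ctx"].split(":", 3)
        mls = parts[3] if len(parts) == 4 else ""
        findings.append({
            "serial": int(m["serial"]),
            "result": m["res"],
            "mls": mls,
            "raw_mls": bool(RAW_MLS.match(mls)),
        })
    return findings

if __name__ == "__main__":
    for f in check_role_changes(SAMPLE.splitlines()):
        form = "raw" if f["raw_mls"] else "TRANSLATED"
        print(f"serial={f['serial']} res={f['result']} mls={f['mls']!r} ({form})")
```
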