I've been working on a fedora livecd that runs the mls policy. When I login as root via ssh
[root@livecd ~]# id -Z
root:staff_r:staff_t:SystemLow-SystemHigh
but if I login via the console
[root@livecd ~]# id -Z
system_u:system_r:local_login_t:SystemLow-SystemHigh
I'm not transitioning into the correct role/type on a console login. Any pointers on where to look/what I forgot to create would be appreciated.
joe
ls -Z `tty`
crw--w---- root tty system_u:object_r:tty_device_t:SystemLow /dev/tty4
Audit from a local login:
type=USER_AUTH msg=audit(1172236367.222:134): user pid=2395 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: authentication acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_ACCT msg=audit(1172236367.222:135): user pid=2395 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: accounting acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1172236367.228:136): login pid=2395 uid=0 old auid=4294967295 new auid=0
type=USER_ROLE_CHANGE msg=audit(1172236367.246:137): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='pam: default-context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_START msg=audit(1172236367.246:138): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='PAM: session open acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_LOGIN msg=audit(1172236367.248:140): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='uid=0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=AVC msg=audit(1172236367.248:141): avc: denied { execute_no_trans } for pid=2401 comm="login" name="bash" dev=dm-0 ino=32771 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1172236367.248:141): arch=40000003 syscall=11 success=yes exit=0 a0=91d56d0 a1=bfde41c0 a2=91d7978 a3=804d2e8 items=0 ppid=2395 pid=2401 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="bash" exe="/bin/bash" subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1172236367.248:141): path="/bin/bash"
type=AVC msg=audit(1172236367.301:142): avc: denied { execute } for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1172236367.301:142): avc: denied { execute_no_trans } for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        mls

Process contexts:
Current context:                system_u:system_r:local_login_t:SystemLow-SystemHigh
Init context:                   system_u:system_r:init_t:SystemLow-SystemHigh
/sbin/mingetty                  system_u:system_r:getty_t:SystemLow-SystemHigh
/usr/sbin/sshd                  system_u:system_r:sshd_t:SystemLow-SystemHigh

File contexts:
Controlling term:               system_u:object_r:tty_device_t:SystemLow
/etc/passwd                     system_u:object_r:etc_t:SystemLow
/etc/shadow                     system_u:object_r:shadow_t:SystemLow
/bin/bash                       system_u:object_r:shell_exec_t:SystemLow
/bin/login                      system_u:object_r:login_exec_t:SystemLow
/bin/sh                         system_u:object_r:bin_t:SystemLow -> system_u:object_r:shell_exec_t:SystemLow
/sbin/agetty                    system_u:object_r:getty_exec_t:SystemLow
/sbin/init                      system_u:object_r:init_exec_t:SystemLow
/sbin/mingetty                  system_u:object_r:getty_exec_t:SystemLow
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:SystemLow
/lib/libc.so.6                  system_u:object_r:lib_t:SystemLow -> system_u:object_r:shlib_t:SystemLow
/lib/ld-linux.so.2              system_u:object_r:lib_t:SystemLow -> system_u:object_r:ld_so_t:SystemLow
On Fri, 2007-02-23 at 13:50 -0600, Joe Nall wrote:
> I've been working on a fedora livecd that runs the mls policy. When I login as root via ssh
> [root@livecd ~]# id -Z
> root:staff_r:staff_t:SystemLow-SystemHigh
> but if I login via the console
> [root@livecd ~]# id -Z
> system_u:system_r:local_login_t:SystemLow-SystemHigh
> I'm not transitioning into the correct role/type on a console login. Any pointers on where to look/what I forgot to create would be appreciated.
Bug in pam_selinux - look for an update in rawhide and fc6. Only affects logins that use pam_selinux, so ssh and gdm are ok.
On Feb 23, 2007, at 1:49 PM, Stephen Smalley wrote:
>> I'm not transitioning into the correct role/type on a console login. Any pointers on where to look/what I forgot to create would be appreciated.
> Bug in pam_selinux - look for an update in rawhide and fc6. Only affects logins that use pam_selinux, so ssh and gdm are ok.
That was it. Thanks.
joe
selinux@lists.fedoraproject.org
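Added example (not part of the original thread, and not pam_selinux code): a Python check over audit records for the symptom discussed above, a console login whose shell is executed from local_login_t without a domain transition. Records 137, 141 and 142 are copied from the log in the first message; record 900 is constructed and assumes a healthy login reports the chosen context in selected-context. The names find_untransitioned_logins, ctx_type and LOGIN_DOMAINS are chosen for this example.

```python
import re

# Records 137, 141 and 142 are copied from the log in this thread. Record 900 is
# constructed: it assumes a healthy login reports its context in selected-context.
SAMPLE = """\
type=USER_ROLE_CHANGE msg=audit(1172236367.246:137): user pid=2395 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='pam: default-context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 selected-context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=AVC msg=audit(1172236367.248:141): avc: denied { execute_no_trans } for pid=2401 comm="login" name="bash" dev=dm-0 ino=32771 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1172236367.301:142): avc: denied { execute_no_trans } for pid=2411 comm="bash" name="hostname" dev=dm-0 ino=32832 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=USER_ROLE_CHANGE msg=audit(1172236999.100:900): user pid=2500 uid=0 auid=0 subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 msg='pam: default-context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 selected-context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r"(\w[\w-]*)=(\S+)")
LOGIN_DOMAINS = {"local_login_t"}  # domain /bin/login runs in, per the thread's log

def ctx_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def find_untransitioned_logins(log_text):
    """Return sorted (serial, reason) pairs for audit records showing a login
    session that stayed in the login program's domain."""
    findings = set()
    for line in log_text.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        serial = int(m.group(1))
        fields = dict(FIELD.findall(line))
        rtype = fields.get("type")
        if rtype == "USER_ROLE_CHANGE":
            # pam_selinux logged a default context but selected none
            if fields.get("selected-context", "").rstrip(":'") == "?":
                findings.add((serial, "no context selected"))
        elif rtype == "AVC" and "execute_no_trans" in line:
            # the login program exec'd the user's shell in its own domain
            if (ctx_type(fields.get("scontext", "")) in LOGIN_DOMAINS
                    and ctx_type(fields.get("tcontext", "")) == "shell_exec_t"):
                findings.add((serial, "shell executed without transition"))
    return sorted(findings)

if __name__ == "__main__":
    for serial, reason in find_untransitioned_logins(SAMPLE):
        print(f"audit record {serial}: {reason}")
```

Record 142 is not flagged on purpose: the hostname denial is a consequence of the shell already running in local_login_t, not a separate failure.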