New prompt at login time

Daniel J Walsh dwalsh at redhat.com
Tue Oct 25 20:31:30 UTC 2005


Allen, Jack wrote:
>
>         I have posted this on the redhat-list and the pam-list and no 
> one responded. So I am trying here. Hopefully someone will have 
> something to say that will help.
>
>         I ran up2date yesterday (now a few days ago) and have my
> system completely up to date. I rebooted this morning (now a few days
> ago) and now when I login via telnet, yes that is just plain old
> telnet, not ssh, I get the following:
>
Remove multiple for pam_selinux in /etc/pam.d/*
>
>
> ========
> Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
> Kernel 2.6.9-22.ELsmp on an i686
> login: jca
> Password:
> Your default context is user_u:system_r:unconfined_t.
> Do you want to choose a different one? [n]
> ========
> I just entered a CR and thought this would be a one time thing. But it
> is not. While the prompt was being displayed I did a who and it does not
> show me logged in yet. I did a ps -ef | grep log and see a login process
> with the host name and -p option. So it appears the prompt is coming
> from the login program or its calls to some PAM routine.
> Does anybody know where this is controlled so I can set a
> default and not be prompted each time?
> Also exactly what is this controlling?
> If I do id, it shows context=user_u:system_r:unconfined_t
> Some things I have been able to find out and more questions.
> I did man -k context and discovered the get_default_context routine. Doing
> man get_default_context tells me about get_default_context_list
> get_ordered_context_list queries the SE Linux policy database in the
> kernel and some configuration files to determine an ordered list of
> contexts that may be used for login sessions. The list must be freed
> with freeconary. The possible roles and domains will be read from
> /etc/security/default_contexts and .default_contexts in the home
> directory of the user in question.
> My question now is what is the format of the files listed above?
> manual_user_enter_context allows the user to manually enter a context
> as a fallback if a list of authorized contexts could not be obtained.
> Caller must free via freecon.
> So I assume this is why I am getting prompted.
> I found default_contexts in /etc/selinux/targeted/contexts and it 
> contains:
> system_r:unconfined_t system_r:unconfined_t
> I also found that if I removed the multiple option for pam_selinux.so, 
> in remote located in /etc/pam.d, I do not get the prompt. So is this 
> the correct place to correct this? That is the next time I run up2date 
> and there is an update to remote is it going to get replaced and I 
> will have to remove it again? Or is there another place that controls 
> this that would be better to change.
>
> Thanks:
> Jack Allen
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
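
An added example, not part of the original thread: one way to check the fix above, and to re-check it after a later up2date run, is to list every active line under a PAM directory that loads pam_selinux.so with the multiple option. The function names and the sample files are constructed for illustration; the contents of the real /etc/pam.d/remote are not shown in this thread.

```shell
#!/bin/sh
# Audit a PAM configuration directory for pam_selinux.so lines that
# carry the "multiple" option (the option that causes the context prompt).

# Print "file:line_number:text" for each active line in DIR/* where
# "multiple" appears as an option word after the pam_selinux.so module.
# DIR defaults to /etc/pam.d.
find_pam_selinux_multiple() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }                  # whole-line comment
            {
                mod = 0
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /^#/) break         # trailing comment starts
                    if ($i ~ /pam_selinux\.so$/) mod = i
                    else if (mod && $i == "multiple") {
                        print file ":" NR ":" $0
                        break
                    }
                }
            }
        ' "$f"
    done
}

# Build a throwaway directory with constructed sample PAM files.
make_sample_pamd() {
    d=$(mktemp -d) || return 1
    cat > "$d/remote" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
session    required     pam_selinux.so close
session    required     pam_selinux.so multiple open
EOF
    cat > "$d/login" <<'EOF'
#%PAM-1.0
# session  required     pam_selinux.so multiple open
session    required     pam_selinux.so open
EOF
    echo "$d"
}

# Demonstration on the constructed sample: reports only remote, line 4.
sample=$(make_sample_pamd)
find_pam_selinux_multiple "$sample"
rm -rf "$sample"
```

Run find_pam_selinux_multiple with no argument to scan /etc/pam.d itself; no output means no service still requests the context prompt.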

