Re: Text console not setting category

[Daniel J Walsh <dwalsh redhat com>]

Forrest Taylor wrote:
> On Thu, 2007-07-19 at 16:30 -0400, Daniel J Walsh wrote:
>   
> > Forrest Taylor wrote:
> >     
> > > On Thu, 2007-07-19 at 10:26 -0400, Daniel J Walsh wrote:
> > >   
> > >       
> > > > Forrest Taylor wrote:
> > > >     
> > > >         
> > > > > I have a user that has a category different than the default.  When I
> > > > > log in to the GUI or via ssh, the category is set.  However, when I
> > > > > login to the text console, the category is not set.  Is this a bug in
> > > > > login or do I have unreasonable expectations?
> > > > >
> > > > > # semanage translation -l 
> > > > > s0:c1     admin1
> > > > >
> > > > > # semanage login -l
> > > > > student   user_u    admin1
> > > > >
> > > > > Through ssh/GUI:
> > > > > $ id -Z
> > > > > user_u:system_r:unconfined_t:admin1
> > > > >
> > > > > Through text console:
> > > > > $ id -Z
> > > > > system_u:system_r:unconfined_t:SystemLow-SystemHigh
> > > > >
> > > > > Now that I write this, I notice that the user and role have changed as
> > > > > well.  I also notice this in the audit log:
> > > > >
> > > > > type=USER_ROLE_CHANGE msg=audit(1184777815.107:4063): user pid=5517
> > > > > uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> > > > > msg='pam: default-context=user_u:system_r:unconfined_t:s0:c1 selected-
> > > > > context=?: exe="/bin/login" (hostname=?, addr=?, terminal=tty1
> > > > > res=success)'
> > > > >
> > > > > This is running on RHEL 5.0.0 targeted policy.  Any clues?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Forrest
> > > > >   
> > > > > ------------------------------------------------------------------------
> > > > >
> > > > > --
> > > > > fedora-selinux-list mailing list
> > > > > fedora-selinux-list redhat com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > > >       
> > > > >           
> > > > This looks like a bug.
> > > >
> > > >
> > > > But a lot of fixes were added for 5.1 for MLS policy and this might have 
> > > > been one of them.  Since this is pretty fundamental to mls.
> > > >
> > > > A prerelease of the mls packages is available at
> > > >
> > > > http://people.redhat.com/sgrubb/files/lspp/
> > > >     
> > > >         
> > > Yes, that fixed the problem.  I pointed yum to Steve's repo and
> > > installed all the updates.  Now I get this context:
> > >
> > > user_u:system_r:unconfined_t::admin1
> > >
> > > Interesting that it has :: before admin1.  I assume that this tells us
> > > that admin1 is defined as both a security level and a category.
> > > Although this doesn't hold true for root:
> > >
> > > root:system_r:unconfined_t:-SystemHigh
> > >
> > > Why does root have -SystemHigh (why the dash)?  Turning off mcstrans
> > > shows that it is s0-s0:c0.c1023, so how is that translated to -
> > > SystemHigh, and why doesn't it have :: ?
> > >
> > > Thanks,
> > >
> > > Forrest
> > >   
> > >       
> > This looks like a translation problem.   You have s0->""  So this is really
> >
> > s0:admin1
> > s0-SystemHigh
> >     
>
> True.  BTW, why isn't s0 defined by default?  Shouldn't it be SystemLow?
>
> Forrest
>   
Just saving terminal space.  Since 99.99 % of the people in the world do 
not use MCS/MLS.  We decided to translate
s0 == "" and save terminal/screen real estate.