[refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned

Justin P. Mattock justinmattock at yahoo.com
Fri Sep 16 11:24:39 CDT 2011


On 09/16/2011 09:02 AM, Guido Trentalancia wrote:
> On Fri, 2011-09-16 at 08:22 -0700, Justin P. Mattock wrote:
>> On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
>>> ps -eZ |grep sshd
>> I don't have sshd running, but here is ps auxZ to give you an idea of
>> what I am seeing:
>> http://fpaste.org/u6IB/
> Graphical environment is not running in the proper context.
>
> Not even init has transitioned properly to its own context.
>
>> if I adjust /etc/pam.d/login and add select_context to pam_selinux.so
>> then do init 3 in lilo I am able to have the context
>> justin:staff_r:staff_t:s0  the way it should. but as soon as I init 5
>> gdm starts up, and everything goes back to name:staff_r:insmod_t:s0
>>
>> I think I am either missing a boolean to have the transition running
> Why don't you post the booleans that you're using then:
>
> getsebool -a
>
> For example, what are you using for init ? If you're using upstart, have
> you set init_upstart=on ?
>
>> properly, and/or pam.d or some config file somewhere needs to be adjusted.
>> keep in mind refpolicy has no patches added to it(not sure if I need any
>> for systemd), just plain git pull  etc...
> So are you using systemd for init ? There is a boolean called
> init_systemd which possibly is similar to the above mentioned one for
> upstart.
>
> Start from tackling init running in the kernel context and not
> transitioning to init_t. The rest might be mostly due to that: personal
> experience.
>
>> Justin P. Mattock
> Guido
>

looking more into fedora(s) structure of what they have:
/sbin/init -> ../bin/systemd

  ls -lZ /sbin/init
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin/init -> ../bin/systemd
[justin at Linux-2 ~]$ ls -lZ /bin/systemd
-rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /bin/systemd

using chcon on:
chcon system_u:object_r:init_exec_t:s0 /sbin/init
seems to not change this for whatever reason. Keep in mind I am not 
sure how systemd runs or is set up.

Justin P. Mattock
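
Guido's advice in the quoted reply is to start with PID 1 still running in the kernel context. The check below, run over `ps -eZ` output, surfaces that and the insmod_t session process in one pass. It is an added example, not part of the original message: the sample lines are constructed and the two rules are assumptions to adjust to the loaded policy.

```shell
#!/bin/sh
# Added example (not from the thread): flag missed SELinux domain transitions
# in `ps -eZ` output (columns: LABEL PID TTY TIME CMD).

# Constructed sample, modelled on the symptoms described in the thread.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:kernel_t:s0       1 ?        00:00:01 systemd
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
justin:staff_r:insmod_t:s0       1432 ?        00:00:00 gnome-session
justin:staff_r:staff_t:s0        1501 tty2     00:00:00 bash
EOF
}

# Reads ps -eZ lines on stdin; prints one line per suspicious process.
# Assumed rules (hypothetical, adjust to the policy in use):
#   - PID 1 must be in init_t, not still in kernel_t
#   - insmod_t is only expected for the module tools themselves
check_contexts() {
  awk '
    NR == 1 && $1 == "LABEL" { next }          # skip the header line
    {
      split($1, ctx, ":")                      # user:role:type:level
      type = ctx[3]; pid = $2; cmd = $5
      if (pid == 1 && type != "init_t")
        printf "PID 1 %s in %s, expected init_t\n", cmd, type
      else if (type == "insmod_t" && cmd !~ /^(insmod|modprobe|rmmod)$/)
        printf "PID %s %s in insmod_t (role %s)\n", pid, cmd, ctx[2]
    }'
}

sample_ps | check_contexts
```

On a live system the same function takes real input with `ps -eZ | check_contexts`.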

