[refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned
guido at trentalancia.com
Fri Sep 16 11:30:14 CDT 2011
On Fri, 2011-09-16 at 09:24 -0700, Justin P. Mattock wrote:
> On 09/16/2011 09:02 AM, Guido Trentalancia wrote:
> > On Fri, 2011-09-16 at 08:22 -0700, Justin P. Mattock wrote:
> > > On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> > > > ps -eZ |grep sshd
> > > I don't have sshd running, but here is ps auxZ to give you an idea of
> > > what I am seeing:
> > > http://fpaste.org/u6IB/
> > Graphical environment is not running in the proper context.
> > Not even init has transitioned properly to its own context.
> > > if I adjust /etc/pam.d/login and add select_context to pam_selinux.so
> > > then do init 3 in lilo I am able to have the context
> > > justin:staff_r:staff_t:s0 the way it should. but as soon as I init 5
> > > gdm starts up, and everything goes back to name:staff_r:insmod_t:s0
> > >
> > > I think I am either missing a boolean to have the transition running
> > Why don't you post the booleans that you're using then:
> > getsebool -a
> > For example, what are you using for init ? If you're using upstart, have
> > you set init_upstart=on ?
> > > properly, and/or pam.d or some config file somewhere needs to be adjusted.
> > > keep in mind refpolicy has no patches added to it (not sure if I need any
> > > for systemd), just plain git pull etc...
> > So are you using systemd for init ? There is a boolean called
> > init_systemd which possibly is similar to the above mentioned one for
> > upstart.
> > Start from tackling init running in the kernel context and not
> > transitioning to init_t. The rest might be mostly due to that: personal
> > experience.
> > > Justin P. Mattock
> > Guido
> looking more into fedora(s) structure of what they have:
> /sbin/init -> ../bin/systemd
> ls -lZ /sbin/init
> lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /sbin/init
> -> ../bin/systemd
> [justin at Linux-2 ~]$ ls -lZ /bin/systemd
> -rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /bin/systemd
> using chcon on:
> chcon system_u:object_r:init_exec_t:s0 /sbin/init
> seems to not change this for whatever the reason.
That's just the link, don't worry about that. The important thing is the
label on the target.
> keep in mind I am not sure how systemd runs or is setup.
Now move onto the next enabler:
setsebool -P init_systemd=on
In my previous message I did forget the "-P" option, that's vital.
> Justin P. Mattock
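Added example, not part of the original message or of refpolicy: a small filter over `ps -eZ` output that reports the two symptoms discussed in this thread, PID 1 not running in init_t and login-user processes running in an unexpected type such as insmod_t. The function name `check_contexts`, the helper `sample_ps` and the sample process list are constructed for illustration; the kernel_t type for an untransitioned init is an assumption based on "kernel context" above.

```shell
#!/bin/sh
# Reads `ps -eZ` output on stdin (columns: LABEL PID TTY TIME CMD).
# $1 is the type the login user's processes are expected to run in.
check_contexts() {
    awk -v want="$1" '
    NR == 1 && $1 == "LABEL" { next }          # skip the header line
    {
        split($1, c, ":")                      # user:role:type:level
        if ($2 == 1 && c[3] != "init_t")
            # init never left the context it was started in
            printf "INIT pid=1 type=%s expected=init_t\n", c[3]
        else if (c[1] != "system_u" && c[3] != want)
            # a login-user process ended up in the wrong domain
            printf "USER pid=%s comm=%s context=%s expected_type=%s\n",
                   $2, $NF, $1, want
    }'
}

# Constructed sample resembling the situation described in the thread.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:kernel_t:s0       1 ?        00:00:01 systemd
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
justin:staff_r:insmod_t:s0       1402 ?        00:00:00 gnome-session
justin:staff_r:staff_t:s0        1377 tty2     00:00:00 bash
EOF
}

# On a live system: ps -eZ | check_contexts staff_t
sample_ps | check_contexts staff_t
```
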