| 1 |
>Login contexts are determined by the running policy, so login gets them |
| 2 |
>by requesting them through selinuxfs (/selinux). So to correctly login |
| 3 |
>locally you need: |
| 4 |
> |
| 5 |
>1. correctly setup policy |
| 6 |
>2. agetty is in getty_t |
| 7 |
>3. /bin/login is login_exec_t |
| 8 |
>4. selinuxfs is mounted |
| 9 |
> |
| 10 |
>These aren't all the requirements, but the ones that are needed to get |
| 11 |
>login contexts. ps -AZ and look at all the agetty's to make sure |
| 12 |
>they're all running in the right context (since sestatus only shows |
| 13 |
>one). But since your logged in the kernel_t context, and your |
| 14 |
>controlling term is wrong, you should probably restart, so everything |
| 15 |
>can get into the right context. |
| 16 |
> |
| 17 |
> |
| 18 |
|
| 19 |
Hmm, ok, this looks like the problem then. 2) agetty is running in |
| 20 |
system_u:system_r:kernel_t? Should that be happening? 1), 3) and 4) |
| 21 |
are fine |
| 22 |
|
| 23 |
Tested rebooting and I can log in then. However, the policy is clearly |
| 24 |
not auto loading, ps -AZ shows everything running as "kernel". cd |
| 25 |
/etc/blah/policy and doing make reload sets agetty back as described |
| 26 |
above and no more consoles can login... SSH into the machine doesn't |
| 27 |
work then either, with an error in syslog which looks like basically the |
| 28 |
same thing, no default security context found for user root... |
| 29 |
|
| 30 |
Before testing any of this I reloaded the security policy and re-applied |
| 31 |
it to the whole fs. Then rebooted. |
| 32 |
|
| 33 |
ls -AZ /sbin/agetty |
| 34 |
system_u:object_r:getty_exec_t |
| 35 |
|
| 36 |
Is this correct ^^^? I'm still not getting how it ends up with the |
| 37 |
context that it does, unless it simply inherits it from the fact that it |
| 38 |
was previously running as root? I can't see any reference to agetty in |
| 39 |
the policy dirs |
| 40 |
|
| 41 |
Thanks for any insight |
| 42 |
|
| 43 |
Ed W |
| 44 |
|
| 45 |
-- |
| 46 |
gentoo-hardened@g.o mailing list |
Archives