1 |
>Login contexts are determined by the running policy, so login gets them |
2 |
>by requesting them through selinuxfs (/selinux). So to correctly login |
3 |
>locally you need: |
4 |
> |
5 |
>1. correctly setup policy |
6 |
>2. agetty is in getty_t |
7 |
>3. /bin/login is login_exec_t |
8 |
>4. selinuxfs is mounted |
9 |
> |
10 |
>These aren't all the requirements, but the ones that are needed to get |
11 |
>login contexts. ps -AZ and look at all the agetty's to make sure |
12 |
>they're all running in the right context (since sestatus only shows |
13 |
>one). But since your logged in the kernel_t context, and your |
14 |
>controlling term is wrong, you should probably restart, so everything |
15 |
>can get into the right context. |
16 |
> |
17 |
> |
18 |
|
19 |
Hmm, ok, this looks like the problem then. 2) agetty is running in |
20 |
system_u:system_r:kernel_t? Should that be happening? 1), 3) and 4) |
21 |
are fine |
22 |
|
23 |
Tested rebooting and I can log in then. However, the policy is clearly |
24 |
not auto loading, ps -AZ shows everything running as "kernel". cd |
25 |
/etc/blah/policy and doing make reload sets agetty back as described |
26 |
above and no more consoles can login... SSH into the machine doesn't |
27 |
work then either, with an error in syslog which looks like basically the |
28 |
same thing, no default security context found for user root... |
29 |
|
30 |
Before testing any of this I reloaded the security policy and re-applied |
31 |
it to the whole fs. Then rebooted. |
32 |
|
33 |
ls -AZ /sbin/agetty |
34 |
system_u:object_r:getty_exec_t |
35 |
|
36 |
Is this correct ^^^? I'm still not getting how it ends up with the |
37 |
context that it does, unless it simply inherits it from the fact that it |
38 |
was previously running as root? I can't see any reference to agetty in |
39 |
the policy dirs |
40 |
|
41 |
Thanks for any insight |
42 |
|
43 |
Ed W |
44 |
|
45 |
-- |
46 |
gentoo-hardened@g.o mailing list |