From: Ole Kliemann <ole@plastictree.net>
To: selinux@tycho.nsa.gov
Subject: Re: Possible bug in finding default context?
Date: Fri, 10 Aug 2012 13:06:39 +0200
Message-ID: <20120810110639.GD2296@telvanni>
In-Reply-To: <20120809174519.GE1643@telvanni>
On Thu, Aug 09, 2012 at 07:45:19PM +0200, Ole Kliemann wrote:
> Some time ago I posted about a problem I had when building a
> monolithic policy. Login programs were unable to determine the
> default context of users when logging in, although I was pretty
> sure I did everything right. I never resolved that but didn't
> bother either since I started writing a new modular policy from
> scratch.
>
> Everything worked flawlessly, including logins, until suddenly
> now logins started to fail again with the login programs unable
> to determine the context of the user.
>
> Oh, what fresh hell is this?! So I started rolling back changes,
> and it turns out if there are too many types associated with one
> role and that role and one of its types is set as default context
> for a user, /bin/login gives 'Unable to get valid context'.
>
> BTW, the exact number seems 194. 194 types associated with one
> role works. 195 and it's broken.
>
> I'm doing this on Ubuntu 12.04, so it could be the crappily
> maintained selinux userland here.
>
> Ole
The workaround is to give each type its own role and then associate
all the roles with the user. This way around it works.
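An added example, not part of the original message or of any SELinux tooling: a Python check over policy source in policy.conf syntax that reports users whose roles carry more types than the 194 the poster found to work, and shows that the one-role-per-type layout from the workaround passes it. It handles only explicit type lists (no attributes, `*`, `~` or `-` exclusions), and the `app_*` names and sample policies are constructed.

```python
import re
from collections import defaultdict

# Threshold reported in the message above for Ubuntu 12.04; not a documented limit.
REPORTED_MAX_TYPES = 194

# "role R types T;" or "role R types { T1 T2 };" (explicit type names only, an assumption)
ROLE_TYPES = re.compile(r"^\s*role\s+(\S+)\s+types\s+(\{[^}]*\}|[^\s;{]+)\s*;", re.M)
# "user U roles R ..." or "user U roles { R1 R2 } ..."
USER_ROLES = re.compile(r"^\s*user\s+(\S+)\s+roles\s+(\{[^}]*\}|[^\s;{]+)", re.M)

def _names(group):
    return group.strip("{} \t\n").split()

def _strip_comments(text):
    return re.sub(r"#.*", "", text)

def types_per_role(policy_text):
    """Map each role to the set of types associated with it, across all statements."""
    roles = defaultdict(set)
    for role, group in ROLE_TYPES.findall(_strip_comments(policy_text)):
        roles[role].update(_names(group))
    return roles

def users_at_risk(policy_text, limit=REPORTED_MAX_TYPES):
    """Return {user: {role: type_count}} for roles with more than `limit` types."""
    roles = types_per_role(policy_text)
    report = {}
    for user, group in USER_ROLES.findall(_strip_comments(policy_text)):
        big = {r: len(roles[r]) for r in _names(group) if len(roles.get(r, ())) > limit}
        if big:
            report[user] = big
    return report

def make_policy(n_types, split):
    """Constructed sample policy: one big role, or one role per type (the workaround)."""
    types = [f"app_{i}_t" for i in range(n_types)]
    if not split:
        return (f"role app_r types {{ {' '.join(types)} }};\n"
                "user app_u roles { app_r };\n")
    lines = [f"role app_{i}_r types {t};" for i, t in enumerate(types)]
    roles = " ".join(f"app_{i}_r" for i in range(n_types))
    return "\n".join(lines) + f"\nuser app_u roles {{ {roles} }};\n"

if __name__ == "__main__":
    for n, split in [(194, False), (195, False), (195, True)]:
        print(n, "split" if split else "single role", users_at_risk(make_policy(n, split)))
```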