From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from jazzdrum.ncsc.mil (zombie.ncsc.mil [144.51.88.131]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with SMTP id l4A9Xcmk009232 for ; Thu, 10 May 2007 05:33:38 -0400
Received: from nz-out-0506.google.com (jazzdrum.ncsc.mil [144.51.5.7]) by jazzdrum.ncsc.mil (8.12.10/8.12.10) with ESMTP id l4A9XbYU015366 for ; Thu, 10 May 2007 09:33:37 GMT
Received: by nz-out-0506.google.com with SMTP id n1so509681nzf for ; Thu, 10 May 2007 02:33:37 -0700 (PDT)
Message-ID: <4642E6D4.2030006@gmail.com>
Date: Thu, 10 May 2007 17:33:08 +0800
From: Ken YANG
MIME-Version: 1.0
To: Stephen Smalley
CC: JanuGerman , Karl MacMillan , SELinux List
Subject: Re: cannot login using strict policy
References: <706356.14667.qm@web86906.mail.ukl.yahoo.com> <1177515880.24282.223.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1177515880.24282.223.camel@moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain; charset=gb18030; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Stephen Smalley wrote:
> On Wed, 2007-04-25 at 15:31 +0000, JanuGerman wrote:
>> Hi Karl,
>>
>> Thanks for the response. I have to reboot with 'selinux=0' in order to
>> diagnose the type of .bash_profile. It is
>> 'root:object_r:user_home_t:s0'. This seems to me a problem, like every
>> time, I will have to reboot with selinux=0, in order to get the
>> attributes of the file. Plus one question regarding the unconfined_t.
>> Is unconfined_t changed to confined_t in strict policy mode?
>
> You should just be able to boot with enforcing=0, not selinux=0. Or
> even switch to permissive via setenforce 0 if you can login at least on
> the console and newrole -r sysadm_r.
>
> Under strict policy, users run in confined domains like user_t and
> staff_t, and the user must newrole -r sysadm_r to enter the admin role.
>
> The /root files should be labeled with sysadm_home_t, not user_home_t.
> Look at /etc/selinux/strict/contexts/files/file_contexts.homedirs for
> the /root entries.

I also had the same error when switching from targeted to strict.

I notice in the AVC messages that there are some deny errors:

avc: denied { search } comm="gconfd-2" name="root" scontext=root:staff_r:staff_gconfd_t:s0-s0:c0.c1023 tcontext=root:object_r:sysadm_home_dir_t:s0

I guess that this error is related to the "permission denied" of ".bash_profile".

I find that "staff_gconfd_t" is generated by a domain transition from "staff_t" to "staff_gconfd_t" (defined in gnome_per_role_template()).

I wonder why the "root" user's role is staff_r when logging in through gdm, and is sysadm_r when logging in at level 3 (through mingetty).

As Stephen said, in strict policy, users should run in user_t and staff_t, and the "local_login_t" line in "users/root" indicates that the role of root is "sysadm_r", while the same line in "default_contexts" indicates that the role of a user is staff_r.

I am confused by the above situations. What decides the role and domain of a user (normal users and root)?

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
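To illustrate what decides a login's role and domain (the question the thread ends on), here is an added Python example that is not part of the mailing-list post: it resolves a user's default context from constructed excerpts in the default_contexts(5) format, consulting users/<name> before the global default_contexts and keeping only candidates whose role the SELinux user may enter. The file contents and the role sets are constructed for the example; on a real system libselinux's get_ordered_context_list() does this lookup and takes the user-to-role authorisation from the loaded policy.

```python
# Added example: simplified model of the default_contexts lookup that login
# programs (local_login_t, sshd_t, xdm_t) perform to choose a user's context.
# Constructed excerpts, not copied from any system. Each line maps a login
# program's partial context (role:type:level) to an ordered candidate list.
USERS_ROOT = """\
system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0         sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
"""
DEFAULT_CONTEXTS = """\
system_r:local_login_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0         user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0          user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
"""


def parse_contexts(text):
    """Return {login partial context: [candidate partial contexts, in order]}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table.setdefault(fields[0], []).extend(fields[1:])
    return table


def partial(context):
    """Drop the user field: 'system_u:system_r:xdm_t:s0' -> 'system_r:xdm_t:s0'."""
    return ":".join(context.split(":")[1:])


def default_context(seuser, login_context, allowed_roles,
                    user_file=None, global_file=DEFAULT_CONTEXTS):
    """First candidate whose role is in allowed_roles, users/<name> first.
    allowed_roles stands in for the policy's 'user X roles { ... }' statement
    (constructed assumption; the real lookup asks the kernel policy)."""
    key = partial(login_context)
    for text in (user_file, global_file):
        if text is None:
            continue
        for cand in parse_contexts(text).get(key, []):
            if cand.split(":")[0] in allowed_roles:
                return f"{seuser}:{cand}"
    return None  # no authorised candidate: the login program refuses


if __name__ == "__main__":
    root_roles = {"staff_r", "sysadm_r", "system_r"}  # root lacks user_r in strict
    print(default_context("root", "system_u:system_r:local_login_t:s0", root_roles, USERS_ROOT))
    print(default_context("root", "system_u:system_r:xdm_t:s0", root_roles, USERS_ROOT))
```

With these constructed files a console login (local_login_t) hits the users/root entry and yields sysadm_r:sysadm_t, while a gdm login (xdm_t) has no users/root entry, falls through to default_contexts, skips user_r because root is not authorised for it, and lands on staff_r:staff_t, matching the behaviour described above.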