From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: strange pam_selinux behavior
Date: Wed, 23 Mar 2016 19:37:42 +0100
Message-ID: <56F2E276.9070702@gmail.com>
In-Reply-To: <56F2E136.6090304@gmail.com>

On 03/23/2016 07:32 PM, Dominick Grift wrote:
> On 03/23/2016 06:58 PM, Dominick Grift wrote: <snip>
>> This seems to be the code:
> 
>>> /* we have to check that this user is allowed to go into the
>>>    range they have specified ... role is tied to an seuser, so
>>>    that'll be checked at setexeccon time */
>>> if (mls_enabled &&
>>>     !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
>>>     pam_syslog(pamh, LOG_NOTICE,
>>>                "Security context %s is not allowed for %s",
>>>                defaultcon, newcon);
>>>     goto fail_set;
> 
> 
> 
> This seems related:
> 
>> class = string_to_security_class("context");
>> if (!class) {
>>     pam_syslog(pamh, LOG_ERR,
>>                "Failed to translate security class context. %m");
>>     return 0;
>> }
> 
> since:
> 
> pam_selinux(sshd:session): Failed to translate security class context. Invalid argument
> 
> What is a "security class context"?
> 
> Is it choking on the periods in my identifiers?
> 

Oh sh.. now I get it. It is choking on the "context" security class.

Yes, I don't have that "user space" access vector because that seems to
be no longer used.

Isn't the context security class a "setransd" thing? If so then I do
not believe that setransd still uses that. So this should probably be
adjusted then to not rely on that user space access vector?



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
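
One way to confirm the diagnosis in the message above on a running system, as an added example that is not part of the original message or of pam_selinux: libselinux resolves class names through the `class/` directory of selinuxfs, so a class the loaded policy does not define has no entry there and `string_to_security_class()` returns 0. The function names `class_status` and `make_fixture`, the return codes and the fixture tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not pam_selinux code): report whether the loaded policy
# exposes an object class, and optionally some of its permissions.
# selinuxfs layout relied on here:
#   <mount>/class/<name>/index          numeric class value
#   <mount>/class/<name>/perms/<perm>   one file per permission

# class_status MOUNT CLASS [PERM...]
# returns 0: class and all listed permissions exist
#         1: class is not defined by the loaded policy
#         2: class exists but a listed permission is missing
#         3: MOUNT has no class directory (SELinux disabled or wrong path)
class_status() {
    cs_mnt=$1; cs_cls=$2; shift 2
    if [ ! -d "$cs_mnt/class" ]; then
        echo "no class directory under $cs_mnt"
        return 3
    fi
    if [ ! -r "$cs_mnt/class/$cs_cls/index" ]; then
        echo "class '$cs_cls' is not defined by the loaded policy"
        return 1
    fi
    cs_rc=0
    for cs_perm in "$@"; do
        if [ ! -e "$cs_mnt/class/$cs_cls/perms/$cs_perm" ]; then
            echo "class '$cs_cls' lacks permission '$cs_perm'"
            cs_rc=2
        fi
    done
    if [ "$cs_rc" -eq 0 ]; then
        echo "class '$cs_cls' present, index $(cat "$cs_mnt/class/$cs_cls/index")"
    fi
    return "$cs_rc"
}

# make_fixture DIR: constructed stand-in for selinuxfs, modelling a policy
# that defines "process" and "file" but not the userspace "context" class.
make_fixture() {
    mkdir -p "$1/class/process/perms" "$1/class/file/perms"
    echo 2 > "$1/class/process/index"; echo 2 > "$1/class/process/perms/transition"
    echo 6 > "$1/class/file/index";    echo 2 > "$1/class/file/perms/read"
}

# Check the class that the quoted pam_selinux code looks up.
class_status /sys/fs/selinux context || true
```

A result of 1 for `context` matches the "Failed to translate security class context" log line quoted in the message.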
