From: Stephen Smalley <sds@tycho.nsa.gov>
To: Dominick Grift <dac.override@gmail.com>, selinux@tycho.nsa.gov
Subject: Re: strange pam_selinux behavior
Date: Wed, 23 Mar 2016 15:08:09 -0400
Message-ID: <56F2E999.1070904@tycho.nsa.gov>
In-Reply-To: <56F2E276.9070702@gmail.com>

On 03/23/2016 02:37 PM, Dominick Grift wrote:
> On 03/23/2016 07:32 PM, Dominick Grift wrote:
>> On 03/23/2016 06:58 PM, Dominick Grift wrote: <snip>
>>> This seems to be the code:
> 
>>>>     /* we have to check that this user is allowed to go into the
>>>>        range they have specified ... role is tied to an seuser, so
>>>>        that'll be checked at setexeccon time */
>>>>     if (mls_enabled &&
>>>>         !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
>>>>         pam_syslog(pamh, LOG_NOTICE,
>>>>                    "Security context %s is not allowed for %s",
>>>>                    defaultcon, newcon);
>>>>         goto fail_set;
> 
> 
> 
>> This seems related:
> 
>>>     class = string_to_security_class("context");
>>>     if (!class) {
>>>         pam_syslog(pamh, LOG_ERR,
>>>                    "Failed to translate security class context. %m");
>>>         return 0;
>>>     }
> 
>> since:
> 
>> pam_selinux(sshd:session): Failed to translate security class context. Invalid argument
> 
>> What is a "security class context"?
> 
>> Is it choking on the periods in my identifiers?
> 
> 
> Oh sh.. now I get it. It is choking on the "context" security class.
> 
> Yes, I don't have that "user space" access vector because that seems to
> be no longer used.
> 
> Isn't the context security class a "setransd" thing? If so, then I do
> not believe that setransd still uses that. So this should probably be
> adjusted then to not rely on that user space access vector?

I still see it in use in mcstrans:
policycoreutils/mcstrans/src/mcscolor.c:	security_class_t context_class = string_to_security_class("context");

Whether or not it ought to be used by pam_selinux is a different question...
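An added check, not code from pam_selinux, libselinux or anyone in this thread: a POSIX shell script that reads the kernel's selinuxfs (`<root>/class/<class>/perms/<perm>`, the real layout under `/sys/fs/selinux`) to tell whether the loaded policy still defines the userspace `context` class that the quoted `string_to_security_class("context")` call resolves. As the quoted pam_selinux code shows, a zero return from `mls_range_allowed()` jumps to `fail_set`, so a policy without the class refuses MLS logins rather than skipping the check; the script prints that consequence. The function names are hypothetical, the temporary trees built by `make_fake_selinuxfs` are constructed so the script runs offline, and the `translate`/`contains` permission names are assumed from the reference policy's definition of the class.

```shell
#!/bin/sh
# Added example, not pam_selinux or libselinux code. Reads the kernel's
# selinuxfs class tree to see whether the loaded policy defines the userspace
# "context" class that pam_selinux's mls_range_allowed() looks up via
# string_to_security_class("context"). ROOT defaults to /sys/fs/selinux;
# pass another directory (e.g. a constructed tree) to run offline.

# Prints the permissions of class $2 under root $1, one per line.
# Returns 0 if the class exists in the policy, 1 if it does not.
selinux_class_perms() {
    root="${1:-/sys/fs/selinux}"
    cls="$2"
    if [ ! -d "$root/class/$cls" ]; then
        return 1
    fi
    for p in "$root/class/$cls/perms"/*; do
        [ -e "$p" ] || continue   # unmatched glob leaves the pattern itself
        basename "$p"
    done
    return 0
}

# Reports what pam_selinux would do on this policy. When the class is
# missing, mls_range_allowed() logs "Failed to translate security class
# context" and returns 0, so the login is refused (it fails closed).
check_context_class() {
    root="${1:-/sys/fs/selinux}"
    if perms=$(selinux_class_perms "$root" context); then
        echo "context class present; perms: $(echo "$perms" | tr '\n' ' ')"
        return 0
    fi
    echo "context class missing: pam_selinux MLS range check will fail closed"
    return 1
}

# Constructed fake selinuxfs trees (not a real policy) for offline use.
# selinuxfs stores each permission as a file holding its number; the
# perm names are assumed from the reference policy's "context" class.
make_fake_selinuxfs() {
    dir=$(mktemp -d)
    if [ "$1" = with ]; then
        mkdir -p "$dir/class/context/perms"
        echo 1 > "$dir/class/context/perms/translate"
        echo 2 > "$dir/class/context/perms/contains"
    else
        mkdir -p "$dir/class/process/perms"   # some other class, no "context"
    fi
    echo "$dir"
}

# Demonstration against the two constructed trees; replace the argument
# with nothing (or /sys/fs/selinux) to check the running system.
demo() {
    check_context_class "$(make_fake_selinuxfs with)"
    check_context_class "$(make_fake_selinuxfs without)" || true
}
```

On a live system `check_context_class` with no argument reads `/sys/fs/selinux` directly; the "context class missing" branch is the condition behind the `Failed to translate security class context. Invalid argument` line in the sshd session log above.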


Thread overview: 16+ messages
2016-03-23 17:58 strange pam_selinux behavior Dominick Grift
2016-03-23 18:32 ` Dominick Grift
2016-03-23 18:37   ` Dominick Grift
2016-03-23 19:08     ` Stephen Smalley [this message]
2016-03-23 19:09       ` Dominick Grift
2016-03-23 19:41         ` Dominick Grift
2016-03-24 13:14           ` Miroslav Grepl
2016-03-24 13:24             ` Dominick Grift
2016-03-24 13:30               ` Miroslav Grepl
2016-03-24 14:01                 ` Dominick Grift
2016-03-24 14:31                 ` Dominick Grift
2016-03-24 20:42                   ` Daniel J Walsh
2016-03-24 20:52                     ` Dominick Grift
2016-03-25 16:02                     ` Dominick Grift
2016-03-25 16:31                       ` Stephen Smalley
2016-03-25 16:45                         ` Dominick Grift