From: Dominick Grift <dac.override@gmail.com>
To: Daniel J Walsh <dwalsh@redhat.com>,
Miroslav Grepl <mgrepl@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov
Subject: Re: strange pam_selinux behavior
Date: Thu, 24 Mar 2016 21:52:22 +0100 [thread overview]
Message-ID: <56F45386.9020000@gmail.com> (raw)
In-Reply-To: <56F4512A.8080507@redhat.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 03/24/2016 09:42 PM, Daniel J Walsh wrote:
>
>>
> I think this check is checking contains.
>
> class context { translate contains }
>
>
>
> The idea was you could run a system that only went up to Secret
> level, then if a user attempted to login as TopSecret he would be
> blocked. I think that is what this check is all about.
>
>
>
Thanks, this fixed it!
However, i suspect though that all this stuff is broken. because like
i said i have been using mcstransd since recently and noticed that it
was not checking that access vector at all.
sds found some code in the mcstransd repository that indicates that it
is still is used. Maybe then something is broken? would be nice of
someone could confirm whether anything is actually checking this
access vector or not.
Also this unconditional dependency on a user space access vector is
kind of dubious to me. Would it be possible to do without it?
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJW9FOBAAoJECV0jlU3+UdpPs4L/3yMMsragSJkF/rLTurmDH0F
+pSJY7f5hsvIt41I2nO1UE3XywIx1r7DtSBUenW3VO86ZwUfTAGcqOj2P2YzGRJy
Y7ZDDwVKXR0kKgqJrvPTTiWGRbYR4GX+mwa0OsS6mpnr8oJHA554zAqEcP77xWE+
EvmsObrYFrTRTIbhaK+qG96nRiSthxrZT/mAPz3aPlfOQ4EmVCsOwvepRQg6XbsF
XQArapj1gRiNFkXHvYrPeNjkUaflETZWoZTnuIBtBHLP5giSRGiwUqKkC9+tDoyJ
A15NuAWZCMD1PkVg8L9dyr4J8fahoK00WnoqqjdOnWDOPymjixW7HM2JvleigG85
vCDoqYYDdJi/2G6R8vJucNQzGS8eagi5zvuR2+nltm7/pSgn2ZyHY6IZwvjv0csS
m6asoTIOPoX7HhIZX78KR2ZijrhsLyd63TFc38YnnDDML81Gwg/7DS+SAthX6wzO
dXVCIIUIHQmIa/lVnYj/p57gw5qWfSo1+qldlUdxng==
=nVaV
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2016-03-24 20:52 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-23 17:58 strange pam_selinux behavior Dominick Grift
2016-03-23 18:32 ` Dominick Grift
2016-03-23 18:37 ` Dominick Grift
2016-03-23 19:08 ` Stephen Smalley
2016-03-23 19:09 ` Dominick Grift
2016-03-23 19:41 ` Dominick Grift
2016-03-24 13:14 ` Miroslav Grepl
2016-03-24 13:24 ` Dominick Grift
2016-03-24 13:30 ` Miroslav Grepl
2016-03-24 14:01 ` Dominick Grift
2016-03-24 14:31 ` Dominick Grift
2016-03-24 20:42 ` Daniel J Walsh
2016-03-24 20:52 ` Dominick Grift [this message]
2016-03-25 16:02 ` Dominick Grift
2016-03-25 16:31 ` Stephen Smalley
2016-03-25 16:45 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56F45386.9020000@gmail.com \
--to=dac.override@gmail.com \
--cc=dwalsh@redhat.com \
--cc=mgrepl@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.