From: harrytaurus2002@hotmail.com (TaurusHarry)
Date: Wed, 12 Aug 2009 09:26:02 +0000
Subject: [refpolicy] Questions about the staff_u user in refpolicy-20081210
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all,

I've got some more questions about refpolicy-20081210 with MLS enabled. The machine is i686 32-bit, and I am logging in through a serial console which in turn is mapped to the system console.

I have created a staff_u user named "harry" and set up his home directory properly. Why is the /home/harry/ directory labeled as "user_u" rather than "staff_u"?

The more interesting thing is, I can log harry in by ssh either from localhost or from another remote machine, and harry logs in with the "staff_u:staff_r:staff_t" context properly. However, I am unable to log harry in locally at the login prompt with the default staff_r role: the mingetty program seems to have exited abnormally, but the screen flashed by too quickly to catch any error messages. BTW, an unprivileged user mapped to user_u can log in with the default user_u at the login prompt.

Moreover, if harry picks a role other than staff_r, say sysadm_r, then he can log in locally at the login prompt, but sysadm_r then fails to newrole to staff_r, although newrole seems to have exited uneventfully.

Details are logged below; any comments are greatly appreciated!

Best regards,
Harry

---

1. Why is /home/harry labeled as "user_u" rather than "staff_u"?
[root/sysadm_r/s0@d610-2 ~]# tty
/dev/console
[root/sysadm_r/s0@d610-2 ~]# ls -Z `tty`
crw--w---- root tty root:object_r:console_device_t:s0 /dev/console
[root/sysadm_r/s0@d610-2 ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
harry                     staff_u                   s0-s15:c0.c255
root                      root                      s0-s15:c0.c255
system_u                  system_u                  s0-s15:c0.c255
[root/sysadm_r/s0@d610-2 ~]# ssh harry@localhost
Password:
Last login: Wed Aug 12 20:23:00 2009 from localhost
harry@d610-2:~$ id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c255
harry@d610-2:~$ ls -Z /home | grep harry
drwxr-xr-x harry harry user_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
harry@d610-2:~$

2. Why can't the staff user log in locally with the default staff_r?

d610-2 login: harry
Password:
Default Security Context staff_u:staff_r:staff_t:s0-s15:c0.c255
Would you like to enter a different role or level? [n] y
role: [staff_r] sysadm_r
level: [s0-s15:c0.c255]
Last login: Wed Aug 12 23:54:24 on console
harry@d610-2:~$ id -Z
staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
harry@d610-2:~$ newrole -r staff_r
Password:                    # newrole didn't fail, but
harry@d610-2:~$ id -Z        # the role remained sysadm_r
staff_u:sysadm_r:sysadm_t:s0-s15:c0.c255
harry@d610-2:~$ newrole -r secadm_r
Password:
harry@d610-2:~$ id -Z
staff_u:secadm_r:secadm_t:s0-s15:c0.c255
harry@d610-2:~$
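The first question above (a home directory whose label carries a different SELinux user than the one the login is mapped to) is easy to check systematically. The following shell script is an added example, not code from the post or from refpolicy: it compares the SELinux user in each /home entry's context with the SELinux user that `semanage login -l` maps the owning login to, falling back to the `__default__` mapping the way login and sshd do. The two sample outputs are constructed from the output quoted in the post, plus one invented login ("alice") that is labeled consistently.

```shell
#!/bin/sh
# Added example (not from the post): for each home directory under /home,
# compare the SELinux user in its label with the SELinux user that
# `semanage login -l` maps the owning login to, and report mismatches.
# Both sample outputs below are constructed (taken from the post, plus an
# invented, correctly labeled login "alice").

# Constructed sample of `semanage login -l`.
SEMANAGE_LOGIN_SAMPLE='Login Name SELinux User MLS/MCS Range
__default__ user_u s0
harry staff_u s0-s15:c0.c255
root root s0-s15:c0.c255
system_u system_u s0-s15:c0.c255'

# Constructed sample of `ls -Z /home` in the 2009-era column layout:
# mode owner group context name
LS_Z_HOME_SAMPLE='drwxr-xr-x harry harry user_u:object_r:user_home_dir_t:s0-s15:c0.c255 harry
drwxr-xr-x alice alice user_u:object_r:user_home_dir_t:s0 alice'

# seuser_for_login LOGIN [SEMANAGE_OUTPUT]
# Prints the SELinux user mapped to LOGIN, falling back to the __default__
# entry when the login has no explicit mapping (as login and sshd do).
seuser_for_login() {
    login=$1
    table=${2:-$SEMANAGE_LOGIN_SAMPLE}
    mapped=$(printf '%s\n' "$table" | awk -v l="$login" 'NR > 1 && $1 == l { print $2 }')
    if [ -z "$mapped" ]; then
        mapped=$(printf '%s\n' "$table" | awk 'NR > 1 && $1 == "__default__" { print $2 }')
    fi
    printf '%s\n' "$mapped"
}

# home_label_mismatches [LS_OUTPUT] [SEMANAGE_OUTPUT]
# Prints one line "login expected_seuser actual_seuser" for every home
# directory whose SELinux user (first field of user:role:type:range)
# differs from the login mapping; prints nothing when all labels agree.
home_label_mismatches() {
    listing=${1:-$LS_Z_HOME_SAMPLE}
    table=${2:-$SEMANAGE_LOGIN_SAMPLE}
    printf '%s\n' "$listing" | while read -r mode owner group ctx name; do
        [ -n "$name" ] || continue
        actual=${ctx%%:*}
        expected=$(seuser_for_login "$owner" "$table")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$owner" "$expected" "$actual"
        fi
    done
}

# Stand-alone run on the constructed samples. On a real host call
#   home_label_mismatches "$(ls -Z /home)" "$(semanage login -l)"
home_label_mismatches
```

On the post's data this prints `harry staff_u user_u`. When correcting such a directory, note that `restorecon` by default resets only the type portion of a context; `restorecon -F` is needed to reset the user and role portions as well, and `matchpathcon /home/harry` shows what the loaded file contexts actually expect for that path before you relabel.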