|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
I'm in the process of writing a simple policy from scratch. Everything works as expected, except for logins. I have a user named tfm on my system. /etc/selinux/mypolicy/seusers looks like: tfm:tfm_u root:system_u In my policy I have a user tfm_u with roles tfm_r. tfm_r has several types, for example xserver_tfm_t. I also have a user system_u with role unconfined_r and type unconfined_t. Using runcon I can transition from system_u:unconfined_r:unconfined_t to tfm_u:tfm_r:xserver_tfm_t. I figured I have to tell the login programs which context to choose per default. My login programs run as system_u:unconfined_r:unconfined_t, so I added to /etc/selinux/mypolicy/contexts/default_contexts the line unconfined_r:unconfined_t tfm_r:xserver_tfm_t I also have in /etc/selinux/mypolicy/contexts/default_type unconfined_r:unconfined_t tfm_r:xserver_tfm_t I can login as root and have context system_u:unconfined_r:unconfined_t. I cannot login as tfm, because: pam_selinux(login:session): Unable to get valid context for tfm Apparently I am missing something, just can't find what. In general I find it difficult to find comprehensive documentation about the userland tools' interaction with the policy conifguration. On top of that error messages are often uninformative. (Random example: when the file /etc/selinux/mypolicy/contexts/files/file_contexts is missing, useradd without any output exits with return code 12. Which says 'cannot create homedir' but contains no clue about the reason for the failure.) So any hint on the above problem or hints on good places I could read up on the topic would be highly appreciated!
Description: Digital signature
[Fedora Users] [Fedora Legacy] [Fedora Desktop] [Yosemite Photos] [Yosemite News] [Yosemite Campsites] [KDE Users] [Gnome Users]