Michael C Thompson wrote:
Chad Hanson wrote:
I think it is related to auditadm_r. If you just change the auditadm role,
you cannot change to levels from SystemLow to SystemHigh either.
Yes, you seem to be right. I can do the SystemHigh -> SystemLow
transition with sysadm_r and secadm_r...
Still, the question stands should auditadm_r be able to do the
High->Low change?
And the error message is still horribly wrong, and should be filed as
a bug I guess...
The problem is that auditadm is not allowed to run unix_chkpwd so you
are failing to verify the passwd, so you are getting the invalid
password error.
There is a bug in policy, that I will fix right away.
-Chad
-----Original Message-----
From: Michael C Thompson [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 12, 2006 12:42 PM
To: [email protected]
Subject: [redhat-lspp] newrole SystemHigh -> newrole SystemLow -- permitted?
Hey all,
Currently, I can't seem to be able to transition to SystemHigh then
from the SystemHigh shell, transition to SystemLow again.
I have done the following:
newrole -r auditadm_r -l SystemHigh
<password>
<new shell>
newrole -l SystemLow
<password>
Error: incorrect password for root
The password used is indeed the correct password. Regardless of this
being an error in the policy, this sounds like a bug for the
reporting of the reason for denial. I imagine it should say
something about an invalid context change, if indeed that is what is
happening.
Is the policy supposed to permit an elevation of privileges (in
terms of MLS), and then from that elevated shell, spawn a new lesser
privileged shell?
Mike
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
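
An added triage example, not part of the original thread: it pairs a failed newrole authentication with an AVC denial on unix_chkpwd logged at about the same time, which is the case the thread describes where "incorrect password" really means a policy denial. The log lines, type names, levels and function names are constructed assumptions, not taken from the posters' systems.

```python
import re

# Constructed audit.log lines (not from the thread); ids, types and levels are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1147452120.101:41): avc:  denied  { execute } for  pid=2301 comm="newrole" name="unix_chkpwd" dev=dm-0 ino=98231 scontext=root:auditadm_r:auditadm_t:s15:c0.c255 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=USER_AUTH msg=audit(1147452120.140:42): user pid=2301 uid=0 auid=0 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" res=failed'
type=AVC msg=audit(1147452188.554:57): avc:  denied  { read } for  pid=2410 comm="cat" name="shadow" dev=dm-0 ino=77120 scontext=root:staff_r:staff_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AUTH msg=audit(1147452300.010:63): user pid=2522 uid=0 auid=0 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" res=failed'
"""

STAMP_RE = re.compile(r"msg=audit\((\d+\.\d+):\d+\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for anything else."""
    stamp, avc = STAMP_RE.search(line), AVC_RE.search(line)
    if not (stamp and avc):
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(avc.group(2))}
    user, role, type_, *level = rec["scontext"].split(":", 3)
    rec.update(time=float(stamp.group(1)), perms=avc.group(1).split(),
               role=role, domain=type_, level=level[0] if level else "")
    return rec

def auth_failures(log):
    """Timestamps of failed PAM authentications reported by newrole."""
    return [float(m.group(1)) for l in log.splitlines()
            if "type=USER_AUTH" in l and "newrole" in l and "res=failed" in l
            and (m := STAMP_RE.search(l))]

def explain_failures(log, window=2.0):
    """Pair each failed newrole authentication with unix_chkpwd denials near it."""
    denials = [r for r in map(parse_avc, log.splitlines())
               if r and r.get("name") == "unix_chkpwd"]
    report = []
    for t in auth_failures(log):
        near = [d for d in denials if abs(d["time"] - t) <= window]
        # A denial on the password helper means the password was never checked.
        report.append({"time": t,
                       "cause": "policy denial" if near else "password",
                       "roles": sorted({d["role"] for d in near})})
    return report

if __name__ == "__main__":
    for row in explain_failures(SAMPLE_LOG):
        print(row)
```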