Linda Knippers wrote:
When a regular user logs in to a system installed using our kickstart
scripts, the user gets this error:
-bash: /sbin/consoletype: Permission denied
This is because /etc/profile wants to run /etc/profile.d/lang.sh (in my
case) and lang.sh runs /sbin/consoletype.
Our kickstart script changes the mode on /sbin/consoletype to 0500 because
it's one of the files that has "MLS overrides or other *_exec_t special
privileges".
I looked at the mls policy and it does have mls_file_read_up and
mls_file_write_down but it's not clear to me why. Perhaps Dan or
Chad can explain?
If the policy stays this way then I think we need to update the scripts
in profile.d to check for execute permission before running the command,
but I also wonder who else might be calling this program and could be
broken.
-- ljk

I think this is a mistake. consoletype should be able to be run by a
user in an unpriv manner.
Normal users do not transition to consoletype_t when they run it. Only
init scripts do. So being able to run consoletype should be allowed by
dac. Hostname, rpm and other tools have additional privs but when a
normal user runs them they do not transition.
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
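
The breakage discussed in this thread (a login script calling a binary whose mode was tightened to 0500) can be caught before users log in. The following is an added example, not code from the thread or from the kickstart scripts: it scans profile.d scripts for absolute command paths and reports any that exist but lack the other-execute bit. The function name, the optional install-root argument and the path-matching heuristic are assumptions, and only DAC mode bits are checked, not SELinux policy.

```shell
#!/bin/sh
# Added example: find commands referenced by login scripts that ordinary
# users cannot execute under DAC (e.g. after a hardening chmod to 0500).
#
# Usage: check_profile_cmds [DIR] [ROOT]
#   DIR  - directory of profile scripts (default: ROOT/etc/profile.d)
#   ROOT - hypothetical install-root prefix, e.g. a staged image (default: none)
# Returns 0 if every referenced command is world-executable, 1 otherwise.
check_profile_cmds() {
    root=${2:-}
    dir=${1:-$root/etc/profile.d}
    rc=0
    for script in "$dir"/*.sh; do
        [ -r "$script" ] || continue
        # Heuristic: tokens that look like /bin/x, /sbin/x, /usr/bin/x or
        # /usr/sbin/x, ignoring whole-line comments.
        for cmd in $(grep -v '^[[:space:]]*#' "$script" |
                     grep -oE '/(usr/)?s?bin/[A-Za-z0-9._-]+' | sort -u); do
            # Skip paths that do not exist in this tree.
            [ -e "$root$cmd" ] || continue
            # find prints the path only if the other-execute bit (0001) is
            # set; this gives the same answer whether or not we run as root.
            if [ -z "$(find -L "$root$cmd" -prune -perm -0001)" ]; then
                echo "$script: $cmd lacks other-execute permission"
                rc=1
            fi
        done
    done
    return "$rc"
}
```

Run it at the end of the install step that changes file modes; a non-zero return means some login script will fail for unprivileged users.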