I added staff_devpts_t and sysadm_devpts_t to /etc/selinux/mls/contexts/securetty_types and even rebooted but still am getting the same error.

Ted


Klaus Weidner wrote:
That's a usage we hadn't really considered since the configurations we're
going for don't include a local X desktop. The same thing applies though;
check what the type of the terminal device is that you're running on, and
add that to the /etc/selinux/mls/contexts/securetty_types file:

        ls -Z `tty`

I've added staff_devpts_t to the existing file contents to test this. If
that file doesn't exist yet, get a newer policy from
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ or use the
following contents:

        sysadm_tty_device_t
        user_tty_device_t
        staff_tty_device_t
        auditadm_tty_device_t
        secureadm_tty_device_t

-Klaus

On Mon, Jan 15, 2007 at 08:11:38PM -0600, Ted X Toth wrote:
Linda,
No, I haven't ssh'd; I'm running newrole from an xterm running locally.

Ted

Linda Knippers wrote:
Xavier Toth wrote:
I'm running the lspp 62 kernel and have installed
policycoreutils-newrole-1.33.12-1.el5, selinux-policy-mls-2.4.6-27.el5
and several other rpms they require, all of which came from Dan Walsh's
page. Now when I run newrole I get:
Error: you are not allowed to change levels on a non secure terminal

Can anyone help me understand what the problem is and how I can fix it?

I assume you've ssh'd into the system rather than logging on
at the console?

This is new behavior in newrole to address bugzilla 200110.
It prohibits level changes on ptys because there are no
controls on the flow of information between the pty master
and slave and using newrole to change levels leaves the
slave and master at different levels.

It's discussed in this thread:
https://www.redhat.com/archives/redhat-lspp/2007-January/msg00004.html

If you don't want this behavior I think you can modify
/etc/selinux/mls/contexts/securetty_contexts and
add the pty selinux type, at least that's how I understand
the mail thread.  Haven't tried that myself though.

-- ljk

Thanks
Ted

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
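
The check described in the thread (find the terminal device's SELinux type, then confirm it is in securetty_types), as an added example that is not part of the original messages. It assumes the file holds one type per line and that matching is exact; the helper names, sample contexts and temporary file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a terminal's SELinux type
# is listed in a securetty_types file (assumed format: one type per line).

# Print the type (third field) of a context such as
# "staff_u:object_r:staff_devpts_t:s0-s15:c0.c1023". Only the third
# colon-separated field is taken, so colons inside the MLS range are harmless.
# -s drops input with no colon at all (for example "not a tty").
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Succeed if type $1 is a whole line of file $2, ignoring surrounding blanks.
# Whole-line matching keeps devpts_t from matching staff_devpts_t.
type_is_listed() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$2" | grep -Fxq -- "$1"
}

# Print "listed <type>", "unlisted <type>" or "unparsable" for context $1.
check_tty_context() {
    t=$(context_type "$1")
    if [ -z "$t" ]; then
        echo "unparsable"
    elif type_is_listed "$t" "$2"; then
        echo "listed $t"
    else
        echo "unlisted $t"
    fi
}

# Constructed sample: the file contents quoted in the thread plus
# staff_devpts_t, with stray whitespace on the added line.
sample=$(mktemp)
printf '%s\n' sysadm_tty_device_t user_tty_device_t staff_tty_device_t \
    auditadm_tty_device_t secureadm_tty_device_t '  staff_devpts_t ' > "$sample"

# Constructed contexts. On a live system, pass the real context instead:
#   check_tty_context "$(stat -c %C "$(tty)")" \
#       /etc/selinux/mls/contexts/securetty_types
check_tty_context 'staff_u:object_r:staff_devpts_t:s0-s15:c0.c1023' "$sample"
check_tty_context 'staff_u:object_r:devpts_t:s0' "$sample"
rm -f "$sample"
```

An "unlisted" result names the type that would have to appear in the file for the terminal the command is run from.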