selinux January 2010 archive
Main Archive Page > Month Archives  > selinux archives
selinux: RE: Security Context Type Changes

RE: Security Context Type Changes

From: Tomas, Gregg A (IS) <Gregg.Tomas_at_nospam>
Date: Wed Jan 20 2010 - 16:50:58 GMT
To: "Stephen Smalley" <sds@tycho.nsa.gov>


Stephen,

That is correct, we are not executing anything that would set up a user context. Nothing in our code or our policy would change the context. In RHEL4, root and any other users have a security context type of unconfined_t so we would it expect it to be the same on RHEL5 but they are init_t. Perhaps, something changed with RHEL5 release that I need to research.

Thanks,

Gregg

-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov] Sent: Tuesday, January 19, 2010 1:27 PM
To: Tomas, Gregg A (IS)
Cc: selinux@tycho.nsa.gov
Subject: RE: Security Context Type Changes

On Tue, 2010-01-19 at 15:15 -0600, Tomas, Gregg A (IS) wrote:
> Stephen,
>
> I apologize for my lack promptness, I have been in and out of the
> office. We are in the middle of transitioning from RHEL4 to RHEL5 so
> some of the links maybe off. Anyhow, here is our run_xstart.bash
script:
>



> ========================

<snip>
> # Start window manager for primary display #
> exec /usr/bin/fvwm -display $DISPLAY1 \
> -cmd "Read /h/ProjectX/config_values/system.fvwmrc"
>
>


> ===============

So why would you expect that to transition out of init_t? Unless you've specifically labeled /usr/bin/fvwm with an entrypoint type and defined a type transition on it, you'll just continue in init_t.

You aren't executing anything that would set up a user context, e.g. gdm or friends.   -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.