the security context for the normal login shell is incorrect

Bug #192983 reported by Florin Iucha
Affects: refpolicy (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have installed an Ubuntu server using the latest snapshot (2008-02-17) and added the ubuntu-hardened archive. Upon reboot and re-labeling, SELinux is enabled, but the security context for the login shell is wrong:

unconfined_u:unconfined_r:update_modules_t florin 21806 0.0 0.0 19332 2224 pts/2 Ss 11:21 0:00 -bash
unconfined_u:unconfined_r:update_modules_t florin 22077 0.0 0.0 15064 1080 pts/2 R+ 11:21 0:00 ps auxZ
unconfined_u:unconfined_r:update_modules_t florin 22079 0.0 0.0 5164 848 pts/2 S+ 11:21 0:00 grep florin

Here is the context from a CentOS 5.1 session:

user_u:system_r:unconfined_t florin 6737 0.0 0.0 4504 1432 pts/0 Ss 09:58 0:00 -bash
user_u:system_r:unconfined_t florin 7042 0.0 0.0 4632 1460 pts/4 Ss 11:10 0:00 /bin/bash
user_u:system_r:unconfined_t florin 7377 0.0 0.0 4600 1020 pts/7 R+ 12:33 0:00 ps auxZ
user_u:system_r:unconfined_t florin 7378 0.0 0.0 3896 660 pts/7 S+ 12:33 0:00 grep florin

Caleb Case (calebcase) wrote :

I wasn't able to verify this bug. Can you verify that it exists with the newest package?

Florin Iucha (florin-iucha) wrote :

The system is up-to-date as of this morning.

florin@gaia $ ps xZ
LABEL PID TTY STAT TIME COMMAND
unconfined_u:unconfined_r:update_modules_t 21057 ? S 0:00 sshd: florin@pts/0
unconfined_u:unconfined_r:update_modules_t 21059 pts/0 Ss 0:00 -bash
unconfined_u:unconfined_r:update_modules_t 21946 ? S 0:00 sshd: florin@pts/1
unconfined_u:unconfined_r:update_modules_t 21947 pts/1 Ss+ 0:00 -bash
unconfined_u:unconfined_r:update_modules_t 23156 ? R 0:00 sshd: florin@pts/2
unconfined_u:unconfined_r:update_modules_t 23157 pts/2 Ss 0:00 -bash
unconfined_u:unconfined_r:update_modules_t 23168 pts/2 R+ 0:00 ps xZ
florin@gaia $ id -Z
unconfined_u:unconfined_r:update_modules_t
florin@gaia $ ls -lZ /home/ | grep florin
drwx------+ 122 florin florin unconfined_u:object_r:unconfined_home_dir_t 8192 2008-03-26 08:57 florin
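
Added example, not part of the original bug report or of refpolicy: a shell function that reads `ps xZ` output in the layout shown above and reports login shells whose SELinux type is not the expected one. The `unconfined_t` default is an assumption taken from the CentOS output in the report; the function names and the last sample line are constructed.

```shell
#!/bin/sh
# Added example: flag login shells whose SELinux type is not the expected one.
# Reads `ps xZ` lines (LABEL PID TTY STAT TIME COMMAND) on stdin.

check_login_shell_domains() {
    # $1 = expected type; the unconfined_t default is an assumption taken
    # from the CentOS output quoted in the report.
    expected_type="${1:-unconfined_t}"
    awk -v want="$expected_type" '
        $1 == "LABEL" { next }                 # header row
        {
            # Context is user:role:type[:mls-level]; the type is field 3.
            if (split($1, ctx, ":") < 3) next  # no SELinux label on this line
            # A login shell has argv[0] starting with "-", e.g. -bash.
            if ($6 !~ /^-[a-z]*sh$/) next
            if (ctx[3] != want) {
                printf "MISMATCH pid=%s tty=%s cmd=%s type=%s expected=%s\n",
                       $2, $3, $6, ctx[3], want
                bad++
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    '
}

# Sample input: the first lines are from the report; the last one is constructed.
sample_ps_output() {
    cat <<'EOF'
LABEL PID TTY STAT TIME COMMAND
unconfined_u:unconfined_r:update_modules_t 21057 ? S 0:00 sshd: florin@pts/0
unconfined_u:unconfined_r:update_modules_t 21059 pts/0 Ss 0:00 -bash
unconfined_u:unconfined_r:update_modules_t 21947 pts/1 Ss+ 0:00 -bash
unconfined_u:unconfined_r:update_modules_t 23157 pts/2 Ss 0:00 -bash
unconfined_u:unconfined_r:update_modules_t 23168 pts/2 R+ 0:00 ps xZ
user_u:system_r:unconfined_t 6737 pts/3 Ss 0:00 -bash
EOF
}

# On a live system: ps xZ | check_login_shell_domains unconfined_t
```

The function exits non-zero when at least one login shell is in an unexpected type, so it can gate a post-relabel check.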

Caleb Case (calebcase) wrote : Re: [Bug 192983] Re: the security context for the normal login shell is incorrect

On Wed, Mar 26, 2008 at 3:55 PM, Florin Iucha <email address hidden> wrote:
> The system is up-to-date as of this morning.

Are you using the packages from the hardened ppa? These packages would
be out of date with the packages in the main hardy repo.


Florin Iucha (florin-iucha) wrote :

Yes, I am using the packages from the ppa. Let me try with the packages from the main hardy repository.

Florin Iucha (florin-iucha) wrote :

How can I 'downgrade' from the ppa archive to the main repo? I have commented out the ppa entry in /etc/apt/sources.list, then ran "apt-get update; apt-get upgrade" but nothing new came out. How can I purge the ppa from the apt cache?

Caleb Case (calebcase) wrote :

I believe that 'apt-get autoclean' will do it.

Laurent Bigonville (bigon) wrote :

This should have been fixed for a long time now

Changed in refpolicy (Ubuntu):
status: New → Fix Released