system_u process does not have system_r

dE de.techno at gmail.com
Sat May 24 03:23:45 UTC 2014


On 05/23/14 23:36, Daniel J Walsh wrote:
> You are not allowed to login as a system_u:system_r..., so the code 
> tries to pick out something random.
> On 05/23/2014 11:48 AM, dE wrote:
>> I've mapped user 'de' to system_u --
>>
>> semanage login -l
>>
>> Login Name           SELinux User         MLS/MCS Range Service
>>
>> __default__          unconfined_u         s0-s0:c0.c1023 *
>> de                   system_u             s0-s0:c0.c1023 *
>> root                 unconfined_u         s0-s0:c0.c1023 *
>> system_u             system_u             s0-s0:c0.c1023 *
>>
>> However the processes do not have the system_r role; as a result the type 
>> value of many contexts fails to set, because unconfined_r is not allowed 
>> to have that type.
>>
>> ps auxZ | grep nano
>> system_u:unconfined_r:unconfined_t:s0 de   544  0.0  0.3 115024 1568 
>> pts/1    S+   22:11   0:00 nano
>> system_u:unconfined_r:unconfined_t:s0 root 611  0.0  0.1 112632 888 
>> pts/0    S+   22:14   0:00 grep --color=auto nano
>>
>> Actually unconfined_r role is not allowed for the user --
>>
>> seinfo -uuser_u -x
>>    user_u
>>       default level: s0
>>       range: s0
>>       roles:
>>          object_r
>>          user_r
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

You mean system_r cannot be assigned with login.

So it should work with systemd services. I'll try this out.
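As an added check, not code from the thread: a Python audit that parses the two command outputs in the formats shown above and reports which roles a login session can actually land in, given that object_r and system_r are never login roles. The sample data is constructed; system_u's role list is assumed from the ps output in the thread, and svc_u is a hypothetical daemon-only user.

```python
# Constructed sample in the `semanage login -l` format shown in the thread.
SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range        Service

de                   system_u             s0-s0:c0.c1023       *
svc                  svc_u                s0                   *
"""

# Constructed sample in the `seinfo -u -x` format shown in the thread. The
# role lists are assumed: system_u's is chosen to match the ps output above
# (the session ran as unconfined_r); svc_u is a made-up daemon-only user.
SEINFO_USERS = """\
   system_u
      default level: s0
      roles:
         object_r
         system_r
         unconfined_r
   svc_u
      default level: s0
      roles:
         object_r
         system_r
"""

# object_r only labels objects; system_r is reserved for init and daemons.
NON_LOGIN_ROLES = {"object_r", "system_r"}


def parse_login_map(text):
    # Linux login name -> SELinux user; the first line is the header row.
    rows = [ln.split() for ln in text.splitlines()[1:]]
    return {r[0]: r[1] for r in rows if len(r) >= 2}


def parse_seinfo_users(text):
    # SELinux user -> set of roles; user names are indented 3, roles 9.
    users, current = {}, None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if indent == 3:
            current = line.strip()
            users[current] = set()
        elif indent == 9 and current is not None:
            users[current].add(line.strip())
    return users


def session_roles(login_text=SEMANAGE_LOGIN, seinfo_text=SEINFO_USERS):
    # Roles a login session can actually land in; an empty set means the
    # mapping cannot produce a usable session context at all.
    roles = parse_seinfo_users(seinfo_text)
    return {login: roles.get(seuser, set()) - NON_LOGIN_ROLES
            for login, seuser in parse_login_map(login_text).items()}
```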