<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 05/23/14 23:36, Daniel J Walsh
      wrote:<br>
    </div>
    <blockquote cite="mid:537F8E11.3080106@redhat.com" type="cite">
      You are not allowed to log in as a system_u:system_r..., so the
      code tries to pick out something random.  <br>
      <div class="moz-cite-prefix">On 05/23/2014 11:48 AM, dE wrote:<br>
      </div>
      <blockquote cite="mid:537F6DBB.4000304@gmail.com" type="cite">
        <div class="moz-text-flowed" style="font-family: -moz-fixed;
          font-size: 12px;" lang="x-western">I've mapped user 'de' to
          system_u -- <br>
          <br>
          semanage login -l <br>
          <br>
          Login Name           SELinux User         MLS/MCS Range
          Service <br>
          <br>
          __default__          unconfined_u         s0-s0:c0.c1023      
          * <br>
          de                   system_u             s0-s0:c0.c1023      
          * <br>
          root                 unconfined_u         s0-s0:c0.c1023      
          * <br>
          system_u             system_u             s0-s0:c0.c1023      
          * <br>
          <br>
          However, the processes do not have the system_r role; as a
          result, the type value of many contexts fails to set because
          unconfined_r is not allowed to have that type. <br>
          <br>
          ps auxZ | grep nano <br>
          system_u:unconfined_r:unconfined_t:s0 de   544  0.0  0.3
          115024 1568 pts/1    S+   22:11   0:00 nano <br>
          system_u:unconfined_r:unconfined_t:s0 root 611  0.0  0.1
          112632 888 pts/0    S+   22:14   0:00 grep --color=auto nano <br>
          <br>
          Actually unconfined_r role is not allowed for the user -- <br>
          <br>
          seinfo -uuser_u -x <br>
             user_u <br>
                default level: s0 <br>
                range: s0 <br>
                roles: <br>
                   object_r <br>
                   user_r <br>
        </div>
        <br>
        <br>
        <pre wrap="">--
selinux mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
      </blockquote>
      <br>
    </blockquote>
    <br>
    You mean system_r cannot be assigned with login.<br>
    <br>
    So it should work with systemd services. I'll try this out.<br>
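    <br>
    An added example, not part of the original messages: a Python check that parses the `semanage login -l` and `ps auxZ` output quoted above and reports logins mapped to system_u together with the role each session actually received. The function names are illustrative, and the sample text is copied from the thread.<br>

```python
# Sample text copied from the thread above; a real audit would read the live
# output of `semanage login -l` and `ps auxZ` instead.
SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
de                   system_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
"""
PS_AUXZ = """\
system_u:unconfined_r:unconfined_t:s0 de   544  0.0  0.3 115024 1568 pts/1    S+   22:11   0:00 nano
system_u:unconfined_r:unconfined_t:s0 root 611  0.0  0.1 112632 888 pts/0    S+   22:14   0:00 grep --color=auto nano
"""

def parse_login_map(text):
    """Return {login name: SELinux user} from `semanage login -l` output."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:  # data rows only; the header splits into 6 words
            mapping[fields[0]] = fields[1]
    return mapping

def parse_process_contexts(text):
    """Yield (linux_user, pid, selinux_user, role) for each `ps auxZ` row."""
    for line in text.splitlines():
        fields = line.split()
        # A context label has at least user:role:type:level.
        if len(fields) >= 3 and fields[0].count(":") >= 3:
            se_user, role = fields[0].split(":")[:2]
            yield fields[1], int(fields[2]), se_user, role

def audit(login_text, ps_text):
    """Report system_u login mappings and the context sessions really got."""
    logins = parse_login_map(login_text)
    findings = []
    for name, se_user in logins.items():
        if se_user == "system_u" and name != "system_u":
            findings.append(f"login '{name}' is mapped to system_u")
    for user, pid, se_user, role in parse_process_contexts(ps_text):
        expected = logins.get(user, logins.get("__default__"))
        if se_user != expected:
            findings.append(f"pid {pid} ({user}): runs as {se_user}, mapping says {expected}")
        if se_user == "system_u" and role != "system_r":
            findings.append(f"pid {pid} ({user}): system_u session got role {role}, not system_r")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SEMANAGE_LOGIN, PS_AUXZ)))
```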
  </body>
</html>