<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/23/14 23:36, Daniel J Walsh
wrote:<br>
</div>
<blockquote cite="mid:537F8E11.3080106@redhat.com" type="cite">
You are not allowed to log in as a system_u:system_r..., so the
code tries to pick out something random. <br>
<div class="moz-cite-prefix">On 05/23/2014 11:48 AM, dE wrote:<br>
</div>
<blockquote cite="mid:537F6DBB.4000304@gmail.com" type="cite">
<div class="moz-text-flowed" style="font-family: -moz-fixed;
font-size: 12px;" lang="x-western">I've mapped user 'de' to
system_u -- <br>
<br>
semanage login -l <br>
<br>
<pre wrap="">Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
de                   system_u             s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *</pre>
<br>
However, the processes do not have the system_r role; as a result,
the type value of many contexts fails to set because unconfined_r
is not allowed to have that type. <br>
<br>
ps auxZ | grep nano <br>
system_u:unconfined_r:unconfined_t:s0 de 544 0.0 0.3 115024 1568 pts/1 S+ 22:11 0:00 nano <br>
system_u:unconfined_r:unconfined_t:s0 root 611 0.0 0.1 112632 888 pts/0 S+ 22:14 0:00 grep --color=auto nano <br>
<br>
Actually, the unconfined_r role is not allowed for the user -- <br>
<br>
seinfo -uuser_u -x <br>
user_u <br>
default level: s0 <br>
range: s0 <br>
roles: <br>
object_r <br>
user_r <br>
</div>
<br>
<pre wrap="">--
selinux mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:selinux@lists.fedoraproject.org">selinux@lists.fedoraproject.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/selinux">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
</blockquote>
<br>
You mean system_r cannot be assigned with login.<br>
<br>
So it should work with systemd services. I'll try this out.<br>
</body>
</html>