I've mapped user 'de' to system_u --
semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 * de system_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 *
However the processes do not have system_r role, as a result the type value of many context fail to set cause unconfined_r is not allowed to have that type.
ps auxZ | grep nano system_u:unconfined_r:unconfined_t:s0 de 544 0.0 0.3 115024 1568 pts/1 S+ 22:11 0:00 nano system_u:unconfined_r:unconfined_t:s0 root 611 0.0 0.1 112632 888 pts/0 S+ 22:14 0:00 grep --color=auto nano
Actually unconfined_r role is not allowed for the user --
seinfo -uuser_u -x user_u default level: s0 range: s0 roles: object_r user_r
You are not allowed to login as a system_u:system_r..., so the code tries to pick out something random. On 05/23/2014 11:48 AM, dE wrote:
I've mapped user 'de' to system_u --
semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 * de system_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 *
However the processes do not have system_r role, as a result the type value of many context fail to set cause unconfined_r is not allowed to have that type.
ps auxZ | grep nano system_u:unconfined_r:unconfined_t:s0 de 544 0.0 0.3 115024 1568 pts/1 S+ 22:11 0:00 nano system_u:unconfined_r:unconfined_t:s0 root 611 0.0 0.1 112632 888 pts/0 S+ 22:14 0:00 grep --color=auto nano
Actually unconfined_r role is not allowed for the user --
seinfo -uuser_u -x user_u default level: s0 range: s0 roles: object_r user_r
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 05/23/14 23:36, Daniel J Walsh wrote:
You are not allowed to login as a system_u:system_r..., so the code tries to pick out something random. On 05/23/2014 11:48 AM, dE wrote:
I've mapped user 'de' to system_u --
semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 * de system_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 *
However the processes do not have system_r role, as a result the type value of many context fail to set cause unconfined_r is not allowed to have that type.
ps auxZ | grep nano system_u:unconfined_r:unconfined_t:s0 de 544 0.0 0.3 115024 1568 pts/1 S+ 22:11 0:00 nano system_u:unconfined_r:unconfined_t:s0 root 611 0.0 0.1 112632 888 pts/0 S+ 22:14 0:00 grep --color=auto nano
Actually unconfined_r role is not allowed for the user --
seinfo -uuser_u -x user_u default level: s0 range: s0 roles: object_r user_r
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
You mean system_r cannot be assigned with login.
So it should work with systemd services. I'll try this out.
selinux@lists.fedoraproject.org