Re: I cannot change my shell context


 



First off, sysadm_r:sysadm_t is only used by people trying to run in a strict policy mode.  Most people use targeted and log in as unconfined_t.  If your system has you logging in as something other than unconfined_t then you might have a bug in your configuration.

When using SELinux, you usually do not change your "context" manually.  You usually write transition rules.  A transition rule says something like: when the unconfined_t domain executes a file labeled firefox_exec_t, it will transition to firefox_t.

So the user does not need to do something like runcon -t firefox_t /usr/bin/firefox.

If you are using commands like runcon to change the context of applications, there are rules in policy that govern what labels you can transition to, and what roles you can change to.

If you are running as unconfined_r, and you try to run an app with a role of sysadm_r, this might get denied.

Finally, only certain types can be assigned to a process; you are not allowed to assign a file type to a process.  So something like

runcon -t firefox_exec_t /usr/bin/firefox

would be rejected, since firefox_exec_t is a file type, not a process type.
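
The transition described above, written out as a policy module. This is an added example, not part of the original message or of any shipped policy; the module name is made up, firefox_t and firefox_exec_t follow the message's naming and are declared here as hypothetical types, and a usable domain would need many more rules than these.

```selinux
module firefox_example 1.0;

require {
    type unconfined_t;
    role unconfined_r;
    attribute domain;      # types that may label a process
    attribute file_type;   # types that may label a file
    attribute exec_type;   # file types used as domain entry points
    class process transition;
    class file { getattr open read execute entrypoint };
}

# Hypothetical process type: it carries the domain attribute.
type firefox_t;
typeattribute firefox_t domain;

# Hypothetical file type for the executable: it is not a domain,
# so no rule below lets a process run with this label.
type firefox_exec_t;
typeattribute firefox_exec_t file_type, exec_type;

# The transition rule: when unconfined_t executes a file labeled
# firefox_exec_t, the new process is labeled firefox_t by default.
type_transition unconfined_t firefox_exec_t:process firefox_t;

# The default alone grants nothing; these three permissions must
# also be allowed or the exec is denied.
allow unconfined_t firefox_exec_t:file { getattr open read execute };
allow firefox_t firefox_exec_t:file entrypoint;
allow unconfined_t firefox_t:process transition;

# The role in the context must be authorized for the new type;
# this is the role check that also applies to runcon -r / -t.
role unconfined_r types firefox_t;
```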

