>> In my policy definitions I am defining a new user diags_u, type
>> diags_t and role diags_r, essentially following statements in
>> policy.conf (through macros etc)
>>
>> type diags_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
>> role diags_r types diags_t;
>> user diags_u roles { diags_r };
>>
>> Is that sufficient? fwiw, I have been able to transition to
>> diags_u:diags_r:diags_t context using the newrole command, when using
>> policy that contains above statements.
>
> And it works in enforcing? I would expect it to fail if you don't have
> a role allow:
>
> allow system_r diags_r;
>

I had that statement in my policy, sorry I didn't include it in the original email.
I can transition to diags_u:diags_r:diags_t context via newrole, although
when using pam_selinux to login as user diags the initial context that is set is
diags_u:system_r:initrc_t

Looks like my $P/contexts/default_context or $P/contexts/users/diag_u file is
wrong (?)

Thanks.
/Sam
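As an added illustration (not taken from Sam's policy or from the list archive), here are the pieces the thread touches side by side: the policy statements quoted above together with the role allow, and a per-user contexts file of the kind pam_selinux consults before falling back to default_contexts. The file format follows the example policy's default_contexts: the first field is the role:type of the login program, the remaining fields are candidate contexts tried in order, and the first one whose role the user is permitted to take wins. The login domains local_login_t and sshd_t are assumed to be the ones used by the policy in question.

```text
# policy.conf fragment: the three statements from the thread plus the role allow
# (without the role allow, newrole from system_r into diags_r is denied in enforcing mode)
type diags_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
role diags_r types diags_t;
user diags_u roles { diags_r };
allow system_r diags_r;

# $P/contexts/users/diags_u  (assumed contents; file is named after the SELinux user,
# not the Linux login name, and takes precedence over $P/contexts/default_contexts)
# <login program role:type>   <candidate role:type contexts, tried in order>
system_r:local_login_t   diags_r:diags_t
system_r:sshd_t          diags_r:diags_t
```

If no line matches the login program's role:type, or none of the candidates names a role listed in the user statement, the login falls through to whatever default_contexts or the program's own fallback provides, which is the kind of mismatch the thread describes.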