On Fri, Jun 24, 2011 at 8:50 AM, c.r.madhusudhanan@xxxxxxxxx <c.r.madhusudhanan@xxxxxxxxx> wrote:
> [root@localhost utils]# ./getconlist user_u
> user_u:user_r:consoletype_t
> [root@localhost utils]# ./getconlist root
> root:sysadm_r:sysadm_t
>
> [root@localhost utils]# ./getseuser meego
> seuser: user_u, level (null)
> Context 0 user_u:user_r:consoletype_t
> [root@localhost utils]# ./getseuser root
> seuser: root, level (null)
> Context 0 root:sysadm_r:sysadm_t
> (I don't know but the getseuser didn't work until I changed the code
> if (argc != 2). )
>

My guess is it is picking up the context from the /etc/selinux/<context>/contexts/failsafe_context file. Does your failsafe_context file have the string system_r:unconfined_t in it? For experimental purposes, if you change it to system_r:initrc_t you will notice that your login session has a context of root:system_r:initrc_t

Now I don't know SELinux well enough to know if changing the failsafe_context file is the correct thing to do.

You could run getseuser through strace and see all the configuration files it examines. One thing you will notice is that the SELinux user libraries read & write various files in /selinux/, but I haven't found a description of how the interface for /selinux/XXX is supposed to work.

> On Fri, Jun 24, 2011 at 3:09 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>
>> On Fri, 2011-06-24 at 14:52 +0000, c.r.madhusudhanan@xxxxxxxxx wrote:
>> > attached for your reference.
>>
>> What do the libselinux/utils say, e.g.:
>> cd libselinux/utils
>> ./getconlist user_u system_u:system_r:local_login_t
>> ./getseuser root system_u:system_r:local_login_t
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>

-Sam
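
The strace suggestion above, as an added example that is not part of the original message: a shell filter that reduces strace output to the files under /etc/selinux/ and /selinux/ that the traced process opened, with the result of each open. The function name and the sample trace are constructed for illustration (the policy directory name `targeted` is an assumption); the sample is not output from the poster's system.

```shell
#!/bin/sh
# Added example: list the SELinux configuration files a traced process opened.
# Real use (getseuser arguments as quoted in the thread):
#   strace -f -e trace=open,openat ./getseuser root \
#       system_u:system_r:local_login_t 2>&1 | selinux_files_from_strace

# Hypothetical helper: reads strace output on stdin, prints "<result>\t<path>".
selinux_files_from_strace() {
    awk '
    /(open|openat)\(/ {
        # The first double-quoted string on the line is the path argument.
        if (match($0, /"[^"]*"/) == 0) next
        path = substr($0, RSTART + 1, RLENGTH - 2)
        # Keep only policy configuration (/etc/selinux/) and selinuxfs (/selinux/).
        if (path !~ /^\/(etc\/)?selinux\//) next
        # The syscall result follows the last " = "; skip unfinished calls.
        n = split($0, parts, " = ")
        if (n < 2) next
        split(parts[n], res, " ")
        # Failed opens return -1 followed by the errno name (e.g. ENOENT).
        status = (res[1] == "-1") ? res[2] : "OK"
        key = status "\t" path
        # Report each (result, path) pair once, in first-seen order.
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample trace, for illustration only.
SAMPLE_STRACE='open("/lib/libc.so.6", O_RDONLY) = 3
open("/etc/selinux/config", O_RDONLY) = 3
[pid  2101] open("/selinux/user", O_RDWR) = 4
open("/etc/selinux/targeted/contexts/users/root", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/selinux/targeted/contexts/default_contexts", O_RDONLY) = 3
open("/etc/selinux/targeted/contexts/failsafe_context", O_RDONLY) = 3
open("/etc/selinux/config", O_RDONLY) = 3'

printf '%s\n' "$SAMPLE_STRACE" | selinux_files_from_strace
```

A failsafe_context line marked OK in the output shows that the file was opened during the lookup, which is the condition the guess above depends on.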