Many thanks for your help. I am now able to get the correct user type (user_t).
The problem I had was in the kernel, which was wrongly configured to use policydb version 19.
When I changed the kernel config, I am able to login in the correct context.
Attached is the getconlist, getseuser for your reference, before and after the kernel changes.
PS: this works for login (local_login_t), and for uxlaunch, as you said, I am planning to have a policy transition.
Regards,
Madhu
On Fri, Jul 1, 2011 at 9:23 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Fri, 2011-06-24 at 15:50 +0000, c.r.madhusudhanan@xxxxxxxxx wrote:
> [root@localhost utils]# ./getconlist user_u
> user_u:user_r:consoletype_t
> [root@localhost utils]# ./getconlist root
> root:sysadm_r:sysadm_t
>
> [root@localhost utils]# ./getseuser meego
> seuser: user_u, level (null)
> Context 0 user_u:user_r:consoletype_t
> [root@localhost utils]# ./getseuser root
> seuser: root, level (null)
> Context 0 root:sysadm_r:sysadm_t
> (I don't know but the getseuser didn't work until I changed the code
> if (argc != 2). )

You aren't invoking them correctly - you need to pass the security
context of the login process as the second argument, as I showed.
For example, on Fedora, we have:
$ ./getconlist user_u system_u:system_r:local_login_t:s0
user_u:user_r:user_t:s0
$ ./getseuser root system_u:system_r:local_login_t:s0
$ ./getseuser root system_u:system_r:local_login_t:s0
seuser: unconfined_u, level s0-s0:c0.c1023
Context 0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Omit the :s0 if you don't have MLS enabled in your policy.
--
Stephen Smalley
National Security Agency
Wrong kernel option was:
-----------------------
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19

Before
------
[root@localhost utils]# ./getconlist root system_u:system_r:local_login_t
root:staff_r:chkpwd_t
root:staff_r:updpwd_t
root:sysadm_r:chkpwd_t
root:sysadm_r:updpwd_t
[root@localhost utils]# ./getconlist user_u system_u:system_r:local_login_t
user_u:user_r:chkpwd_t
user_u:user_r:updpwd_t
[root@localhost utils]# ./getseuser root system_u:system_r:local_login_t
seuser: root, level (null)
Context 0 root:staff_r:chkpwd_t
Context 1 root:staff_r:updpwd_t
Context 2 root:sysadm_r:chkpwd_t
Context 3 root:sysadm_r:updpwd_t
[root@localhost utils]# ./getseuser user_u system_u:system_r:local_login_t
seuser: user_u, level (null)
Context 0 user_u:user_r:chkpwd_t
Context 1 user_u:user_r:updpwd_t
[root@localhost utils]#

After
-----
[root@localhost utils]# ./getconlist root system_u:system_r:local_login_t
root:sysadm_r:sysadm_t
root:staff_r:staff_t
[root@localhost utils]# ./getconlist user_u system_u:system_r:local_login_t
user_u:user_r:user_t
[root@localhost utils]# ./getseuser root system_u:system_r:local_login_t
seuser: root, level (null)
Context 0 root:sysadm_r:sysadm_t
Context 1 root:staff_r:staff_t
[root@localhost utils]# ./getseuser user_u system_u:system_r:local_login_t
seuser: user_u, level (null)
Context 0 user_u:user_r:user_t
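
A check for the kernel misconfiguration reported in this thread, added here as an example and not code from the thread or from the SELinux project: it reads a kernel config for the two options shown above and compares the cap with the highest policy.N file name it is given. The function names, the policy.24 file name and the rule "cap lower than the installed policy version is a mismatch" are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag a kernel config whose SELinux policydb version cap is
# lower than the version suffix of the binary policy file on the system.

# Read kernel config text on stdin; print the cap value, or nothing when
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not enabled.
policydb_cap() {
    awk -F= '
        $1 == "CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX" && $2 == "y" { on = 1 }
        $1 == "CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE" { val = $2 }
        END { if (on && val != "") print val }
    '
}

# Print the highest N among the policy.N file names passed as arguments.
highest_policy_version() {
    best=
    for f in "$@"; do
        n=${f##*policy.}
        case $n in ''|*[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best=$n; fi
    done
    if [ -n "$best" ]; then echo "$best"; fi
}

# Usage: check_cap POLICY_FILE... < kernel-config
# Returns 0 if no cap or cap is high enough, 1 on mismatch, 2 if no policy.N.
check_cap() {
    cap=$(policydb_cap)
    want=$(highest_policy_version "$@")
    if [ -z "$cap" ]; then echo "OK: no policydb version cap set"; return 0; fi
    if [ -z "$want" ]; then echo "UNKNOWN: no policy.N file given"; return 2; fi
    if [ "$cap" -lt "$want" ]; then
        echo "MISMATCH: kernel cap $cap is lower than policy.$want"
        return 1
    fi
    echo "OK: kernel cap $cap covers policy.$want"
}

# Constructed sample input: the two options from the thread, and a
# hypothetical installed policy file named policy.24.
sample_cfg='CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19'
printf '%s\n' "$sample_cfg" | check_cap policy.24 || true
```

On a real system, feed it the running kernel's config and the policy files actually installed in place of the constructed sample.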