On 11/27/2014 03:14 PM, Sven Vermeulen wrote:
> On Thu, Nov 27, 2014 at 6:38 PM, Dominick Grift <dac.override@xxxxxxxxx> wrote:
>> On Thu, Nov 27, 2014 at 01:23:13PM +0100, Sven Vermeulen wrote:
>>>
>>> So in this case, object_r is assigned (during migration) to system_u,
>>> unconfined_u and user_u, but not to root, staff_u, sysadm_u and
>>> testrole_u.
>>>
>>> Those roles still work though. Is showing object_r in the "SELinux
>>> Roles" part cosmetic perhaps?
>>>
>>
>> Strange ... as far as I know object_r needs to be associated with everyone
>>
>> Is your output of seinfo -xu consistent with that of semanage user (as far as roles associated with identities is concerned)?
>
> It is not. seinfo -xu shows object_r to be associated with *all* roles
> (as you suggested) whereas the "semanage user -l" output shows it
> missing with a few of them.
>
> This is the only inconsistency though - the rest of the output does match.
>

First of all, sorry about the delayed response.

I agree that this inconsistency is a problem. It looks like the problem is in CIL. Dominick is right in that object_r is implicitly associated with all roles, but CIL sets a bit to make the user/object_r association, even though it is unnecessary. This appears to have caused the behavior change in some of the tools. We just need to special case object_r to not make the association and rely on the implied association existing.

This has been fixed in CIL [1] and will be part of the next release candidate.

- Steve

[1] https://github.com/SELinuxProject/cil/commit/08520e91db86bdbb8ce393afa35c1465bdc7f63b
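The comparison asked for in the thread can be scripted; the following is an added example, not part of the thread or of any SELinux project code. It parses `seinfo -xu` and `semanage user -l` output and reports a difference that consists only of object_r separately from any other role mismatch. The function names are hypothetical, both samples are constructed, and the output layouts (setools 3 style `seinfo`, MLS columns in `semanage`) are assumptions.

```python
# Constructed samples (not output from the thread); the layouts are assumptions.
SEINFO_XU = """\
Users: 2
   root
      default level: s0
      range: s0 - s0:c0.c1023
      roles:
         object_r
         staff_r
   system_u
      default level: s0
      range: s0 - s0:c0.c1023
      roles:
         object_r
         system_r
"""
SEMANAGE_USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         s0-s0:c0.c1023                 staff_r
system_u        user       s0         s0-s0:c0.c1023                 system_r object_r
"""

def parse_seinfo(text):
    users, current, in_roles, base = {}, None, False, 0
    for line in text.splitlines():
        item, indent = line.strip(), len(line) - len(line.lstrip())
        if not item or ":" in item:  # blank, header or attribute line
            in_roles = item == "roles:"  # only "roles:" opens the role list
        elif in_roles and indent > base:
            users[current].add(item)
        else:  # back at user indentation: a new user entry starts
            current, base, in_roles = item, indent, False
            users[current] = set()
    return users

def parse_semanage(text):  # data rows: user, prefix, level, range, then roles
    rows = (line.split() for line in text.splitlines())
    return {r[0]: set(r[4:]) for r in rows if len(r) > 4 and r[0] != "SELinux"}

def compare(seinfo_text, semanage_text):
    a, b = parse_seinfo(seinfo_text), parse_semanage(semanage_text)
    report = {}
    for user in sorted(a.keys() | b.keys()):
        diff = a.get(user, set()) ^ b.get(user, set())  # roles listed by one tool only
        status = "mismatch" if diff - {"object_r"} else "object_r only" if diff else "consistent"
        report[user] = (status, sorted(diff))
    return report
```

On a real system, pass the captured output of the two commands to `compare()`; users reported as "object_r only" show the display difference discussed in the thread, while "mismatch" means some other role differs.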