On Wed, Nov 18, 2015 at 5:09 PM, Mike Palmiotto <mike.palmiotto@xxxxxxxxxxxxxxx> wrote:
> We're currently running into issues attempting to get a default
> context for a newly added SELinux user.
>
> The user has been added with semanage, and associated with a few
> roles. There are role declarations and allows (to and from the "scon"
> role) in place in the policy. We've also added entries to
> /etc/selinux/mls/contexts/{default_contexts,users/foo_u} to facilitate
> getting a default context for the SELinux user.
>
> The desire is to switch security labels based on the specified user's
> default context, like so:
> root:staff_r:staff_t:s0 -> foo_u:foo_r:foo_t:s0
>
> We're using a call to
> `get_default_context("foo_u", "root:staff_r:staff_t:s0", &new_context)`
> to get the default, but that doesn't seem to be working.
>
> In testing with a more verbose version of security_compute_user_raw,
> we noticed that the list of available contexts for foo_u is empty.
> This behavior has been noted for staff_u as well.
>
> Curious to know if there's something glaringly obvious that we're missing.

Other than this discussion (and previous discussions on using
security_compute_user), of course:
http://marc.info/?l=selinux&m=144707899910491&w=2

I'm still curious as to why the get_default_context mechanism is not
finding any reachable contexts.

--Mike

>
> Respectfully,
> Mike
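
An added illustration, not part of the message above and not libselinux code: a simplified Python model of the two-stage lookup the message describes, where the entries in default_contexts and users/foo_u only rank contexts that security_compute_user_raw already reported as reachable. The file contents, the `bar_r`/`bar_t` names and the ranking details are assumptions constructed for the example, and the library's failsafe_context fallback is left out.

```python
# Simplified model (an assumption, not libselinux source): the contexts
# files rank candidates; they never add contexts to the reachable list.

def parse_contexts_file(text):
    """Map (from_role, from_type) -> ordered list of preferred (role, type)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        key = tuple(fields[0].split(":")[:2])
        table[key] = [tuple(f.split(":")[:2]) for f in fields[1:]]
    return table

def pick_default(user, fromcon, reachable, user_file="", default_file=""):
    """Return the preferred reachable context for `user`, or None."""
    if not reachable:
        return None  # nothing to rank, whatever the files contain
    from_key = tuple(fromcon.split(":")[1:3])  # role and type of the caller
    for text in (user_file, default_file):     # per-user file is tried first
        prefs = parse_contexts_file(text).get(from_key)
        if not prefs:
            continue
        for role, typ in prefs:
            for con in reachable:
                if tuple(con.split(":")[:3]) == (user, role, typ):
                    return con
    return reachable[0]  # no matching entry: keep the reachable-list order

# Constructed sample data using the labels from the message above.
FROMCON = "root:staff_r:staff_t:s0"
USER_FILE = "staff_r:staff_t:s0    foo_r:foo_t:s0\n"  # users/foo_u (constructed)
REACHABLE = ["foo_u:bar_r:bar_t:s0", "foo_u:foo_r:foo_t:s0"]  # constructed

if __name__ == "__main__":
    print(pick_default("foo_u", FROMCON, REACHABLE, USER_FILE))
    print(pick_default("foo_u", FROMCON, [], USER_FILE))
```

In this model an empty reachable list yields no default even though users/foo_u carries a matching entry, so the reachable list is the first thing to inspect when the call returns nothing.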