Re: (How to) Change the context of user

You could add a policy module with a transition rule that states:

=================================
policy_module(mydocker, 1.0)

gen_require(`
	type unconfined_t;
	role unconfined_r, system_r;
	type docker_exec_t;
')

# docker.if interface: let unconfined_t execute docker_exec_t and
# transition to docker_t
docker_domtrans(unconfined_t)

# change the role from unconfined_r to system_r when docker_exec_t is
# executed, so the new process ends up as system_r:docker_t
role_transition unconfined_r docker_exec_t system_r;
=================================

This will get you running docker as

unconfined_u:system_r:docker_t:s0-s0:c0.c1023

Which should get you most of the way there.
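A way to put the module above to work and confirm the result, as an added example that is not part of the reply or of the docker policy itself: it compiles and loads the module text (assumed to be saved as mydocker.te in the current directory) and then reads ps -eZ output to check which role and type the daemon actually got. The ps -eZ lines embedded in the script are constructed, and the daemon's command name is assumed to be "docker", matching the "docker daemon ..." invocation quoted below.

```shell
#!/bin/sh
# Added example (not from the reply above): load the mydocker module and
# check that the docker daemon actually lands in system_r:docker_t.
# Assumptions: the module text is saved as mydocker.te in the current
# directory, the daemon's command name is "docker", and the two ps -eZ
# samples below are constructed for illustration.
set -eu

# Compile mydocker.te into mydocker.pp with the policy development
# Makefile (package selinux-policy-devel) and load it. Needs root and an
# SELinux host, so it only runs when invoked as: sh check_docker_ctx.sh load
build_and_load() {
    make -f /usr/share/selinux/devel/Makefile mydocker.pp
    semodule -i mydocker.pp
    semodule -l | grep -q '^mydocker' || {
        echo 'mydocker module not listed by semodule -l' >&2
        return 1
    }
}

# Print "role:type" of a full context user:role:type[:range]. The MLS
# range can contain colons itself (s0-s0:c0.c1023), so count from the left.
context_role_type() {
    printf '%s\n' "$1" | cut -d: -f2,3
}

# Read "ps -eZ" output on stdin and print role:type of the first process
# whose command name (last column) equals $1. Fails if there is none.
proc_role_type() {
    ctx=$(awk -v cmd="$1" '$NF == cmd { print $1; exit }')
    [ -n "$ctx" ] || { echo "no process named $1" >&2; return 1; }
    context_role_type "$ctx"
}

# Succeed only if the daemon runs as system_r:docker_t, which is what the
# docker_domtrans + role_transition pair produces; anything else (typically
# unconfined_r:unconfined_t inherited from the root shell) is a failure.
verify_docker_domain() {
    rt=$(proc_role_type docker) || return 1
    case $rt in
        system_r:docker_t) echo "ok: docker daemon runs as $rt" ;;
        *) echo "not confined: docker daemon runs as $rt" >&2; return 1 ;;
    esac
}

# Constructed ps -eZ output before the module is loaded (daemon inherits
# the shell's unconfined_t) and after (role and type both transitioned).
PS_BEFORE='LABEL PID TTY TIME CMD
system_u:system_r:init_t:s0 1 ? 00:00:01 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1234 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1300 pts/0 00:00:02 docker'
PS_AFTER='LABEL PID TTY TIME CMD
system_u:system_r:init_t:s0 1 ? 00:00:01 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1234 pts/0 00:00:00 bash
unconfined_u:system_r:docker_t:s0-s0:c0.c1023 1300 pts/0 00:00:02 docker'

case ${1:-} in
    load) build_and_load ;;
    live) ps -eZ | verify_docker_domain ;;   # check the running host
    *)  # offline demonstration on the constructed samples
        printf '%s\n' "$PS_BEFORE" | verify_docker_domain || true
        printf '%s\n' "$PS_AFTER"  | verify_docker_domain
        ;;
esac
```

Run it with no arguments for the offline demonstration, with "load" on the host once the module text is saved as mydocker.te, and with "live" to check the running daemon. If "live" still reports unconfined_r:unconfined_t, check that semodule -l lists the module and that the binary you executed is labelled docker_exec_t (ls -Z), since both the domtrans and the role_transition key on that type.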



On 08/20/2016 10:43 AM, Kashif ali wrote:
I want to change it because of the docker_t label of the docker daemon. When the root user runs in the following context
"unconfined_u:unconfined_r:unconfined_t:" and I run the docker daemon on the network with the following command
=> docker daemon -H localhost:2376 --selinux-enabled &
then the docker daemon has the unconfined_t label on it, and as described, the unconfined domain has access to all processes in the system, and I have read that unconfined_t has no domain transition in SELinux, so

* but when I run the root user in the following context "system_u:system_r:initrc_t:", and run the docker daemon in that context, then the docker daemon has the docker_t label on it

so is there any way to solve this problem, or any way to assign the correct docker_t label to the docker daemon?



On Sat, Aug 20, 2016 at 10:12 AM, Jason Zaman <jason@xxxxxxxxxxxxx> wrote:

On 20 Aug 2016 08:56, "Kashif ali" <kashif.ali.9498@xxxxxxxxx> wrote:
>
> Hi
>   * I'm facing a problem while changing the context of root user in selinux, Selinux is in enforced and targeted policy. By default Selinux assign user =>"unconfined_u:unconfiend_r:unconfined_t:" 
> context for the user i have changed the selinux mapped root user "unconifined_u" into "system_u" for root user with the help of command 
> =>"semanage login -a -s system_u root" 
> after executing this command the root user context is changed into "system_u:unconfined_r:unconfined_t:".

Don't do this. system_u is not able to log in. system_u is for daemons. Root is usually in sysadm_r or unconfined_r.

> * Now I have changed the root user's role and domain type, so I executed this command
> => "newrole -r system_r -t initrc_t:"
> and changed the root user's context to "system_u:system_r:initrc_t:", but this change is temporary; after rebooting the system, the root user's context changes back to "system_u:unconfined_r:unconfined_t:"
>
> * What I need is to change the root user's context permanently to "system_u:system_r:initrc_t:".

Why permanently? This will probably break a lot of things. What are you trying to accomplish with making it permanent?
If you need to run a command as initrc_t, use run_init in front. E.g.:

# run_init /etc/init.d/sshd restart

This will first switch to system_u:system_r:initrc_t and then run ssh, which will automatically transition to sshd_t.

-- Jason




_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
