On Wed, Mar 04, 2020 at 08:29:40AM +0100, Dominick Grift wrote:
> The easiest way to explain this is as follows.
>
> Consider this scenario:
>
> # seinfo -xuwheel.id
>
> Users: 1
> user wheel.id roles wheel.role level s0 range s0;
>
> # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
> wheel.id:wheel.role:user.systemd.subj:s0
>
> Now consider this scenario:
>
> # echo '(userrole wheel.id sys.role)' > hack.cil && semodule -i hack.cil
>
> # seinfo -xuwheel.id
>
> Users: 1
> user wheel.id roles { wheel.role sys.role } level s0 range s0;
>
> Here is the issue:
>
> # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
> wheel.id:sys.role:sys.isid:s0

For completeness:

# cat /etc/selinux/dssp3-mcs/contexts/users/wheel.id
sys.role:login.subj:s0 wheel.role:user.subj:s0
sys.role:ssh.daemon.subj:s0 wheel.role:user.ssh.subj:s0
sys.role:sys.isid:s0 wheel.role:user.systemd.subj:s0

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift