Re: strange pam selinux issue

On Wed, Mar 4, 2020 at 2:44 AM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
>
> On Wed, Mar 04, 2020 at 08:29:40AM +0100, Dominick Grift wrote:
> > The easiest way to explain this is as follows.
> >
> > Consider this scenario:
> >
> > # seinfo -xuwheel.id
> >
> > Users: 1
> >    user wheel.id roles wheel.role level s0 range s0;
> >
> > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
> > wheel.id:wheel.role:user.systemd.subj:s0
> >
> > Now consider this scenario:
> >
> > # echo '(userrole wheel.id sys.role)' > hack.cil && semodule -i hack.cil
> >
> > # seinfo -xuwheel.id
> >
> > Users: 1
> >    user wheel.id roles { wheel.role sys.role } level s0 range s0;
> >
> > Here is the issue:
> >
> > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
> > wheel.id:sys.role:sys.isid:s0
>
> For completeness:
>
> # cat /etc/selinux/dssp3-mcs/contexts/users/wheel.id
> sys.role:login.subj:s0 wheel.role:user.subj:s0
> sys.role:ssh.daemon.subj:s0 wheel.role:user.ssh.subj:s0
> sys.role:sys.isid:s0 wheel.role:user.systemd.subj:s0

Are you using libselinux with or without the commit to stop using
security_compute_user()?
If still using security_compute_user(), what does compute_user
sys.id:sys.role:sys.isid:s0 wheel.id display?
If you don't have compute_user (it is in libselinux/utils but not sure
Fedora packages it), you can also just
strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
and see what it read back from /sys/fs/selinux/user.
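Added example for this thread (not code from the thread, from libselinux, or from the dssp3 policy): a simplified stand-alone model of the two scenarios above. It parses `seinfo -xu` style output for a user's role set, reports which roles were added between two snapshots (the `hack.cil` change), and then lists which candidate contexts from a `contexts/users/<user>` file are eligible for that user. The model assumes a candidate is eligible only when its role is in the user's role set, and that keeping the current role:type is itself a candidate (which is what the second `selinuxconlist` output shows). The order in which candidates are listed is a modelling choice, not libselinux's ordering; which candidates libselinux actually returns is what `compute_user` or the strace suggested above would show. All sample inputs are constructed copies of the output quoted in the thread.

```python
"""Model of per-user SELinux context eligibility, written for this thread.

Simplified and stand-alone: this is NOT libselinux's get_ordered_context_list()
and does not talk to /sys/fs/selinux. It only illustrates why granting a user an
extra role makes additional contexts eligible for that user.
"""
import re

# Constructed copies of the `seinfo -xuwheel.id` output quoted in the thread.
SEINFO_BEFORE = """\
Users: 1
   user wheel.id roles wheel.role level s0 range s0;
"""
SEINFO_AFTER = """\
Users: 1
   user wheel.id roles { wheel.role sys.role } level s0 range s0;
"""

# Constructed copy of /etc/selinux/dssp3-mcs/contexts/users/wheel.id from the thread.
# Format per line: <from role:type:level> <to role:type:level> ...
USER_CONTEXTS_FILE = """\
sys.role:login.subj:s0 wheel.role:user.subj:s0
sys.role:ssh.daemon.subj:s0 wheel.role:user.ssh.subj:s0
sys.role:sys.isid:s0 wheel.role:user.systemd.subj:s0
"""

# Matches both "roles wheel.role" and "roles { wheel.role sys.role }".
_USER_RE = re.compile(r"^\s*user\s+(\S+)\s+roles\s+(\{[^}]*\}|\S+)\s+level", re.M)


def parse_seinfo_users(text):
    """Parse `seinfo -xu` style output into {seuser: set(roles)}."""
    users = {}
    for name, roles in _USER_RE.findall(text):
        users[name] = set(roles.strip("{}").split())
    return users


def role_drift(before_text, after_text):
    """Roles a user gained between two seinfo snapshots: {seuser: set(added)}.

    Useful as a policy-change check: an unexpected role grant (like sys.role
    being added to wheel.id by hack.cil) shows up here.
    """
    before = parse_seinfo_users(before_text)
    after = parse_seinfo_users(after_text)
    drift = {}
    for user, roles in after.items():
        added = roles - before.get(user, set())
        if added:
            drift[user] = added
    return drift


def parse_user_contexts(text):
    """Parse a contexts/users/<user> file into [(from_ctx, [to_ctx, ...]), ...]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def role_type_level(ctx):
    """'role:type:level' -> (role, type, level); the level keeps any ':' of its own."""
    role, typ, level = ctx.split(":", 2)
    return role, typ, level


def candidate_contexts(seuser, user_roles, fromcon, contexts_text):
    """Contexts eligible for `seuser` when coming from full context `fromcon`.

    Candidates are every 'to' context on a line whose 'from' role:type matches
    fromcon, plus fromcon's own role:type:level (staying put). Each is kept
    only if its role is one the user is authorised for. Ordering is arbitrary
    here (file targets first, staying put last) and is not libselinux's.
    """
    from_rtl = fromcon.split(":", 1)[1]          # drop the seuser field
    from_role, from_type, from_level = role_type_level(from_rtl)
    candidates = []
    for from_field, targets in parse_user_contexts(contexts_text):
        f_role, f_type, _ = role_type_level(from_field)
        if (f_role, f_type) == (from_role, from_type):
            candidates.extend(role_type_level(t) for t in targets)
    candidates.append((from_role, from_type, from_level))
    result = []
    for role, typ, level in candidates:
        if role in user_roles:
            ctx = f"{seuser}:{role}:{typ}:{level}"
            if ctx not in result:
                result.append(ctx)
    return result


if __name__ == "__main__":
    fromcon = "sys.id:sys.role:sys.isid:s0"
    for label, snapshot in (("before", SEINFO_BEFORE), ("after", SEINFO_AFTER)):
        roles = parse_seinfo_users(snapshot)["wheel.id"]
        print(label, sorted(roles), candidate_contexts("wheel.id", roles, fromcon, USER_CONTEXTS_FILE))
    print("role drift:", role_drift(SEINFO_BEFORE, SEINFO_AFTER))
```

Run it as-is and the "before" run yields only `wheel.id:wheel.role:user.systemd.subj:s0`, while the "after" run also makes `wheel.id:sys.role:sys.isid:s0` eligible, since wheel.id now holds sys.role. The `role_drift` output is the kind of diff worth checking in a policy build before chasing the libselinux code path.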
