On Wed, Mar 4, 2020 at 2:44 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>
> On Wed, Mar 04, 2020 at 08:29:40AM +0100, Dominick Grift wrote:
> > The easiest way to explain this is as follows.
> >
> > Consider this scenario:
> >
> > # seinfo -xuwheel.id
> >
> > Users: 1
> >    user wheel.id roles wheel.role level s0 range s0;
> >
> > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
> > wheel.id:wheel.role:user.systemd.subj:s0
> >
> > Now consider this scenario:
> >
> > # echo '(userrole wheel.id sys.role)' > hack.cil && semodule -i hack.cil
> >
> > # seinfo -xuwheel.id
> >
> > Users: 1
> >    user wheel.id roles { wheel.role sys.role } level s0 range s0;
> >
> > Here is the issue:
> >
> > # selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
> > wheel.id:sys.role:sys.isid:s0
>
> For completeness:
>
> # cat /etc/selinux/dssp3-mcs/contexts/users/wheel.id
> sys.role:login.subj:s0 wheel.role:user.subj:s0
> sys.role:ssh.daemon.subj:s0 wheel.role:user.ssh.subj:s0
> sys.role:sys.isid:s0 wheel.role:user.systemd.subj:s0

Are you using libselinux with or without the commit to stop using
security_compute_user()? If still using security_compute_user(), what does

compute_user sys.id:sys.role:sys.isid:s0 wheel.id

display? If you don't have compute_user (it is in libselinux/utils but not
sure Fedora packages it), you can also just

strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0

and see what it read back from /sys/fs/selinux/user.
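The following is an added illustration, not code from the thread or from libselinux. It models the one thing the two seinfo outputs above change: which roles wheel.id is authorized for, and therefore which of the contexts derived from the contexts/users/wheel.id file (and from the caller's own context with only the user swapped) are even eligible for that user. It does not reproduce libselinux's get_ordered_context_list()/security_compute_user() ordering, so it says nothing about why selinuxconlist returned only the sys.role context after the userrole hack; the file contents and role sets below are copied from the thread, the function names are the example's own.

```python
# Added example: a simplified model of role authorization gating the
# contexts that can be offered for a SELinux user. NOT libselinux's
# real algorithm; libselinux also consults the policy for reachable
# contexts and applies its own ordering, which is not modelled here.

# Constructed copy of the contexts/users/wheel.id file quoted in the thread.
# Format per line: <from_role>:<from_type>:<level> <to_role>:<to_type>:<level> ...
WHEEL_ID_CONTEXTS = """\
sys.role:login.subj:s0 wheel.role:user.subj:s0
sys.role:ssh.daemon.subj:s0 wheel.role:user.ssh.subj:s0
sys.role:sys.isid:s0 wheel.role:user.systemd.subj:s0
"""

# Role sets as printed by "seinfo -xuwheel.id" before and after
# "(userrole wheel.id sys.role)" was loaded.
ROLES_BEFORE_HACK = {"wheel.role"}
ROLES_AFTER_HACK = {"wheel.role", "sys.role"}


def parse_user_contexts(text):
    """Parse a contexts/users/<user> file into {from_ctx: [to_ctx, ...]}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table.setdefault(fields[0], []).extend(fields[1:])
    return table


def role_of(full_ctx):
    """Return the role field of 'user:role:type:level'.

    maxsplit=3 keeps an MLS level such as 's0:c0.c1023' intact.
    """
    return full_ctx.split(":", 3)[1]


def candidate_contexts(user, user_roles, current_ctx, table):
    """Return (allowed, rejected) candidate contexts for `user`.

    Candidates are the current context with only the user swapped, plus
    every to-context listed for the matching role:type:level line.
    A candidate is allowed only if its role is one the user is authorized
    for (a necessary condition; policy validity of the full context is
    not checked by this model).
    """
    _, role, typ, level = current_ctx.split(":", 3)
    from_key = f"{role}:{typ}:{level}"
    candidates = [f"{user}:{from_key}"]
    candidates += [f"{user}:{to}" for to in table.get(from_key, [])]
    allowed, rejected = [], []
    for ctx in candidates:
        (allowed if role_of(ctx) in user_roles else rejected).append(ctx)
    return allowed, rejected


def demo():
    """Reproduce the thread's scenario: caller is sys.id:sys.role:sys.isid:s0."""
    table = parse_user_contexts(WHEEL_ID_CONTEXTS)
    current = "sys.id:sys.role:sys.isid:s0"
    return {
        "before": candidate_contexts("wheel.id", ROLES_BEFORE_HACK, current, table),
        "after": candidate_contexts("wheel.id", ROLES_AFTER_HACK, current, table),
    }


if __name__ == "__main__":
    for label, (allowed, rejected) in demo().items():
        print(f"{label}: allowed={allowed} rejected={rejected}")
```

Before the hack, wheel.id:sys.role:sys.isid:s0 is rejected because sys.role is not in the user's role set, leaving only wheel.id:wheel.role:user.systemd.subj:s0; after the hack both become role-authorized, which is exactly what makes the extra context reachable for selinuxconlist to pick. Which one libselinux then prefers is the ordering question the reply above is probing with compute_user and strace.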