On Wed, Mar 4, 2020 at 9:36 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>
> On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote:
> > Are you using libselinux with or without the commit to stop using
> > security_compute_user()?
> > If still using security_compute_user(), what does compute_user
> > sys.id:sys.role:sys.isid:s0 wheel.id display?
> > If you don't have compute_user (it is in libselinux/utils but not sure
> > Fedora packages it), you can also just
> > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
> > and see what it read back from /sys/fs/selinux/user.
>
> Thanks, it does not even seem to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id...
> I am not sure if my libselinux has or has not security_compute_user():
>
> # rpm -qa libselinux
> libselinux-3.0-3.fc32.x86_64
>
> openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
> write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range)

This shows that your libselinux is still calling security_compute_user() from
get_ordered_context_list(). In this case, because the source context is allowed
to transition to many other contexts, the result returned via
/sys/fs/selinux/user would exceed the maximum size supported by the kernel
interface (one page of contexts), and therefore it fails. Then
get_ordered_context_list() falls back to the failsafe_context.

If you update to libselinux git, you will stop using security_compute_user()
and hence /sys/fs/selinux/user entirely.
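The diagnosis above can be automated: the script below is an added example (not part of the thread or of libselinux) that scans an strace log of selinuxconlist for the pattern Stephen describes, a write to /sys/fs/selinux/user that returns ERANGE, and classifies the result. The trace embedded in it is constructed from the lines quoted in the thread; the function name is made up for this example.

```shell
#!/bin/sh
# classify_compute_user_trace: read an strace log on stdin and print one of
#   compute_user_erange  - /sys/fs/selinux/user was written and got ERANGE
#                          (result exceeds one page; failsafe_context is used)
#   compute_user_ok      - /sys/fs/selinux/user was written successfully
#   no_compute_user      - /sys/fs/selinux/user was never opened, i.e. this
#                          libselinux no longer calls security_compute_user()
classify_compute_user_trace() {
    awk '
        # Remember the fd returned when /sys/fs/selinux/user is opened.
        /openat\(.*"\/sys\/fs\/selinux\/user"/ {
            if (match($0, /= [0-9]+$/)) {
                fd = substr($0, RSTART + 2)
                opened = 1
            }
        }
        # The write of "<source context> <username>" to that same fd.
        opened && $0 ~ ("^write\\(" fd ",") {
            if ($0 ~ /= -1 ERANGE/) erange = 1
            else wrote_ok = 1
        }
        END {
            if (erange) print "compute_user_erange"
            else if (wrote_ok) print "compute_user_ok"
            else print "no_compute_user"
        }'
}

# Constructed sample trace (mirrors the lines quoted in the thread).
SAMPLE_TRACE='openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range)'

printf '%s\n' "$SAMPLE_TRACE" | classify_compute_user_trace
```

Run it against a real log with `classify_compute_user_trace < trace.txt` after producing trace.txt with the strace command quoted above.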