On Wed, Mar 4, 2020 at 9:46 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> This shows that your libselinux is still calling
> security_compute_user() from get_ordered_context_list().
> In this case, because the source context is allowed to transition to
> many other contexts, the result returned via
> /sys/fs/selinux/user would exceed the maximum size supported by the
> kernel interface (one page of contexts),
> and therefore it fails. Then get_ordered_context_list() falls back to
> the failsafe_context.
>
> If you update to libselinux git, you will stop using
> security_compute_user() and hence /sys/fs/selinux/user entirely.

BTW, Fedora ran into this limit some time ago and pruned outbound
transitions from init_t and perhaps other "unconfined" domains to work
around it. But getting rid of security_compute_user() and
/sys/fs/selinux/user is the better solution.