On Wed, Mar 4, 2020 at 9:47 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:

> Practically yes name-based type transitions but other than that it makes
> the experience much simpler if you have just one unconfined system domain.
> I actually kind of got that idea from you when you mentioned the three
> domain model.

Not sure that was me but whatever.

> It's also used by pam_selinux env_params (which in turn is used by ssh for
> "ssh user/role/level@host")
> The problem is that the default_type for ssh and sudo sessions may differ
> (i.e. default_type is not really a default_type)

Fair enough; originally it was only used by newrole and only if a type
wasn't explicitly specified via -t. Maybe get_default_context_with_role(3)
would be better since it can take into account the caller context.

> > Probably needs to be converted to using selinux_check_access().
>
> We hit that same issue when we revisited mdp a while ago. Removing the
> env_params was a quick fix for that then.

Well, the right fix is to use selinux_check_access().