Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:

> On Wed, Mar 4, 2020 at 9:36 AM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
>>
>> On Wed, Mar 04, 2020 at 09:22:42AM -0500, Stephen Smalley wrote:
>> > Are you using libselinux with or without the commit to stop using
>> > security_compute_user()?
>> > If still using security_compute_user(), what does compute_user
>> > sys.id:sys.role:sys.isid:s0 wheel.id display?
>> > If you don't have compute_user (it is in libselinux/utils but not sure
>> > Fedora packages it), you can also just
>> > strace -s 4096 -o trace.txt selinuxconlist wheel.id sys.id:sys.role:sys.isid:s0
>> > and see what it read back from /sys/fs/selinux/user.
>>
>> Thanks, it does not even seem to read /etc/selinux/dssp3-mcs/contexts/users/wheel.id...
>> I am not sure if my libselinux has or has not security_compute_user():
>>
>> # rpm -qa libselinux
>> libselinux-3.0-3.fc32.x86_64
>>
>> openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
>> write(3, "sys.id:sys.role:sys.isid:s0 wheel.id", 36) = -1 ERANGE (Numerical result out of range)
>
> This shows that your libselinux is still calling
> security_compute_user() from get_ordered_context_list().
> In this case, because the source context is allowed to transition to
> many other contexts, the result returned via
> /sys/fs/selinux/user would exceed the maximum size supported by the
> kernel interface (one page of contexts),
> and therefore it fails. Then get_ordered_context_list() falls back to
> the failsafe_context.
>
> If you update to libselinux git, you will stop using
> security_compute_user() and hence /sys/fs/selinux/user entirely.

FYI I've just built libselinux-3.0-4.fc32 [1] and libselinux-3.0-4.fc33 [2]
with the security_compute_user() patch applied.
[1] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474378
[2] https://koji.fedoraproject.org/koji/buildinfo?buildID=1474377

--
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
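The failure mode Stephen describes above (the reply to a /sys/fs/selinux/user query must fit in one page, otherwise the write fails with ERANGE and get_ordered_context_list() silently falls back to the failsafe context) is easy to reproduce in a userspace model. The following is an added example written for this page; it is not libselinux or kernel code. It assumes a 4096-byte page, a reply laid out as "<count> <ctx1> <ctx2> ...", and constructed contexts of the same shape as the ones in the thread; the real sel_write_user() formatting and the failsafe string are not taken from the page.

```c
/*
 * Added example, not code from libselinux or the kernel: a userspace model of
 * why a write to /sys/fs/selinux/user can fail with ERANGE and what the
 * caller then does.
 *
 * Assumptions (constructed for this example): PAGE_SIZE is 4096, the reply
 * is laid out as "<count> <ctx1> <ctx2> ...", contexts look like
 * "sys.id:sys.role:sys.typeNNN:s0", and the failsafe context below is a
 * placeholder, not the one from the reporter's policy.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096

/* Kernel side (modelled): serialise every reachable context into one page.
 * Returns the number of bytes written, or -ERANGE when the reply does not
 * fit. Nothing partial is handed back, which matches the strace line in the
 * thread where the write itself returns -1 ERANGE. */
int model_compute_user(const char **ctxs, size_t n, char *page, size_t pagesz)
{
    int w = snprintf(page, pagesz, "%zu", n);
    if (w < 0 || (size_t)w >= pagesz)
        return -ERANGE;
    size_t len = (size_t)w;
    for (size_t i = 0; i < n; i++) {
        w = snprintf(page + len, pagesz - len, " %s", ctxs[i]);
        /* snprintf reports the full length it wanted, so truncation is
         * detected here and turned into the same error the kernel gives. */
        if (w < 0 || len + (size_t)w >= pagesz) {
            page[0] = '\0';
            return -ERANGE;
        }
        len += (size_t)w;
    }
    return (int)len;
}

/* libselinux side (modelled): when the compute_user query fails, fall back
 * to the failsafe context instead of the ordered list. Returns 1 if the
 * failsafe was used, 0 if the computed list was returned in 'out'. */
int model_ordered_context_list(const char **ctxs, size_t n,
                               const char *failsafe, char *out, size_t outsz)
{
    char page[PAGE_SIZE];
    int rc = model_compute_user(ctxs, n, page, sizeof page);
    if (rc < 0) {
        snprintf(out, outsz, "%s", failsafe);
        return 1;
    }
    snprintf(out, outsz, "%s", page);
    return 0;
}

/* Constructed test data: n distinct contexts, 30 bytes each. */
char **make_contexts(size_t n)
{
    char **ctxs = calloc(n, sizeof *ctxs);
    for (size_t i = 0; i < n; i++) {
        ctxs[i] = malloc(64);
        snprintf(ctxs[i], 64, "sys.id:sys.role:sys.type%03zu:s0", i);
    }
    return ctxs;
}

void free_contexts(char **ctxs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        free(ctxs[i]);
    free(ctxs);
}

/* Does a policy with n reachable contexts of this shape end up on the
 * failsafe context? 1 = yes (ERANGE path), 0 = no (list returned). */
int failsafe_used_for(size_t n)
{
    char out[PAGE_SIZE];
    char **ctxs = make_contexts(n);
    /* Placeholder failsafe, not the reporter's actual failsafe_context. */
    int used = model_ordered_context_list((const char **)ctxs, n,
                                          "sys.id:sys.role:sys.isid:s0",
                                          out, sizeof out);
    free_contexts(ctxs, n);
    return used;
}

/* Largest number of these 30-byte contexts that still fits in one page. */
size_t contexts_that_fit(void)
{
    size_t n = 0;
    while (!failsafe_used_for(n + 1))
        n++;
    return n;
}

int main(void)
{
    printf("3 contexts   -> failsafe used: %d\n", failsafe_used_for(3));
    printf("200 contexts -> failsafe used: %d\n", failsafe_used_for(200));
    printf("max contexts of this length per page: %zu\n", contexts_that_fit());
    return 0;
}
```

The point of the model is the arithmetic, not the formatting: with the 30-byte contexts used here, the 132nd context still fits and the 133rd pushes the reply past the page, after which the caller never sees the list at all, only the failsafe context. A policy like the reporter's, where one source context can transition to many types, crosses that line easily, which is why dropping security_compute_user() (as the libselinux commit referenced in the thread does) rather than enlarging a buffer is the right fix.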