Ashish Mishra <ashishm@xxxxxxxxxx> writes:

> Hi Group members ,
>
> I am trying to get SELINUX being added in our custom BSP .
>
> I am able to reach till I have selinux-refpolicy installed on target &
> the getenforce / setenforce commands are working.
> I can verify them using log messages in /var/log/audit.log
>
> Below is the observation ( problem ) which I am observing w.r.t context type of
> selinux .
> a) File created as root has "system_u:object_r:root_t"

"root" is a hybrid user (system processes are often associated with root identity as well as the root login user)

When a system process associated with "system_u" creates a "file" in a directory with type root_t (and there is no type transition rule telling selinux to transition to default_t) then the file ends up with "system_u:object_r:root_t"

if the file was created by a "real" login user, then the label of the file indicates that the context associated with the root login user was wrong because generally the root login user shouldn't be associated with "system_u"

> b) File created as testuser also has "system_u:object_r:root_t"

provided that the "testuser" identity is not an identity for system services, then this indicates that both the processes creating the file as well as the target directory of the file are mislabeled.

ensure that your login users are associated with the expected contexts, and also ensure that your filesystems are labeled according to the policy

> but I was expecting something "unconfined_u:object_r:user_home_t"
>
> Can members please provide any input as to what might be the cause of this
> or any pointers to debug the same.
>
> I am using TEMPFS as a file system .
>
> Thanks ,
> Ashish

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
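
The labeling behaviour described in the reply above, as an added example that is not part of the original message: a simplified model of how a new file gets its context, plus a check that splits an unexpected label into a process-side and a directory-side finding. The process contexts, directory contexts and the single transition rule are constructed sample data, and the function names are hypothetical.

```python
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str

def parse(label: str) -> Context:
    # Keep user:role:type and ignore an optional MLS range after the type.
    user, role, setype = label.split(":")[:3]
    return Context(user, role, setype)

def new_file_label(proc: Context, parent: Context, rules: dict) -> Context:
    # Simplified model (assumption): the SELinux user comes from the creating
    # process, the role is object_r, and the type comes from a matching
    # type_transition rule or, if none matches, from the parent directory.
    new_type = rules.get((proc.type, parent.type, "file"), parent.type)
    return Context(proc.user, "object_r", new_type)

def diagnose(observed: str, expected: str) -> list:
    # The user field points at the creating process, the type field points at
    # the directory label (or a missing transition rule).
    obs, exp = parse(observed), parse(expected)
    findings = []
    if obs.user != exp.user:
        findings.append(f"user {obs.user} != {exp.user}: "
                        "check the context of the process that created the file")
    if obs.type != exp.type:
        findings.append(f"type {obs.type} != {exp.type}: "
                        "check the parent directory label and transition rules")
    return findings

# Constructed sample rule, keyed as (process type, directory type, class).
RULES = {("unconfined_t", "user_home_dir_t", "file"): "user_home_t"}

if __name__ == "__main__":
    # Constructed case matching the report: system_u process, root_t directory.
    bad = new_file_label(parse("system_u:system_r:init_t"),
                         parse("system_u:object_r:root_t"), RULES)
    print(":".join(bad))
    for finding in diagnose(":".join(bad), "unconfined_u:object_r:user_home_t"):
        print(" -", finding)
    # Constructed case with a correctly labeled login session and home directory.
    good = new_file_label(parse("unconfined_u:unconfined_r:unconfined_t:s0"),
                          parse("unconfined_u:object_r:user_home_dir_t:s0"), RULES)
    print(":".join(good))
```
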