On Wed, Jan 13, 2021 at 1:09 AM Ashish Mishra <ashishm@xxxxxxxxxx> wrote:
>
> Hi Members,
>
> Any input as to why we have "system_u:object_r" in every context
> for initramfs (tmpfs file system)?
> I can see that the type section of the SELinux context is proper.
>
> But the user & role seem to be "system_u:object_r" for every file in
> /etc/selinux/refpolicy/contexts/files/file_contexts
>
> Any pointers here, or if I am missing any aspect here?
>
> Thanks,
> Ashish

The short answer is that it is tradition.

system_u is used for system files because no user creates or owns them.
unconfined_u is used for home directories because users are run in
unconfined_u. When a file is created it will inherit the user label of
the process creating it.

object_r is used because roles are meaningful for domains, but not so
much for objects.

The type is usually the most important part. SELinux is flexible enough
that policy could be written (through the use of constraint rules) that
would make the user and role fields more important in access control
and labeling decisions, but type enforcement is usually sufficient.

Jim
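As an added illustration of the context layout discussed above (example code, not part of the original thread or of refpolicy), here is a small Python parser for file_contexts lines that splits each context into user, role, type and optional MLS level, tallies the user:role pairs, and flags any entry whose role is not object_r. The sample file_contexts lines are constructed for the example, not taken from a real refpolicy build.

```python
from collections import Counter

# Constructed sample of file_contexts lines (not from a real refpolicy build).
# Format per line: <path regex> [<file type flag>] <context or <<none>>>
SAMPLE_FILE_CONTEXTS = """\
# comment lines and blank lines are ignored
/.*                       system_u:object_r:default_t:s0
/etc(/.*)?                system_u:object_r:etc_t:s0
/bin/.*                   --  system_u:object_r:bin_t:s0
/dev/null                 -c  system_u:object_r:null_device_t:s0
/home/[^/]+(/.*)?         unconfined_u:object_r:user_home_t:s0
/tmp/foo                  <<none>>
/srv/odd                  system_u:unconfined_r:var_t:s0
"""


def parse_context(ctx):
    """Split 'user:role:type[:level]' into a dict.

    An MLS level/range may itself contain ':' (e.g. s0-s0:c0.c1023),
    so only the first three colons are structural.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_file_contexts(text):
    """Return a list of (regex, file_type_flag, context_dict_or_None)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:          # no file type flag
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:        # flag such as -- (regular file) or -c
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"unexpected field count: {line!r}")
        entries.append((regex, ftype, None if ctx == "<<none>>" else parse_context(ctx)))
    return entries


def summarize(entries):
    """Count user:role pairs and list regexes whose role is not object_r."""
    pairs = Counter(f"{c['user']}:{c['role']}" for _, _, c in entries if c)
    odd_roles = [regex for regex, _, c in entries if c and c["role"] != "object_r"]
    return pairs, odd_roles
```

Running `summarize(parse_file_contexts(SAMPLE_FILE_CONTEXTS))` on the sample shows that all system paths carry system_u:object_r, the home directory pattern carries unconfined_u:object_r, and only the constructed /srv/odd entry uses a non-object_r role.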