Bug 757046

Summary: Create a new Linux user mapped in SELinux
Product: [Fedora] Fedora
Reporter: Alessandro Lorenzi <alessandro.lorenzi>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: high
Priority: unspecified
Version: 16
CC: dwalsh, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-11-29 21:09:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Alessandro Lorenzi 2011-11-25 10:55:59 UTC
Description of problem:
The new user is mapped with unconfined_u even if I specify -Z

Version-Release number of selected component (if applicable):


How reproducible:
create a new user with -Z argument

Steps to Reproduce:
$ useradd -Z user_u foouser
$ su - foouser
$ id -Z
$ semanage login -l
[...]
foouser                  user_u                    s0
{this is okay}

  
Actual results:
$ su - foouser
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
$ su - foouser
# id -Z
user_u:unconfined_r:unconfined_t:s0

Additional info:
--

Comment 1 Daniel Walsh 2011-11-29 03:26:46 UTC
su does not change the selinux label, you have to go through a login program like sshd or login.

If you login that way, do you see the correct context?

Comment 2 Alessandro Lorenzi 2011-11-29 08:10:01 UTC
$ id -Z
user_u:user_r:user_t:s0

with ssh it works... and also logging in.

I'm wondering why it doesn't work with "su - "


thanks!
Alessandro

Comment 3 Daniel Walsh 2011-11-29 21:09:34 UTC
Because we did not want it to work under su. We do not have pam_selinux as part of the su PAM module. The reason for this is that random system apps and initrc_t scripts run su, and it can get SELinux confused.

The only time we set the user context is on initial login to the system.  su and sudo by default do not change the type and role.  sudo does have the ability to change the role if you set it up.
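The thread above comes down to one check: the `semanage login -l` mapping is correct, but only a login program that runs pam_selinux (sshd, login) applies it, while `su -` leaves the caller's context in place. The following POSIX shell script is an added example, not part of the bug report, that performs that check offline: it parses a constructed `semanage login -l` listing (not captured from the reporter's machine), extracts the SELinux user from an `id -Z` context string, and reports whether the mapping took effect. The function names and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Constructed sample of
# `semanage login -l` output; on a real system you would feed the command's
# actual output into the same functions.
SAMPLE_SEMANAGE_LOGIN="$(cat <<'EOF'

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
foouser              user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
EOF
)"

# mapped_seuser LISTING LOGIN
# Prints the SELinux user mapped to LOGIN in a `semanage login -l` listing,
# falling back to the __default__ entry when LOGIN has no explicit mapping
# (which is how the kernel/PAM resolve an unmapped Linux user).
mapped_seuser() {
    listing=$1
    login=$2
    seuser=$(printf '%s\n' "$listing" | awk -v l="$login" '$1 == l { print $2; exit }')
    if [ -z "$seuser" ]; then
        seuser=$(printf '%s\n' "$listing" | awk '$1 == "__default__" { print $2; exit }')
    fi
    printf '%s\n' "$seuser"
}

# context_seuser CONTEXT
# Prints the user field (first colon-separated part) of a context as shown
# by `id -Z`, e.g. user_u from user_u:user_r:user_t:s0.
context_seuser() {
    printf '%s\n' "$1" | cut -d: -f1
}

# mapping_applied LISTING LOGIN CONTEXT
# Exit status 0 when the SELinux user in CONTEXT is the one mapped to LOGIN,
# 1 otherwise. A mismatch is exactly what the reporter saw after `su -`:
# su's PAM stack does not run pam_selinux, so the parent's context survives.
mapping_applied() {
    [ "$(mapped_seuser "$1" "$2")" = "$(context_seuser "$3")" ]
}

# Demonstration with the two contexts observed in the thread.
if mapping_applied "$SAMPLE_SEMANAGE_LOGIN" foouser "user_u:user_r:user_t:s0"; then
    echo "ssh/login path: mapping applied"
fi
if ! mapping_applied "$SAMPLE_SEMANAGE_LOGIN" foouser \
        "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"; then
    echo "su path: mapping NOT applied (context inherited from caller)"
fi
```

In practice, run `mapping_applied "$(semanage login -l)" "$USER" "$(id -Z)"` from the session you want to verify: a session reached through sshd or login should pass, and a session reached through `su -` is expected to fail, which is the behaviour Comment 3 describes rather than a policy bug.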