Description of problem:

On my freshly set up MLS system, I can see that logging in as root through ssh ends up getting "staff_t" context:

~~~
-bash: /root/.bash_profile: Permission denied
[root@vm-mls9 ~]# id -Z
root:staff_r:staff_t:s0-s15:c0.c1023
~~~

Version-Release number of selected component (if applicable):

selinux-policy-mls-38.1.11-2.el9_2.3.noarch

How reproducible:

Always

Additional info:

Our doc [1] states the context should be sysadm_t (hence we cannot log in without the boolean) but apparently there is some bug here.

~~~
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/using-multi-level-security-mls_using-selinux#switching-the-selinux-policy-to-mls_using-multi-level-security-mls

Important note:
[...]
Also note that in MLS, SSH logins as the root user mapped to the sysadm_r SELinux role differ from logging in as root in staff_r.
~~~
The root cause is the below line in /etc/selinux/mls/contexts/users/root:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

I think this is nonsense because logging in as root with default staff_t context makes the root user become unusable.

Anyway, either the documentation of this line has to be modified.
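To show why the commented-out line changes the outcome, here is an added example (not part of the bug report or of selinux-policy) that models, in bash, how a default_contexts-style file is consulted when a login process such as sshd picks a context: find the line whose first field matches the login process's role:type, then take the first candidate on that line whose role the user is authorized for, consulting the per-user file before the policy-wide default_contexts. Assumptions: the per-user file contents are reproduced from the comment above; the default_contexts sshd_t line, the role list for root, and all function names (role_type, pick_login_context, resolve_login_context) are constructed for this example; type validation and the MLS level substitution that libselinux also performs are left out.

```bash
#!/usr/bin/env bash
# Simplified model of SELinux login-context selection (assumption: this mirrors
# the ordering logic of libselinux's get_ordered_context_list(), without the
# type validation and MLS level handling the real code also does).

# Per-user file as shipped, with the sshd_t line commented out
# (reproduced from the bug comment above).
ROOT_FILE_COMMENTED='#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0'

# The same file with that line uncommented.
ROOT_FILE_FIXED='#
# Uncomment if you want to automatically login as sysadm_r
#
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0'

# Constructed stand-in for the sshd_t line of the policy-wide
# /etc/selinux/mls/contexts/default_contexts (assumption: staff_r is listed
# before sysadm_r, which reproduces the reported staff_t login).
DEFAULT_CONTEXTS='system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0'

# Constructed role set for the root SELinux user (compare: semanage user -l).
ROOT_ROLES='staff_r sysadm_r secadm_r auditadm_r'

# role_type CONTEXT -> prints role:type, dropping the level (which may itself
# contain colons, e.g. s0-s15:c0.c1023).
role_type() {
  local rest="${1#*:}"
  printf '%s:%s\n' "${1%%:*}" "${rest%%:*}"
}

# pick_login_context PROCESS_CONTEXT "ROLE1 ROLE2 ..." FILE_CONTENT
# Prints the first candidate role:type on the matching line whose role is in
# the role list; returns 1 if no line or no candidate matches.
pick_login_context() {
  local proc_ctx="$1" roles="$2" content="$3"
  local line first cand role r want
  want=$(role_type "$proc_ctx")
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
    set -- $line
    first="$1"; shift
    [ "$(role_type "$first")" = "$want" ] || continue
    for cand in "$@"; do                        # candidates in preference order
      role="${cand%%:*}"
      for r in $roles; do
        if [ "$r" = "$role" ]; then
          role_type "$cand"
          return 0
        fi
      done
    done
  done <<< "$content"
  return 1
}

# resolve_login_context PROCESS_CONTEXT ROLES USER_FILE DEFAULT_FILE
# The per-user file takes precedence; default_contexts is the fallback.
resolve_login_context() {
  local proc_ctx="$1" roles="$2" user_file="$3" default_file="$4"
  pick_login_context "$proc_ctx" "$roles" "$user_file" \
    || pick_login_context "$proc_ctx" "$roles" "$default_file"
}

SSHD_CTX='system_r:sshd_t:s0-s15:c0.c1023'
printf 'line commented:   %s\n' \
  "$(resolve_login_context "$SSHD_CTX" "$ROOT_ROLES" "$ROOT_FILE_COMMENTED" "$DEFAULT_CONTEXTS")"
printf 'line uncommented: %s\n' \
  "$(resolve_login_context "$SSHD_CTX" "$ROOT_ROLES" "$ROOT_FILE_FIXED" "$DEFAULT_CONTEXTS")"
```

With the line commented out, the per-user file contributes nothing and the policy-wide sshd_t line wins, so root lands in staff_r:staff_t; with it uncommented, unconfined_r is skipped because root is not authorized for it and the next candidate, sysadm_r:sysadm_t, is chosen. The real check after editing the file is simply to open a new SSH session as root and run id -Z; note that the MLS range on the resulting context comes from the seusers mapping, not from the s0 written in this file.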