Description of problem:
runcon user_u:system_r:unconfined_t:s0 true -j
now returns
runcon: invalid context: user_u:system_r:unconfined_t:s0: Invalid argument

That command is part of coreutils build test suite and it passed without troubles in rawhide build of coreutils-6.10-21.fc9 (Fri, 18 Apr 2008). Command works ok in F8 and older Fedoras with the rawhide coreutils runcon command, worked in koji build few days ago. So I guess problem is in recent change in area of selinux policies or

Version-Release number of selected component (if applicable):
policycoreutils-2.0.46-4.fc9.x86_64
coreutils-6.10-18.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. runcon user_u:system_r:unconfined_t:s0 true -j

Actual results:
runcon: invalid context: user_u:system_r:unconfined_t:s0: Invalid argument

Expected results:
No output, exit 0

Additional info:
mcstrans(d) running, SELinux permissive (but same with enforcing)
runcon -t unconfined_t true -j
passes without an issue, but
runcon -t unconfined_t -u user_u true -j
returns again error
runcon: invalid context: user_u:unconfined_r:unconfined_t:SystemLow-SystemHigh: Invalid argument
Sorry for missing end of the sentence in the Description of problem, it should be "selinux policies or mcstrans(d). There is no recent change in runcon in coreutils package."
Change your code to
runcon -t unconfined_t -u unconfined_u true -j
user_u can not execute unconfined_t in rawhide.
Ok, thanks for the explanation, so it requires a change in the upstream coreutils test suite. I was just a bit surprised that it worked a few days ago and now it fails even in permissive mode. Will use
runcon unconfined_u:system_r:unconfined_t:s0 true -j
(In fact the code in the test suite is
runcon $(id -Z) true -j
and id -Z gets the context by getcon().) So I think this is still a bit buggy behaviour, since I got the context user_u:system_r:unconfined_t:s0 from selinux/selinux.h getcon(). If user_u could not use unconfined_t, then it should not be returned as the selinux context of the user.
Sounds like something is a little fishy on your test machine. I just tried the above command on unconfined_u:unconfined_r:unconfined_t:s0 and it worked fine for me, on Rawhide. I think your machine might have a screwed up user database. If this was an upgrade from F7 you might need to execute:
semanage login -m -s unconfined_u __default__
Thanks, that fixed my problem on test machine - seems to be that screwed up user database was the cause. Sorry for bothering you.
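
Added example, not part of the original report or of coreutils: a shell check for the state diagnosed in this thread, where the process context pairs user_u with unconfined_t and the __default__ login is still mapped to user_u. The function names and the sample `semanage login -l` listing are constructed for illustration, and the column layout of the listing is an assumption.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output (column layout assumed).
SAMPLE_LOGINS='
Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
'

# Print the SELinux user that a login name is mapped to.
# $1 = listing text, $2 = login name (defaults to __default__)
seuser_for_login() {
    printf '%s\n' "$1" |
        awk -v login="${2:-__default__}" '$1 == login { print $2; exit }'
}

# Print one field of a context "user:role:type[:range]".
# $1 = context, $2 = field number (1 = user, 2 = role, 3 = type)
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Return 0 when the context and login mapping match the failure in this
# report: domain unconfined_t, SELinux user user_u, and __default__ still
# mapped to user_u.
# $1 = context (as printed by id -Z), $2 = login listing text
mapping_is_stale() {
    ctx_user=$(context_field "$1" 1)
    ctx_type=$(context_field "$1" 3)
    mapped=$(seuser_for_login "$2" __default__)
    [ "$ctx_type" = "unconfined_t" ] &&
        [ "$ctx_user" = "user_u" ] &&
        [ "$mapped" = "user_u" ]
}

# On a live system (root needed for semanage) the call would be:
#   mapping_is_stale "$(id -Z)" "$(semanage login -l)" && echo "stale mapping"
if mapping_is_stale "user_u:system_r:unconfined_t:s0" "$SAMPLE_LOGINS"; then
    echo "stale mapping: __default__ -> $(seuser_for_login "$SAMPLE_LOGINS")"
fi
```
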