Bug 443569 - runcon user_u:system_r:unconfined_t:s0 <command> doesn't work in rawhide
runcon user_u:system_r:unconfined_t:s0 <command> doesn't work in rawhide
Product: Fedora
Classification: Fedora
Component: policycoreutils (Show other bugs)
All Linux
medium Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-04-22 04:44 EDT by Ondrej Vasik
Modified: 2008-04-22 10:27 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-04-22 07:01:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ondrej Vasik 2008-04-22 04:44:44 EDT
Description of problem:
runcon user_u:system_r:unconfined_t:s0 true -j 
now returns 
runcon: invalid context: user_u:system_r:unconfined_t:s0: Invalid argument

That command is part of coreutils build test suite and it passed without
troubles in rawhide build of coreutils-6.10-21.fc9 (Fri, 18 Apr 2008). Command
works ok in F8 and older Fedoras with the rawhide coreutils runcon command,
worked in koji build few days ago. So I guess problem is in recent change in
area of selinux policies or 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.runcon user_u:system_r:unconfined_t:s0 true -j
Actual results:
runcon: invalid context: user_u:system_r:unconfined_t:s0: Invalid argument

Expected results:
No output, exit 0

Additional info:
mcstrans(d) running, SELinux permissive (but same with enforcing)

runcon -t unconfined_t true -j passes without an issue,
runcon -t unconfined_t -u user_u true -j
returns again error
runcon: invalid context: user_u:unconfined_r:unconfined_t:SystemLow-SystemHigh:
Invalid argument
Comment 1 Ondrej Vasik 2008-04-22 04:48:12 EDT
Sorry for missing end of the sentence in the Description of problem, it should
be "selinux policies or mcstrans(d). There is no recent change in runcon in
coreutils package." 
Comment 2 Daniel Walsh 2008-04-22 07:01:17 EDT
Change your code to

runcon -t unconfined_t -u unconfined_u true -j

user_u can not execute unconfined_t in rawhide.

Comment 3 Ondrej Vasik 2008-04-22 07:32:51 EDT
Ok, thanks for explanation, so it requires change in upstream coreutils
test-suite. I was just a bit surprised that it worked few days ago and now it
fails even in permissive mode. Will use runcon
unconfined_u:system_r:unconfined_t:s0 true -j. 
Comment 4 Ondrej Vasik 2008-04-22 07:39:03 EDT
(In fact the code in test suite is runcon $(id -Z) true -j  (and id -Z gets
context by getcon() ). So I think this is still a bit buggy behaviour since I
got the context user_u:system_r:unconfined_t:s0 from selinux/selinux.h getcon().
If user_u could not use unconfined_t, then it should not be returned as selinux
context of user. 
Comment 5 Daniel Walsh 2008-04-22 09:50:14 EDT
Sounds like somthing is a little fishy on your test machine.  I just tried the
above command on 


And it worked fine for me, on Rawhide.

I think you machine might have a screwed up user database.

If this was an upgrade from F7 you might need to execute.

semanage login -m -s unconfined_u __default__
Comment 6 Ondrej Vasik 2008-04-22 10:27:11 EDT
Thanks, that fixed my problem on test machine - seems to be that screwed up user
database was the cause. Sorry for bothering you.

Note You need to log in before you can comment on or make changes to this bug.