I used preupgrade to upgrade two systems from F7 (with updates) to rawhide. On both systems, my normal user (wwoods) unexpectedly ended up with the user_u SELinux context, rather than unconfined_u. I only noticed it because su appeared to be missing.
F7 users (as in RHEL5) have a default context of user_u:system_r:unconfined_t. F8 has unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023. So I guess the problem is that we've redefined the meaning of user_u.
A workaround for affected systems: semanage login -m -s unconfined_u -r SystemLow-SystemHigh __default__ should give users the default SELinux context used for new F9 installs.
Yes we need to convert user_u to unconfined_u. This is a blocker bug. Needs to be fixed. Will could you verify that selinux-policy-3.3.1-39.fc9 fixes the problem.
Does it need to be installed as part of the upgrade from F7? (That is, do I need to wait for it to land in rawhide to test the fix?)
You can test it by executing rm -rf /etc/selinux rpm -Uhv --oldpackage selinux-policy*f7 /* Whatever F7 policy was*/ Then update to F9 policy and check to see if you login in as unconfined_u semanage login -l | grep __default__
I think the fix is confirmed. I upgraded from F7 to F9 (where my user had user_u). Next I installed the old f7 policy packages and rebooted into rescue mode (to simulate the installer). I then upgraded the system to selinux-policy-3.3.1-40.fc9. It took a *long* time for %post to run, but now everything works fine.
Yep, confirmed the fix with an upgrade to today's rawhide.