Bug 757046 - Create a new Linux user mapped in SELinux
Summary: Create a new Linux user mapped in SELinux
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: i386
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-11-25 10:55 UTC by Alessandro Lorenzi
Modified: 2011-11-29 21:09 UTC (History)
6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-29 21:09:34 UTC
Type: ---



Description Alessandro Lorenzi 2011-11-25 10:55:59 UTC
Description of problem:
The new user is mapped with unconfined_u even if I specify -Z

Version-Release number of selected component (if applicable):


How reproducible:
create a new user with -Z argument

Steps to Reproduce:
$ useradd -Z user_u foouser
$ su - foouser
$ id -Z
$ semanage login -l
[...]
foouser                  user_u                    s0
{this is okay}

  
Actual results:
$ su - foouser
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
$ su - foouser
# id -Z
user_u:unconfined_r:unconfined_t:s0

Additional info:
--

Comment 1 Daniel Walsh 2011-11-29 03:26:46 UTC
su does not change the selinux label, you have to go through a login program like sshd or login.

If you login that way, do you see the correct context?

Comment 2 Alessandro Lorenzi 2011-11-29 08:10:01 UTC
$ id -Z
user_u:user_r:user_t:s0

with ssh it works... and also logging in.

I'm wondering why it doesn't work with "su - "


thanks!
Alessandro

Comment 3 Daniel Walsh 2011-11-29 21:09:34 UTC
Because we did not want it to work under su.  We do not have pam_selinux as part of the su pam module.  The reason for this is random system apps and initrc_t script run su, and it can get SELinux confused.

The only time we set the user context is on initial login to the system.  su and sudo by default do not change the type and role.  sudo does have the ability to change the role if you set it up.
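The practical consequence of comment 3 is that a `semanage login` mapping only takes effect on paths that run pam_selinux (login, sshd, and similar), so a session reached through `su -` keeps the caller's SELinux user, role and type no matter what `semanage login -l` says. The script below is an added example, not part of the bug report or of Fedora's tooling: it compares the SELinux user in an `id -Z` context against the user that `semanage login -l` maps for the login (falling back to `__default__` the way login programs do), and checks whether a PAM service stack contains `pam_selinux.so` at all. The `semanage` table, the two contexts and the two PAM stacks are constructed samples modelled on the outputs quoted above; on a real system you would feed it live output instead.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a session really
# received the SELinux user mapped for its login, and whether a PAM stack
# even runs pam_selinux (which is what applies that mapping at login).
#
# Live use on a real box:
#   semanage login -l > /tmp/map; id -Z > /tmp/ctx
#   check_mapping "$(id -un)" "$(cat /tmp/ctx)" "$(cat /tmp/map)"
#   pam_applies_selinux "$(cat /etc/pam.d/su)"

# Constructed sample: semanage login -l output with the reporter's mapping.
SAMPLE_SEMANAGE='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
foouser              user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *'

# Constructed samples: the context the reporter saw after `su - foouser`
# (comment 0) and after an ssh login (comment 2).
CTX_AFTER_SU='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
CTX_AFTER_SSH='user_u:user_r:user_t:s0'

# Constructed sample PAM stacks: a su stack without pam_selinux (as comment 3
# describes) and an sshd stack that opens a new SELinux context at login.
PAM_SU='auth            sufficient      pam_rootok.so
auth            substack        system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
session         include         system-auth'
PAM_SSHD='auth       substack     password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    include      password-auth'

# selinux_user_of CONTEXT -> the SELinux user, i.e. the first colon field.
selinux_user_of() {
    printf '%s\n' "$1" | cut -d: -f1
}

# mapped_user LOGIN SEMANAGE_OUTPUT -> the SELinux user the table maps for
# LOGIN; falls back to the __default__ row as login programs do.
mapped_user() {
    login=$1; table=$2
    u=$(printf '%s\n' "$table" | awk -v l="$login" '$1 == l { print $2 }')
    [ -n "$u" ] || u=$(printf '%s\n' "$table" | awk '$1 == "__default__" { print $2 }')
    printf '%s\n' "$u"
}

# check_mapping LOGIN CONTEXT SEMANAGE_OUTPUT -> 0 when the session context
# carries the mapped SELinux user, 1 (with a diagnostic) when it does not.
check_mapping() {
    want=$(mapped_user "$1" "$3")
    have=$(selinux_user_of "$2")
    if [ "$want" = "$have" ]; then
        printf 'OK: %s runs as SELinux user %s\n' "$1" "$have"
        return 0
    fi
    printf 'MISMATCH: %s is mapped to %s but the session is %s\n' "$1" "$want" "$have"
    return 1
}

# pam_applies_selinux PAM_STACK_TEXT -> 0 if the stack loads pam_selinux.so.
pam_applies_selinux() {
    printf '%s\n' "$1" | grep -q 'pam_selinux\.so'
}

# Demonstration on the constructed samples.
demo() {
    check_mapping foouser "$CTX_AFTER_SU" "$SAMPLE_SEMANAGE" || :    # MISMATCH
    check_mapping foouser "$CTX_AFTER_SSH" "$SAMPLE_SEMANAGE" || :   # OK
    if pam_applies_selinux "$PAM_SU"; then
        echo "su stack: pam_selinux present, login mapping will be applied"
    else
        echo "su stack: no pam_selinux, the caller's context is kept"
    fi
    if pam_applies_selinux "$PAM_SSHD"; then
        echo "sshd stack: pam_selinux present, login mapping will be applied"
    fi
}
demo
```

The check only looks at the SELinux user field, which is what `semanage login` controls; the role and type are then derived from that user's default context. For sudo, the role/type change comment 3 refers to is configured in sudoers with the `ROLE=` and `TYPE=` settings (or requested with `sudo -r ROLE -t TYPE`) when sudo is built with SELinux support; plain `su -` offers no equivalent, so a confinement test done through `su` proves nothing about what a real login will get.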

