Summary: | sec-policy/selinux-base: Wrong fcontext of "/root" | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | David Sardari <d> |
Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
Status: | UNCONFIRMED --- | ||
Severity: | normal | CC: | d, gentoo |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
David Sardari
2023-04-30 10:22:51 UTC
Unless I'm missing something, I'm not able to reproduce this.

---

```
# grep SELINUXTYPE= /etc/selinux/config
SELINUXTYPE=mcs

# emerge --info selinux-base
[...]
sec-policy/selinux-base-2.20221101-r4::gentoo was built with the following:
USE="systemd ubac unconfined unknown-perms userland_GNU -doc"

# matchpathcon /root
/root   root:object_r:user_home_dir_t:s0

# matchpathcon /home/concord
/home/concord   unconfined_u:object_r:user_home_dir_t:s0

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
concord              unconfined_u         s0-s0                *
root                 root                 s0-s0                *
```

---

I don't know what I do differently. In another test installation, I face the same problem. Removing "-e '/root/d' -e " fixes the issue:

https://github.com/gentoo-mirror/gentoo/blob/009c813d340e60a982d7cb0dd286c51b67756a01/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild#L103

Then, the "seusers" files have the following content where the linux starting with "root" isn't missing:

```
❯ find / -xdev -name seusers | xargs head -n 99
==> /etc/selinux/mcs/seusers <==
root:root:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0

==> /var/lib/selinux/mcs/active/seusers <==
root:root:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0
```

I meant "... where the lines* starting...".

@concord Apparently, the "sed" line doesn't get applied in your case. I have:

```
❯ semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0                *
david                staff_u              s0-s0:c0.c1023       *
root                 root                 s0-s0:c0.c1023       *
```

.... using the fix by removing "-e '/root/d' -e ".
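The following is an added example, not part of the bug thread or the ebuild: it applies only the quoted fragment `-e '/root/d'` to the seusers content shown above and resolves which mapping the login `root` ends up with. The names `SEUSERS_SAMPLE`, `strip_root` and `resolve_seuser` are hypothetical, the `alice` line in the comment is constructed, and the lookup is simplified to an exact login match with fallback to `__default__` (`%group` entries are not handled).

```shell
#!/bin/sh
# Constructed sample: the seusers content quoted in the thread.
SEUSERS_SAMPLE='root:root:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0'

# Apply only the sed fragment quoted in the thread. The rest of the ebuild's
# sed command is not shown on the page and is not reproduced here.
# The pattern is unanchored, so it deletes every line containing "root",
# e.g. a constructed line such as "alice:root:s0-s0" as well.
strip_root() {
    printf '%s\n' "$1" | sed -e '/root/d'
}

# Resolve a Linux login to "seuser:range" from seusers text (hypothetical
# helper). The range itself may contain ":" (s0-s0:c0.c1023), so the value
# is taken as everything after the first field rather than split on ":".
resolve_seuser() {
    login=$1
    printf '%s\n' "$2" | awk -F: -v login="$login" '
        /^[ \t]*#/ { next }                     # skip comments
        /^[ \t]*$/ { next }                     # skip blank lines
        { rest = substr($0, length($1) + 2) }   # text after "login:"
        $1 == login         { exact = rest }
        $1 == "__default__" { dflt = rest }
        END {
            if (exact != "")     print exact
            else if (dflt != "") print dflt
            else                 exit 1         # no mapping at all
        }'
}

before=$(resolve_seuser root "$SEUSERS_SAMPLE")
after=$(resolve_seuser root "$(strip_root "$SEUSERS_SAMPLE")")
echo "root mapping with the root line present: $before"
echo "root mapping after sed -e '/root/d':     $after"
```

Running the same `resolve_seuser` lookup over `/etc/selinux/mcs/seusers` and `/var/lib/selinux/mcs/active/seusers` shows whether an installed system has kept its `root` line.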