From: Ole Kliemann <ole@plastictree.net>
To: selinux@tycho.nsa.gov
Subject: Writing policy: default_contexts etc.
Date: Mon, 23 Jul 2012 14:49:11 +0200
Message-ID: <20120723124911.GA6980@telvanni>

I'm in the process of writing a simple policy from scratch.  
Everything works as expected, except for logins.

I have a user named tfm on my system.
/etc/selinux/mypolicy/seusers looks like:
    
    tfm:tfm_u
    root:system_u

In my policy I have a user tfm_u with the role tfm_r. tfm_r has 
several types, for example xserver_tfm_t. I also have a user 
system_u with role unconfined_r and type unconfined_t.

Using runcon I can transition from 
system_u:unconfined_r:unconfined_t to tfm_u:tfm_r:xserver_tfm_t. 

I figured I have to tell the login programs which context to 
choose per default. My login programs run as 
system_u:unconfined_r:unconfined_t, so I added to 
/etc/selinux/mypolicy/contexts/default_contexts the line

    unconfined_r:unconfined_t   tfm_r:xserver_tfm_t

I also have in /etc/selinux/mypolicy/contexts/default_type

    unconfined_r:unconfined_t
    tfm_r:xserver_tfm_t

I can log in as root and have context 
system_u:unconfined_r:unconfined_t.

I cannot log in as tfm, because:

    pam_selinux(login:session): Unable to get valid context for tfm

Apparently I am missing something, just can't find what.

In general I find it difficult to find comprehensive 
documentation about the userland tools' interaction with the 
policy configuration. On top of that, error messages are often 
uninformative. (Random example: when the file 
/etc/selinux/mypolicy/contexts/files/file_contexts is missing, 
useradd without any output exits with return code 12, which says 
'cannot create homedir' but contains no clue about the reason for 
the failure.)

So any hint on the above problem or hints on good places I could 
read up on the topic would be highly appreciated!

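
As an added example, not code from the message or from libselinux, the following Python models offline the lookup pam_selinux makes for a login: seusers gives the SELinux user, the login program's own context is reduced to role:type and matched against the first field of contexts/users/<seuser> and then default_contexts, each candidate on the matching lines is prefixed with the SELinux user and kept only if the policy accepts it, and failsafe_context is the last resort. default_type, also listed in the message, is read by newrole(1) to pick a type when only a role is given and plays no part in this path. What libselinux asks the kernel (at the time via security_compute_user(3), which also required the login program's type to be allowed a process transition to each candidate type) is stood in for by two hand-written tables marked ASSUMED, filled from what the message says about the policy; the sample files are constructed from the lines quoted in the message plus one extra candidate, and the MLS level is ignored.

```python
"""Offline model of how pam_selinux chooses a login context (added example,
not code from the message, libselinux or pam_selinux).

seusers maps the Linux login to a SELinux user; the login program's own
context is reduced to role:type and matched against the first field of
contexts/users/<seuser> and then default_contexts; the remaining fields of
matching lines are prefixed with the SELinux user and kept if the policy
accepts them; failsafe_context is the last resort.  MLS levels are ignored.
"""

from typing import Dict, List, Optional, Set, Tuple

# Constructed sample files.  The seusers lines and the first default_contexts
# candidate are the ones quoted in the message; the second candidate is added.
SEUSERS = "tfm:tfm_u\nroot:system_u\n"
DEFAULT_CONTEXTS = """\
# from_role:from_type      candidate role:type entries, most preferred first
unconfined_r:unconfined_t   tfm_r:xserver_tfm_t   unconfined_r:unconfined_t
"""
USER_CONTEXTS: Dict[str, str] = {}          # contexts/users/<seuser>, none here
FAILSAFE_CONTEXT = "unconfined_r:unconfined_t"

# ASSUMED policy, as the message describes it: user -> role -> authorized types.
# The kernel answers this from the loaded policy; here it is a table.
ASSUMED_USER_ROLES_TYPES: Dict[str, Dict[str, Set[str]]] = {
    "tfm_u": {"tfm_r": {"xserver_tfm_t"}},
    "system_u": {"unconfined_r": {"unconfined_t"}},
}
# ASSUMED (from_type, to_type) pairs allowed 'process transition'.  The kernel
# applied this when libselinux asked it for the reachable contexts; the first
# pair follows from the runcon result in the message, the second is added.
ASSUMED_TRANSITIONS: Set[Tuple[str, str]] = {
    ("unconfined_t", "xserver_tfm_t"),
    ("unconfined_t", "unconfined_t"),
}


def lookup_seuser(seusers: str, login: str) -> Optional[str]:
    """seusers(5): 'login:seuser[:level]'; '__default__' catches unknown logins."""
    table: Dict[str, str] = {}
    for line in seusers.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1]
    return table.get(login, table.get("__default__"))


def candidates_from_file(text: str, from_role_type: str) -> List[str]:
    """Fields after the first on every line whose first field equals the login
    program's role:type (default_contexts(5) format), in file order."""
    found: List[str] = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == from_role_type:
            found.extend(fields[1:])
    return found


def context_is_valid(context: str, policy=ASSUMED_USER_ROLES_TYPES) -> bool:
    """Stand-in for the kernel's check: the user has the role, the role the type."""
    user, role, typ = context.split(":")[:3]
    return typ in policy.get(user, {}).get(role, set())


def ordered_context_list(login: str, fromcon: str, *, seusers=SEUSERS,
                         default_contexts=DEFAULT_CONTEXTS,
                         user_contexts=USER_CONTEXTS, failsafe=FAILSAFE_CONTEXT,
                         policy=ASSUMED_USER_ROLES_TYPES,
                         transitions=ASSUMED_TRANSITIONS) -> List[str]:
    """Contexts `login` may receive when the login program runs as `fromcon`,
    most preferred first.  [] is the case pam_selinux reports as
    'Unable to get valid context for <login>'."""
    seuser = lookup_seuser(seusers, login)
    if seuser is None:
        return []                                 # no entry and no __default__
    _, from_role, from_type = fromcon.split(":")[:3]
    from_rt = f"{from_role}:{from_type}"
    raw = candidates_from_file(user_contexts.get(seuser, ""), from_rt)
    raw += candidates_from_file(default_contexts, from_rt)

    ordered: List[str] = []
    for entry in raw:
        parts = entry.split(":")
        if len(parts) < 2:
            continue                              # malformed entry
        con = f"{seuser}:{parts[0]}:{parts[1]}"
        if (con not in ordered and context_is_valid(con, policy)
                and (from_type, parts[1]) in transitions):
            ordered.append(con)
    if ordered:
        return ordered

    # Nothing reachable: the failsafe is prefixed with the SELinux user and
    # still rejected if the policy does not accept the resulting context.
    fallback = f"{seuser}:{failsafe}"
    return [fallback] if context_is_valid(fallback, policy) else []


if __name__ == "__main__":
    login_con = "system_u:unconfined_r:unconfined_t"   # the message's login programs
    for who in ("tfm", "root", "nobody"):
        print(who, "->", ordered_context_list(who, login_con) or "no valid context")
```

Run as a script it prints tfm -> ['tfm_u:tfm_r:xserver_tfm_t'] for the configuration quoted in the message. When this offline model yields a candidate but the real login still fails, the step the model cannot reproduce is the loaded policy's acceptance of the full context, which the libselinux utilities getconlist and getseuser exercise on the machine itself.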
