libselinux: *with_level functions do not actually apply the provided level

[FilippoBonazziSUSE]

Hi,

in the context of bsc#1259191 I have been looking into the *with_level functions of libselinux:

int get_ordered_context_list_with_level(const char *user, const char *level, const char *fromcon, char ***list);
int get_default_context_with_level(const char *user, const char *level, const char *fromcon, char **newcon);

The function names and the man page seem to suggest that these functions should apply the provided level parameter to the context. However, in my testing with libselinux-3.10, this does not happen: both functions return the context without an applied level.

Simple example:

    ret = get_default_context_with_level(seuser, level, NULL, &newcon_with_level);
    ret = get_default_context(seuser, NULL, &newcon_without_level);

newcon_with_level and newcon_without_level should be different, but they are identical.

Am I misunderstanding something?

[bachradsusi]

This explanation is based on Fedora:

The fromcon parameter may be NULL to indicate that the current context should be used.

I guess it would be unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 .
Lets say seuser is staff_u. Looking into /etc/selinux/targeted/contexts/users/staff_u there's no line which start with unconfined_r:unconfined_t:s0 i.e. no default context defined when you transition from unconfined_r:unconfined_t:s0. Also /etc/selinux/targeted/contexts/default_contexts has no such line and therefore /etc/selinux/targeted/contexts/failsafe_context is used as fallback, but this context is used as is, no level substitution.

If you used fromcon where the default context is defined, e.g. system_u:system_r:sshd_t:s0-s0:c0.c1023 you would get different results:

[root@default-0 ~]# grep system_r:sshd_t /etc/selinux/targeted/contexts/users/staff_u 
system_r:sshd_t:s0              staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
[root@default-0 ~]# python3
>>> import selinux
>>> selinux.get_default_context_with_level("staff_u", "s0:c100", "system_u:system_r:sshd_t:s0:c0.c1023")
[0, 'staff_u:staff_r:staff_t:s0:c100']
>>> selinux.get_default_context("staff_u", "system_u:system_r:sshd_t:s0:c0.c1023")
[0, 'staff_u:staff_r:staff_t:s0:c0.c1023']