# SELinux default user context

## vnd

Hi everyone,

I have a little problem with my SELinux setup; more precisely, it's about setting the right default context for a system user. The story is short: I tried to set up the SELinux strict policy, but because of a lack of knowledge and time to write my own policies I decided to switch to the targeted one. I changed the policy type in the /etc/selinux/config file and tried to relabel the entire filesystem using rlpkg. When I rebooted the system, I noticed this message while logging in:

```
Would you like to enter security context? [N]
```

Using the default option, I ended up with the default context system_u:system_r:local_login_t and was unable to merge anything or change the role to sysadm_r. Next I tried to re-emerge all of the packages, including sys-libs/pam, sys-auth/pambase, sys-apps/checkpolicy, sys-apps/policycoreutils, sec-policy/selinux-base-policy and more... I also tried to clear the security context of all files and relabel the filesystem once again, with no effect. The only difference was that I was able to log in with the context system_r:system_r:kernel_t, which gave me nothing. As I remember, when I completed my previous setup of an SELinux targeted system, the root account had the context unconfined_u:unconfined_r:unconfined_t, and that is what I want to achieve. My /etc/pam.d/system-login is:

```
auth       required   pam_tally2.so onerr=succeed
auth       required   pam_shells.so
auth       required   pam_nologin.so
auth       include    system-auth
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth
account    required   pam_tally2.so onerr=succeed
password   include    system-auth
session    optional   pam_loginuid.so
session    required   pam_selinux.so close
session    required   pam_env.so
session    optional   pam_lastlog.so
session    required   pam_selinux.so multiple open
session    optional   pam_motd.so motd=/etc/motd
session    optional   pam_mail.so
```

In make.conf there is also an entry: POLICY_TYPES="targeted". The profile I use is hardened/linux/amd64/no-multilib/selinux. The system is no more than two days old, so a lot of things are set to default. Any help would be highly appreciated.

----------

## vnd

Ok... the solution was easy, but maybe it will be useful for someone else: the targeted policy requires the sec-policy/selinux-unconfined module to work properly. Strange, it wasn't added as a dependency of sec-policy/selinux-base-policy when switching to targeted mode.

----------
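A way to check for the condition described in the post above, as an added example that is not part of the original thread: it reads a copy of /etc/selinux/config and saved `semodule -l` output, and reports a targeted policy that lacks the unconfined module. The function names and sample data are constructed for illustration, and it assumes that sec-policy/selinux-unconfined provides a policy module named `unconfined`.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are files so the logic can be
# exercised without an SELinux host:
#   $1 = copy of /etc/selinux/config
#   $2 = saved output of `semodule -l`
# On a real system: semodule -l > /tmp/modules
#                   check_targeted_unconfined /etc/selinux/config /tmp/modules

# Print the SELINUXTYPE value from an SELinux config file (last one wins).
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if module $2 appears in the `semodule -l` output stored in $1.
# The first whitespace-separated field is the module name; older
# policycoreutils versions print a version number after it.
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Return 0 = ok, 1 = targeted without unconfined, 2 = not a targeted policy.
# Assumption: the module is named "unconfined".
check_targeted_unconfined() {
    ptype=$(selinux_type "$1")
    if [ "$ptype" != "targeted" ]; then
        echo "policy type is '$ptype', not targeted; check does not apply"
        return 2
    fi
    if module_loaded "$2" unconfined; then
        echo "targeted policy with unconfined module loaded"
        return 0
    fi
    echo "targeted policy but no unconfined module: install sec-policy/selinux-unconfined"
    return 1
}

# Constructed sample input (not taken from the poster's system).
demo_dir=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
printf 'base\nlocallogin\n' > "$demo_dir/modules"
check_targeted_unconfined "$demo_dir/config" "$demo_dir/modules" || true
rm -rf "$demo_dir"
```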

