Getting in the right context
With all the information about SELinux users and roles covered, we still haven't touched on how our context is set when we log in, or how the type in a context can change.
Context switching during authentication
Traditionally, we log in to a Linux system through either a login process (triggered through a getty process) in the case of a command-line login, a network-facing service (for example, the OpenSSH daemon), or a graphical login manager (xdm, kdm, gdm, slim, and so on).
These services are responsible for switching our effective user ID (upon successful authentication, of course) so that we are not logged on to the system as the root user. On SELinux systems, these processes also need to switch the SELinux user (and role) accordingly; otherwise the session would simply inherit the security context of the login daemon itself.
In theory, all these applications can be made fully SELinux aware, consulting the information we entered through semanage user and semanage login. But instead of converting all these applications, the developers decided to take...
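The information a login program needs is the mapping from a Linux login to an SELinux user (what semanage login manages, stored in the policy's seusers file) and the roles that SELinux user is allowed to take (what semanage user manages). The following is an added example, not code from the book or from libselinux: a POSIX shell script that resolves a login name against a constructed seusers sample using the precedence libselinux applies when reading that file (an exact login entry wins, then the first matching %group entry, then the __default__ entry) and then lists the candidate roles. The seusers and role data, the user names and the group memberships are all constructed for the example; on a real system you would compare against semanage login -l, semanage user -l and id -Z. Selecting the single role and type for the initial context additionally depends on the default_contexts files, which this example deliberately does not model.

```shell
#!/bin/sh
# Constructed sample of a seusers file (the data "semanage login" writes),
# format login:seuser:mls-range. Not taken from any real system.
SEUSERS='__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
%wheel:staff_u:s0-s0:c0.c1023
alice:user_u:s0
system_u:system_u:s0-s0:c0.c1023'

# Constructed sample of the role sets "semanage user -l" would show,
# format seuser:roles (the MLS range comes from seusers, so it is omitted here).
SEUSER_ROLES='unconfined_u:system_r unconfined_r
staff_u:staff_r sysadm_r system_r
user_u:user_r
system_u:system_r'

# resolve_seuser LOGIN [GROUP ...]
# Prints "seuser range" for LOGIN, given the groups LOGIN belongs to.
# Precedence mirrors libselinux's handling of seusers: an exact login
# match returns immediately, a %group match is remembered (first one wins),
# and __default__ is used only when nothing else matched.
resolve_seuser() {
    login=$1; shift
    group_match=""; default_match=""
    while IFS=: read -r name seuser range; do
        case "$name" in
            '') continue ;;
            "$login") printf '%s %s\n' "$seuser" "$range"; return 0 ;;
            %*)
                g=${name#%}
                for ug in "$@"; do
                    if [ "$ug" = "$g" ] && [ -z "$group_match" ]; then
                        group_match="$seuser $range"
                    fi
                done ;;
            __default__) default_match="$seuser $range" ;;
        esac
    done <<EOF
$SEUSERS
EOF
    if [ -n "$group_match" ]; then printf '%s\n' "$group_match"; return 0; fi
    if [ -n "$default_match" ]; then printf '%s\n' "$default_match"; return 0; fi
    return 1
}

# seuser_roles SEUSER
# Prints the roles SEUSER may enter; these are the candidates a login
# program has to choose from when building the initial context.
seuser_roles() {
    while IFS=: read -r seuser roles; do
        [ "$seuser" = "$1" ] && { printf '%s\n' "$roles"; return 0; }
    done <<EOF
$SEUSER_ROLES
EOF
    return 1
}

# Demonstration on the constructed data: note that alice's explicit entry
# beats her wheel membership, while bob is mapped through %wheel.
for spec in "root" "alice wheel" "bob wheel" "carol users"; do
    set -- $spec
    m=$(resolve_seuser "$@") || m="(no mapping)"
    printf '%-14s -> %s ; roles: %s\n' "$spec" "$m" "$(seuser_roles "${m%% *}")"
done
```

The same precedence explains a common surprise in practice: adding a user to a group mapped with semanage login -a -s staff_u %wheel has no effect on a login that already has its own entry in seusers, and a mapping change never alters an already running session, because the context is only computed by the login program at authentication time.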