On Thu, 2007-12-20 at 06:34 -0800, Tom London wrote:
> More from today's update, this time running permissive:
>
> type=SELINUX_ERR msg=audit(1198161003.852:35): security_compute_sid:
> invalid context unconfined_u:unconfined_r:useradd_t:s0 for
> scontext=unconfined_u:unconfined_r:rpm_script_t:s0
> tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1198161003.852:35): arch=40000003 syscall=11
> success=yes exit=0 a0=81c0ee8 a1=81c0248 a2=81bfbc8 a3=0 items=0
> ppid=4036 pid=4037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd"
> subj=unconfined_u:unconfined_r:useradd_t:s0 key=(null)
> type=USER_CHAUTHTOK msg=audit(1198161003.958:36): user pid=4037 uid=0
> auid=500 subj=unconfined_u:unconfined_r:useradd_t:s0 msg='op=adding
> user acct=gdm exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=?
> res=failed)'
> type=SELINUX_ERR msg=audit(1198161003.960:37): security_compute_sid:
> invalid context unconfined_u:unconfined_r:useradd_t:s0 for
> scontext=unconfined_u:unconfined_r:rpm_script_t:s0
> tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1198161003.960:37): arch=40000003 syscall=11
> success=yes exit=0 a0=81c0058 a1=81bfda0 a2=81bfe38 a3=0 items=0
> ppid=4036 pid=4038 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="usermod" exe="/usr/sbin/usermod"
> subj=unconfined_u:unconfined_r:useradd_t:s0 key=(null)
> type=USER_CHAUTHTOK msg=audit(1198161003.993:38): user pid=4038 uid=0
> auid=500 subj=unconfined_u:unconfined_r:useradd_t:s0 msg='op=changing
> user shell acct=gdm exe="/usr/sbin/usermod" (hostname=?, addr=?,
> terminal=? res=success)'
>
> from around here:
> Updating : gtk2-devel ####################### [19/62]
> Updating : gdm ####################### [20/62]
> Updating : ipsec-tools ####################### [21/62]
>
>
> I'd like to understand the issue here.
>
> Is the error message saying that a transition to
> unconfined_u:unconfined_r:useradd_t:s0 from
> scontext=unconfined_u:unconfined_r:rpm_script_t:s0 hasn't been allowed?

It means that the new context computed by a transition rule (e.g. a type, role, and/or range transition rule) in the policy upon execution of a program is not a valid context, i.e. the user isn't authorized for the role or the role isn't authorized for the type or the user isn't authorized for the range.

These kinds of errors were automatically turned into role ... types ...; rules by the old audit2allow, pre-sepolgen. That's a regression in the new audit2allow/sepolgen.

-- 
Stephen Smalley
National Security Agency
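
Added example (not part of the original thread, and not audit2allow or sepolgen code): a Python sketch of the conversion described in the reply above. It pulls security_compute_sid "invalid context" records out of audit text, reports which parts of the computed context differ from scontext, and emits a candidate role ... types ...; rule. It assumes the role/type pairing is the failing check; all function names are made up for the example.

```python
import re

# Two SELINUX_ERR records from the quoted excerpt (mail wrapping undone),
# plus a trimmed SYSCALL record that must be ignored.
_ERR = ("type=SELINUX_ERR msg=audit({stamp}): security_compute_sid: "
        "invalid context unconfined_u:unconfined_r:useradd_t:s0 for "
        "scontext=unconfined_u:unconfined_r:rpm_script_t:s0 "
        "tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process\n")
SAMPLE_AUDIT = (
    _ERR.format(stamp="1198161003.852:35")
    + 'type=SYSCALL msg=audit(1198161003.852:35): arch=40000003 syscall=11 comm="useradd"\n'
    + _ERR.format(stamp="1198161003.960:37")
)

INVALID_CTX = re.compile(
    r"type=SELINUX_ERR\s+msg=audit\((?P<stamp>[\d.]+:\d+)\):\s+"
    r"security_compute_sid:\s+invalid\s+context\s+(?P<new>\S+)\s+for\s+"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)
FIELDS = ("user", "role", "type", "range")

def split_context(ctx):
    # An MLS range may itself contain ':' (e.g. s0-s0:c0.c1023): split at most 3 times.
    return dict(zip(FIELDS, ctx.split(":", 3)))

def parse_invalid_contexts(text):
    records = []
    for m in INVALID_CTX.finditer(text):
        new, src = split_context(m["new"]), split_context(m["s"])
        records.append({
            "stamp": m["stamp"], "new": new, "scontext": src,
            "tcontext": split_context(m["t"]), "tclass": m["cls"],
            # Parts of the computed context that differ from the caller's context.
            "changed": [f for f in FIELDS if new.get(f) != src.get(f)],
        })
    return records

def candidate_rules(records):
    # Assumption: the role is not authorized for the type. User/role and
    # user/range failures need different policy statements.
    return sorted({f"role {r['new']['role']} types {r['new']['type']};" for r in records})

if __name__ == "__main__":
    recs = parse_invalid_contexts(SAMPLE_AUDIT)
    for rec in recs:
        print(rec["stamp"], "changed:", rec["changed"])
    print("\n".join(candidate_rules(recs)))
```

Any rule it prints is a candidate to review against the policy, not something to load unread.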