Bug 2124387
| Summary: | confined users staff_u are creating AVC errors when pulseaudio starts at GUI login | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Daniel Reynolds <dareynol> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | Petr Hybl <phybl> | |
| Priority: | medium | |||
| Version: | 8.6 | CC: | jafiala, lvrabec, mmalik, phybl | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | 8.8 | Flags: | pm-rhel: mirror+ | |
| Hardware: | Unspecified | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.14.3-109.el8 | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2132942 (view as bug list) | Environment: | ||
| Last Closed: | 2023-05-16 09:03:52 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
Opened up two bugs.
1. one for pulseaudio -- this
2. another for dbus -- 2124388
Feel free to close this bug if two bug reports are not helpful.

Should be resolved with using the gnome_create_home_config_dirs() interface.

SELinux denial with full auditing details:
----
type=PROCTITLE msg=audit(10/03/2022 18:19:59.393:477) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=1 name=/home/test-staff/.config nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=0 name=/home/test-staff/ inode=25197786 dev=fd:02 mode=dir,700 ouid=test-staff ogid=test-staff rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/03/2022 18:19:59.393:477) : cwd=/
type=SYSCALL msg=audit(10/03/2022 18:19:59.393:477) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55db1dc2a420 a1=0700 a2=0xffffffff a3=0x0 items=2 ppid=6693 pid=6748 auid=test-staff uid=test-staff gid=test-staff euid=test-staff suid=test-staff fsuid=test-staff egid=test-staff sgid=test-staff fsgid=test-staff tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/03/2022 18:19:59.393:477) : avc: denied { create } for pid=6748 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
# rpm -qa | grep -e selinux-policy -e pulseaudio | sort
pulseaudio-14.0-4.el8.x86_64
pulseaudio-libs-14.0-4.el8.x86_64
pulseaudio-libs-glib2-14.0-4.el8.x86_64
pulseaudio-module-bluetooth-14.0-4.el8.x86_64
pulseaudio-module-x11-14.0-4.el8.x86_64
pulseaudio-utils-14.0-4.el8.x86_64
selinux-policy-3.14.3-108.el8.noarch
selinux-policy-devel-3.14.3-108.el8.noarch
selinux-policy-doc-3.14.3-108.el8.noarch
selinux-policy-minimum-3.14.3-108.el8.noarch
selinux-policy-mls-3.14.3-108.el8.noarch
selinux-policy-sandbox-3.14.3-108.el8.noarch
selinux-policy-targeted-3.14.3-108.el8.noarch
#
The same SELinux denial was caught in permissive mode:
----
type=PROCTITLE msg=audit(10/03/2022 18:25:20.628:574) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
type=PATH msg=audit(10/03/2022 18:25:20.628:574) : item=1 name=/home/test-staff/.config inode=8425822 dev=fd:02 mode=dir,700 ouid=test-staff ogid=test-staff rdev=00:00 obj=staff_u:object_r:config_home_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/03/2022 18:25:20.628:574) : item=0 name=/home/test-staff/ inode=25197786 dev=fd:02 mode=dir,700 ouid=test-staff ogid=test-staff rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/03/2022 18:25:20.628:574) : cwd=/
type=SYSCALL msg=audit(10/03/2022 18:25:20.628:574) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x5556b84f5e20 a1=0700 a2=0xffffffff a3=0x0 items=2 ppid=9724 pid=9740 auid=test-staff uid=test-staff gid=test-staff euid=test-staff suid=test-staff fsuid=test-staff egid=test-staff sgid=test-staff fsgid=test-staff tty=(none) ses=18 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/03/2022 18:25:20.628:574) : avc: denied { create } for pid=9740 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=1
----
To backport:
commit a120005379c8629aa7b6d174d7c763e4f84fedc4 (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date: Wed Oct 5 20:36:22 2022 +0200
Allow pulseaudio create gnome content (~/.config)
The same problem is reproducible on RHEL-9.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965
Description of problem:
- Customer is migrating users to be SELinux confined users staff_u.
- When logging into GUI, SELinux AVC errors are generated.

Version-Release number of selected component (if applicable):
- pulseaudio-14.0-3.el8_6.x86_64
- selinux-policy-3.14.3-95.el8_6.4.noarch
- dbus-1.12.8-18.el8_6.1.x86_64

How reproducible:
On first GUI login

Steps to Reproduce:
1. Create test user
sudo useradd --groups wheel --selinux-user staff_u test-staff
sudo passwd test-staff XXXXX
2. Login to test-staff via GUI.
3. Show selinux AVC,AVC_USER errors
sudo ausearch -m avc,user_avc

Actual results:
$ sudo ausearch -m avc,user_avc
[snip]
----
time->Tue Sep 6 10:10:41 2022
type=PROCTITLE msg=audit(1662423041.867:247): proctitle=2F7573722F62696E2F70756C7365617564696F002D2D6461656D6F6E697A653D6E6F002D2D6C6F672D7461726765743D6A6F75726E616C
type=SYSCALL msg=audit(1662423041.867:247): arch=c000003e syscall=83 success=no exit=-13 a0=55f276de08b0 a1=1c0 a2=ffffffff a3=0 items=0 ppid=3074 pid=3094 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=5 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1662423041.867:247): avc: denied { create } for pid=3094 comm="pulseaudio" name=".config" scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
time->Tue Sep 6 10:10:42 2022
type=PROCTITLE msg=audit(1662423042.127:248): proctitle=2F7573722F62696E2F70756C7365617564696F002D2D6461656D6F6E697A653D6E6F002D2D6C6F672D7461726765743D6A6F75726E616C
type=SYSCALL msg=audit(1662423042.127:248): arch=c000003e syscall=83 success=no exit=-13 a0=558fb61e28b0 a1=1c0 a2=ffffffff a3=0 items=0 ppid=3074 pid=3167 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=5 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1662423042.127:248): avc: denied { create } for pid=3167 comm="pulseaudio" name=".config" scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
time->Tue Sep 6 10:10:42 2022
type=PROCTITLE msg=audit(1662423042.521:249): proctitle=2F7573722F62696E2F70756C7365617564696F002D2D6461656D6F6E697A653D6E6F002D2D6C6F672D7461726765743D6A6F75726E616C
type=SYSCALL msg=audit(1662423042.521:249): arch=c000003e syscall=83 success=no exit=-13 a0=5636c2cbf8b0 a1=1c0 a2=ffffffff a3=0 items=0 ppid=3074 pid=3193 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=5 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1662423042.521:249): avc: denied { create } for pid=3193 comm="pulseaudio" name=".config" scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
time->Tue Sep 6 10:10:43 2022
type=PROCTITLE msg=audit(1662423043.063:250): proctitle=2F7573722F62696E2F70756C7365617564696F002D2D6461656D6F6E697A653D6E6F002D2D6C6F672D7461726765743D6A6F75726E616C
type=SYSCALL msg=audit(1662423043.063:250): arch=c000003e syscall=83 success=no exit=-13 a0=55cdf12168b0 a1=1c0 a2=ffffffff a3=0 items=0 ppid=3074 pid=3219 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=5 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1662423043.063:250): avc: denied { create } for pid=3219 comm="pulseaudio" name=".config" scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
time->Tue Sep 6 10:10:43 2022
type=PROCTITLE msg=audit(1662423043.538:251): proctitle=2F7573722F62696E2F70756C7365617564696F002D2D6461656D6F6E697A653D6E6F002D2D6C6F672D7461726765743D6A6F75726E616C
type=SYSCALL msg=audit(1662423043.538:251): arch=c000003e syscall=83 success=no exit=-13 a0=560f960e98b0 a1=1c0 a2=ffffffff a3=0 items=0 ppid=3074 pid=3243 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=5 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1662423043.538:251): avc: denied { create } for pid=3243 comm="pulseaudio" name=".config" scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
[snip]

Expected results:
No pulseaudio related AVC errors.

Additional info:
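The raw `ausearch -m avc` records quoted in the description are hard to read without `ausearch -i`: the proctitle is hex-encoded, the syscall is a number and the exit is a raw errno. The script below is an added example (not code from this bug, from pulseaudio or from selinux-policy) that decodes such records and aggregates the denials the way a reviewer would before deciding on a policy change. `SAMPLE` is constructed from two of the events quoted above; the syscall table covers only the x86_64 number this sample needs and is an assumption of the example, and the `allow_rule()` output is the raw rule audit2allow would derive, shown for comparison with the interface-based fix (`gnome_create_home_config_dirs()`) the bug settles on.

```python
"""Decode raw ausearch AVC records into structured denials and summarize them."""
import errno
import re
from collections import Counter

ARCH_X86_64 = "c000003e"              # audit arch code for x86_64
SYSCALL_NAMES_X86_64 = {83: "mkdir"}  # partial table (assumed): only what the sample needs

# Constructed sample: two of the five events quoted in the bug description, verbatim.
SAMPLE = """\
----
time->Tue Sep 6 10:10:41 2022
type=PROCTITLE msg=audit(1662423041.867:247): proctitle=2F7573722F62696E2F70756C7365617564696F002D2D6461656D6F6E697A653D6E6F002D2D6C6F672D7461726765743D6A6F75726E616C
type=SYSCALL msg=audit(1662423041.867:247): arch=c000003e syscall=83 success=no exit=-13 a0=55f276de08b0 a1=1c0 a2=ffffffff a3=0 items=0 ppid=3074 pid=3094 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=5 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1662423041.867:247): avc:  denied  { create }  for  pid=3094 comm="pulseaudio" name=".config" scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
time->Tue Sep 6 10:10:42 2022
type=PROCTITLE msg=audit(1662423042.127:248): proctitle=2F7573722F62696E2F70756C7365617564696F002D2D6461656D6F6E697A653D6E6F002D2D6C6F672D7461726765743D6A6F75726E616C
type=SYSCALL msg=audit(1662423042.127:248): arch=c000003e syscall=83 success=no exit=-13 a0=558fb61e28b0 a1=1c0 a2=ffffffff a3=0 items=0 ppid=3074 pid=3167 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=5 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1662423042.127:248): avc:  denied  { create }  for  pid=3167 comm="pulseaudio" name=".config" scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
"""

# Header works for both raw ("1662423041.867:247") and -i ("10/03/2022 18:19:59.393:477") timestamps.
HDR_RE = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PERMS_RE = re.compile(r"denied\s*\{\s*([^}]*)\}")


def decode_proctitle(value):
    """Raw ausearch prints proctitle as hex with NUL-separated argv; -i prints plain text."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value  # already interpreted (or not hex): pass through unchanged
    return " ".join(p.decode("utf-8", "replace") for p in raw.split(b"\x00") if p)


def parse_fields(rest):
    """key=value pairs, with double-quoted values unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def parse_events(text):
    """Group records by audit serial; each event collects its SYSCALL, PROCTITLE and AVC parts."""
    events = {}
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if not m:
            continue  # '----' separators and 'time->' lines carry nothing needed here
        rtype, _ts, serial, rest = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "avc": []})
        if rtype == "AVC":
            avc = parse_fields(rest)
            pm = PERMS_RE.search(rest)
            avc["perms"] = tuple(pm.group(1).split()) if pm else ()
            ev["avc"].append(avc)
        elif rtype == "SYSCALL":
            ev["syscall"] = parse_fields(rest)
        elif rtype == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(rest.partition("proctitle=")[2].strip())
    return list(events.values())


def syscall_outcome(sc):
    """Name the syscall (x86_64 numbers only) and turn a negative exit into its errno name."""
    num = sc.get("syscall", "?")
    name = num
    if sc.get("arch") == ARCH_X86_64 and num.isdigit():
        name = SYSCALL_NAMES_X86_64.get(int(num), num)
    ex = sc.get("exit", "")
    if ex.lstrip("-").isdigit():
        code = int(ex)
        ex = "ok" if code >= 0 else errno.errorcode.get(-code, ex)
    return name, ex


def type_of(context):
    """staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 -> pulseaudio_t"""
    return context.split(":")[2]


def summarize(events):
    """Count denials by (source type, target type, class, perms, permissive?)."""
    counts = Counter()
    for ev in events:
        for avc in ev["avc"]:
            key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"],
                   avc["perms"], avc.get("permissive") == "1")
            counts[key] += 1
    return counts


def allow_rule(key):
    """The raw rule audit2allow would derive from one summary key (for comparison only)."""
    stype, ttype, tclass, perms, _permissive = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for ev in evs:
        name, ex = syscall_outcome(ev.get("syscall", {}))
        print(f"{ev['serial']}: {ev.get('proctitle')} -> {name} {ex}")
    for key, n in summarize(evs).items():
        print(f"{n}x {'permissive' if key[4] else 'enforcing'}: {allow_rule(key)}")
```

The `permissive` flag is kept in the summary key on purpose: the second batch of records in the comments (`permissive=1`, `success=yes`) is the same denial logged but not enforced, and a triage script should not count those as user-visible failures. The generated `allow pulseaudio_t config_home_t:dir { create };` line is what a local module would contain; the fix that shipped instead calls the `gnome_create_home_config_dirs()` interface, which keeps the grant tied to the policy's definition of GNOME config directories rather than to one hand-written rule.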