Bug 2132942
| Summary: | confined users staff_u generate SELinux denials when pulseaudio starts at GUI login | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Nikola Knazekova <nknazeko> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.1 | CC: | dareynol, lvrabec, mmalik, zpytela |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-38.1.3-1.el9 | Doc Type: | Bug Fix |
| Doc Text: | Cause: Policy does not allow some permissions needed when a confined user logs in using GUI. Consequence: AVC denials are audited and some services do not work properly. Fix: Allow rules were added to selinux-policy for confined users to dbus chat with rhsmcertd and to allow creating content in ~/.config. Result: Users can log in without a reported denial. | Story Points: | --- |
| Clone Of: | 2124387 | Environment: | |
| Last Closed: | 2023-05-09 08:16:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description by Milos Malik, 2022-10-07 09:24:37 UTC
Actual results (permissive mode):
----
type=PROCTITLE msg=audit(10/07/2022 11:36:58.747:1744) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
type=PATH msg=audit(10/07/2022 11:36:58.747:1744) : item=1 name=/home/staff-user/.config inode=25945527 dev=fd:02 mode=dir,700 ouid=staff-user ogid=staff-user rdev=00:00 obj=staff_u:object_r:config_home_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/07/2022 11:36:58.747:1744) : item=0 name=/home/staff-user/ inode=564098 dev=fd:02 mode=dir,700 ouid=staff-user ogid=staff-user rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/07/2022 11:36:58.747:1744) : cwd=/
type=SYSCALL msg=audit(10/07/2022 11:36:58.747:1744) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x556b10355390 a1=0700 a2=0xffffffff a3=0x7f44500ff3e0 items=2 ppid=20514 pid=20536 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/07/2022 11:36:58.747:1744) : avc: denied { create } for pid=20536 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(10/07/2022 11:36:58.756:1745) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
type=PATH msg=audit(10/07/2022 11:36:58.756:1745) : item=0 name=/run/user/1000/bus inode=40 dev=00:3c mode=socket,666 ouid=staff-user ogid=staff-user rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(10/07/2022 11:36:58.756:1745) : cwd=/
type=SOCKADDR msg=audit(10/07/2022 11:36:58.756:1745) : saddr={ saddr_fam=local path=/run/user/1000/bus }
type=SYSCALL msg=audit(10/07/2022 11:36:58.756:1745) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xf a1=0x7ffd70fd9ca0 a2=0x14 a3=0x556b1037a530 items=1 ppid=20514 pid=20536 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/07/2022 11:36:58.756:1745) : avc: denied { write } for pid=20536 comm=pulseaudio name=bus dev="tmpfs" ino=40 scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
----
[staff-user@localhost ~]$ systemctl --user status pulseaudio.service --no-pager
● pulseaudio.service - Sound Service
     Loaded: loaded (/usr/lib/systemd/user/pulseaudio.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-10-07 11:36:58 CEST; 3min 17s ago
TriggeredBy: ● pulseaudio.socket
   Main PID: 20536 (pulseaudio)
      Tasks: 3 (limit: 11036)
     Memory: 7.4M
        CPU: 102ms
     CGroup: /user.slice/user-1000.slice/user/session.slice/pulseaudio.service
             └─20536 /usr/bin/pulseaudio --daemonize=no --log-target=journal

Oct 07 11:36:58 localhost.localdomain systemd[20514]: Starting Sound Service...
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Disabling timer-based scheduling because running inside a VM.
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Disabling timer-based scheduling because running inside a VM.
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Failed to open cookie file '/home/staff-user/.config/pulse/cookie': No such file or directory
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Failed to load authentication key '/home/staff-user/.config/pulse/cookie': No such file or directory
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Failed to open cookie file '/home/staff-user/.pulse-cookie': No such file or directory
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Failed to load authentication key '/home/staff-user/.pulse-cookie': No such file or directory
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: stat('/etc/pulse/default.pa.d'): No such file or directory
Oct 07 11:36:58 localhost.localdomain systemd[20514]: Started Sound Service.
Oct 07 11:37:23 localhost.localdomain pulseaudio[20536]: GetManagedObjects() failed: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: …n was broken.
Hint: Some lines were ellipsized, use -l to show in full.
[staff-user@localhost ~]$
commit a120005379c8629aa7b6d174d7c763e4f84fedc4
Author: Zdenek Pytela <zpytela>
Date: Wed Oct 5 20:36:22 2022 +0200
Allow pulseaudio create gnome content (~/.config)
Addresses the following AVC denial:
type=PROCTITLE msg=audit(10/03/2022 18:19:59.393:477) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=1 name=/home/username/.config nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=0 name=/home/username/ inode=25197786 dev=fd:02 mode=dir,700 ouid=username ogid=username rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(10/03/2022 18:19:59.393:477) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55db1dc2a420 a1=0700 a2=0xffffffff a3=0x0 items=2 ppid=6693 pid=6748 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/03/2022 18:19:59.393:477) : avc: denied { create } for pid=6748 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
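The report above contains three AVC records: two audited in permissive mode (permissive=1, the mkdir and connect syscalls succeeded) and one from the commit message that actually blocked the mkdir (permissive=0, exit=EACCES). The following triage script is an added example, not code from the bug report or from selinux-policy. It parses interpreted AVC lines of the kind `ausearch -m AVC -i` prints, extracts the source type, target type and object class, merges the denials into candidate allow rules in the form audit2allow would print them, and checks which denials a given rule set covers so that a verifier can confirm a fix addresses every recorded denial. The three AVC lines embedded below are copied from this page; the rule strings and function names are the example's own. The dbus chat with rhsmcertd mentioned in the Doc Text is not visible in these records, so the script cannot derive that rule from them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three AVC records quoted in this bug report, embedded inline so the
# script runs offline. The first two were logged in permissive mode; the
# third (from the commit message) was an enforcing-mode denial.
SAMPLE_AVCS = """\
type=AVC msg=audit(10/07/2022 11:36:58.747:1744) : avc: denied { create } for pid=20536 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(10/07/2022 11:36:58.756:1745) : avc: denied { write } for pid=20536 comm=pulseaudio name=bus dev="tmpfs" ino=40 scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(10/03/2022 18:19:59.393:477) : avc: denied { create } for pid=6748 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
"""

# Field order in an AVC record is fixed: decision, permission set, comm,
# scontext, tcontext, tclass, then (on newer kernels) the permissive flag.
# comm may be quoted in raw output and unquoted in interpreted output.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\scomm=\"?(?P<comm>[^\"\s]+)\"?.*?"
    r"\sscontext=(?P<scontext>\S+).*?"
    r"\stcontext=(?P<tcontext>\S+).*?"
    r"\stclass=(?P<tclass>\S+)"
    r"(?:.*?\spermissive=(?P<permissive>[01]))?"
)

# An allow rule as audit2allow prints it: single permission or a braced set.
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+?)\s*\}|(\S+?));")


@dataclass(frozen=True)
class AvcRecord:
    decision: str
    perms: Tuple[str, ...]
    comm: str
    stype: str
    ttype: str
    tclass: str
    permissive: bool


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type, the only part an allow rule names."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return the parsed record, or None for non-AVC lines (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcRecord(
        decision=m["decision"],
        perms=tuple(sorted(m["perms"].split())),
        comm=m["comm"],
        stype=context_type(m["scontext"]),
        ttype=context_type(m["tcontext"]),
        tclass=m["tclass"],
        permissive=m["permissive"] == "1",
    )


def parse_avcs(text: str) -> List[AvcRecord]:
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def suggest_rules(records: List[AvcRecord]) -> List[str]:
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for r in records:
        if r.decision == "denied":
            merged[(r.stype, r.ttype, r.tclass)].update(r.perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        body = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def rule_covers(rule: str, record: AvcRecord) -> bool:
    """True when the allow rule grants every permission the record was denied."""
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"not an allow rule: {rule!r}")
    stype, ttype, tclass, multi, single = m.groups()
    granted = set((multi or single).split())
    return (stype, ttype, tclass) == (record.stype, record.ttype, record.tclass) \
        and set(record.perms) <= granted


def uncovered(records: List[AvcRecord], rules: List[str]) -> List[AvcRecord]:
    """Denials no rule in `rules` allows: what would still be audited after a fix."""
    return [r for r in records
            if r.decision == "denied" and not any(rule_covers(x, r) for x in rules)]


def enforcing_impact(records: List[AvcRecord]):
    """Split denials into audited-only (permissive=1) and actually blocked (permissive=0)."""
    denied = [r for r in records if r.decision == "denied"]
    return [r for r in denied if r.permissive], [r for r in denied if not r.permissive]


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    for rule in suggest_rules(recs):
        print(rule)
    audited, blocked = enforcing_impact(recs)
    print(f"{len(audited)} denial(s) audited only, {len(blocked)} actually blocked")
```

Feeding the script a fresh `ausearch -m AVC -i` capture taken after the policy update and checking that `uncovered()` returns an empty list against the rules the new policy adds is the same check this bug's verification performs by hand: no AVC left for the login sequence. Note that `suggest_rules()` only reflects what was recorded; a rule set derived this way should still be reviewed against the target types involved (here a user-owned config directory and a session bus socket) before it is shipped, which is what the selinux-policy commit does by using the existing gnome and dbus interfaces rather than raw allow rules.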
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483