Bug 1854471 - when staff_u user logs in, user pulseaudio service triggers { nnp_transition } denial
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.4
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1778780
Reported: 2020-07-07 14:13 UTC by Milos Malik
Modified: 2021-10-07 11:44 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 14:57:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Milos Malik 2020-07-07 14:13:02 UTC
Description of problem:
 * the user pulseaudio service is enabled by default
 * the SELinux denial is triggered during the start of user's GNOME environment
 * the user pulseaudio service seems to run without problems
 * but the SELINUX_ERR message is logged

Version-Release number of selected component (if applicable):
pulseaudio-13.99.1-1.el8.x86_64
pulseaudio-libs-13.99.1-1.el8.x86_64
pulseaudio-libs-glib2-13.99.1-1.el8.x86_64
pulseaudio-module-bluetooth-13.99.1-1.el8.x86_64
selinux-policy-3.14.3-48.el8.noarch
selinux-policy-devel-3.14.3-48.el8.noarch
selinux-policy-doc-3.14.3-48.el8.noarch
selinux-policy-targeted-3.14.3-48.el8.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-8.3 machine (targeted policy is active)
2. install all packages from the GNOME group
3. create a staff_u user, set password
4. log in as the user via GDM
5. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(07/07/2020 15:50:23.331:999) : proctitle=/usr/bin/pulseaudio --daemonize=no 
type=PATH msg=audit(07/07/2020 15:50:23.331:999) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8389099 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/07/2020 15:50:23.331:999) : item=0 name=/usr/bin/pulseaudio inode=413670 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/07/2020 15:50:23.331:999) : cwd=/home/staff-user 
type=EXECVE msg=audit(07/07/2020 15:50:23.331:999) : argc=2 a0=/usr/bin/pulseaudio a1=--daemonize=no 
type=SYSCALL msg=audit(07/07/2020 15:50:23.331:999) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x560ecdda8960 a1=0x560ecdd9c830 a2=0x560ecdd957f0 a3=0x560ecdd88610 items=2 ppid=10188 pid=10208 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=33 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=SELINUX_ERR msg=audit(07/07/2020 15:50:23.331:999) : op=security_bounded_transition seresult=denied oldcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 newcontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 
type=AVC msg=audit(07/07/2020 15:50:23.331:999) : avc:  denied  { nnp_transition } for  pid=10208 comm=(lseaudio) scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tclass=process2 permissive=0 
----

Expected results:
 * no SELinux denials

Additional info:
[staff-user@localhost ~]$ systemctl --user status pulseaudio
● pulseaudio.service - Sound Service
   Loaded: loaded (/usr/lib/systemd/user/pulseaudio.service; enabled; vendor pr>
   Active: active (running) since Tue 2020-07-07 15:50:23 CEST; 19min ago
 Main PID: 10208 (pulseaudio)
   CGroup: /user.slice/user-1000.slice/user/pulseaudio.service
           └─10208 /usr/bin/pulseaudio --daemonize=no
[staff-user@localhost ~]$ ps -efZ | grep pulseaudi[o]
staff_u:staff_r:staff_t:s0-s0:c0.c1023 staff-u+ 10208 10188  0 15:50 ?     00:00:00 /usr/bin/pulseaudio --daemonize=no
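To show how the AVC above maps to the policy rule that fixes it, here is an added detection script (not part of the report or of the selinux-policy project) that groups audit records by serial number, picks out nnp_transition denials together with the SELINUX_ERR bounded-transition result, and derives the allow rule that audit2allow would produce. The sample records are copies of the SELINUX_ERR and AVC lines above plus one constructed, unrelated denial that must be ignored.

```python
import re
from collections import defaultdict

# Constructed sample: the SELINUX_ERR and AVC records quoted in the report (serial 999)
# plus one unrelated, made-up denial (serial 1001) that the detector must ignore.
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(07/07/2020 15:50:23.331:999) : op=security_bounded_transition seresult=denied oldcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 newcontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023
type=AVC msg=audit(07/07/2020 15:50:23.331:999) : avc:  denied  { nnp_transition } for  pid=10208 comm=(lseaudio) scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tclass=process2 permissive=0
type=AVC msg=audit(07/07/2020 15:51:00.000:1001) : avc:  denied  { read } for  pid=4242 comm=example scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\([^)]*:(\d+)\) : (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")


def parse_records(text):
    """Group audit records by serial number (the last field inside audit(...))."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = dict(KV_RE.findall(body))
        if rtype == "AVC":  # the permission set is not a key=value pair
            pm = PERMS_RE.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        events[int(serial)].append((rtype, fields))
    return events


def domain(context):
    return context.split(":")[2]  # type field of a user:role:type[:range] context


def find_nnp_denials(text):
    """Return nnp_transition denials joined with their bounded-transition check."""
    findings = []
    for serial, records in sorted(parse_records(text).items()):
        avcs = [f for t, f in records if t == "AVC" and "nnp_transition" in f["perms"]]
        errs = [f for t, f in records if t == "SELINUX_ERR"]
        for avc in avcs:
            src, tgt = domain(avc["scontext"]), domain(avc["tcontext"])
            findings.append({
                "serial": serial,
                "source": src, "target": tgt,
                "bounded_check_denied": any(e.get("seresult") == "denied" for e in errs),
                # What audit2allow would emit; the fix in this bug adds the same rule
                # inside pulseaudio_role() with $2 standing for src.
                "rule": f"allow {src} {tgt}:process2 nnp_transition;",
            })
    return findings
```

Feeding the user_u records from comment 3 through the same function yields the matching rule for user_t, which is why one interface rule parameterised on $2 covers both cases.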

Comment 3 Milos Malik 2020-07-15 11:20:10 UTC
The user_u confined user is affected by the same issue:
----
type=PROCTITLE msg=audit(07/15/2020 13:15:15.759:715) : proctitle=/usr/bin/pulseaudio --daemonize=no 
type=PATH msg=audit(07/15/2020 13:15:15.759:715) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8620977 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/15/2020 13:15:15.759:715) : item=0 name=/usr/bin/pulseaudio inode=621720 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/15/2020 13:15:15.759:715) : cwd=/home/user-user 
type=EXECVE msg=audit(07/15/2020 13:15:15.759:715) : argc=2 a0=/usr/bin/pulseaudio a1=--daemonize=no 
type=SYSCALL msg=audit(07/15/2020 13:15:15.759:715) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55828183f330 a1=0x55828180bfa0 a2=0x55828180ae70 a3=0x55828184c460 items=2 ppid=38244 pid=38257 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=50 comm=pulseaudio exe=/usr/bin/pulseaudio subj=user_u:user_r:user_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(07/15/2020 13:15:15.759:715) : op=security_bounded_transition seresult=denied oldcontext=user_u:user_r:user_t:s0 newcontext=user_u:user_r:pulseaudio_t:s0 
type=AVC msg=audit(07/15/2020 13:15:15.759:715) : avc:  denied  { nnp_transition } for  pid=38257 comm=(lseaudio) scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:pulseaudio_t:s0 tclass=process2 permissive=0 
----

Can we fix both issues in this bug?

Comment 5 Zdenek Pytela 2021-01-08 18:33:05 UTC
Added with the following commit:
commit 1d38248f221978798c56763d7dbb6ed5390c25d3
Author: secureworkstation <60398077+secureworkstation.github.com>
Date:   Tue Jan 28 17:43:08 2020 +0100

    Allow to use nnp_transition in pulseaudio_role

diff --git a/pulseaudio.if b/pulseaudio.if
index 1e2fb9a0b..4508f98df 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -31,6 +31,7 @@ interface(`pulseaudio_role',`

        allow pulseaudio_t $2:process { signal signull };
        allow $2 pulseaudio_t:process { signal signull sigkill };
+       allow $2 pulseaudio_t:process2 nnp_transition;
        ps_process_pattern(pulseaudio_t, $2)

        allow pulseaudio_t $2:unix_stream_socket connectto;
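Review bot: the new rule applies only to the domain passed as $2 to pulseaudio_role(), so the user_u case from comment 3 is fixed only if user_t's role template calls this interface as well as staff_t's; worth confirming for both rather than assuming. The rule itself is consistent with the AVC in the description (source domain, pulseaudio_t, tclass=process2, nnp_transition) and is the expected way to permit the transition under NoNewPrivileges when no typebounds relationship exists, which is what the SELINUX_ERR op=security_bounded_transition record reports as denied.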

Comment 13 errata-xmlrpc 2021-05-18 14:57:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639

