Bug 2132942 - confined users staff_u generate SELinux denials when pulseaudio starts at GUI login
Summary: confined users staff_u generate SELinux denials when pulseaudio starts at GUI...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nikola Knazekova
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-10-07 09:24 UTC by Milos Malik
Modified: 2023-05-09 10:20 UTC (History)
CC List: 4 users

Fixed In Version: selinux-policy-38.1.3-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: Policy does not allow some permissions needed when a confined user logs in using the GUI. Consequence: AVC denials are audited and some services do not work properly. Fix: Allow rules were added to selinux-policy for confined users to dbus chat with rhsmcertd and to allow creating content in ~/.config. Result: Users can log in without a reported denial.
Clone Of: 2124387
Environment:
Last Closed: 2023-05-09 08:16:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-135904 0 None None None 2022-10-07 10:01:39 UTC
Red Hat Product Errata RHBA-2023:2483 0 None None None 2023-05-09 08:17:08 UTC

Description Milos Malik 2022-10-07 09:24:37 UTC
+++ This bug was initially created as a clone of Bug #2124387 +++

Description of problem:
When a SELinux confined user staff_u logs into GUI, SELinux AVC errors are generated.

Version-Release number of selected component (if applicable):
pulseaudio-15.0-2.el9.x86_64
pulseaudio-libs-15.0-2.el9.x86_64
pulseaudio-libs-glib2-15.0-2.el9.x86_64
pulseaudio-module-bluetooth-15.0-2.el9.x86_64
pulseaudio-module-x11-15.0-2.el9.x86_64
pulseaudio-utils-15.0-2.el9.x86_64
selinux-policy-34.1.43-1.el9.noarch
selinux-policy-devel-34.1.43-1.el9.noarch
selinux-policy-doc-34.1.43-1.el9.noarch
selinux-policy-mls-34.1.43-1.el9.noarch
selinux-policy-targeted-34.1.43-1.el9.noarch

How reproducible: on first GUI login

Steps to Reproduce:
1. Create a test user
    sudo useradd --groups wheel --selinux-user staff_u staff-user
    sudo passwd staff-user XXXXX

2. Log in as staff-user via GUI

3. Search for SELinux denials:
    sudo ausearch -m avc,user_avc

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(10/07/2022 11:13:04.685:416) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal 
type=PATH msg=audit(10/07/2022 11:13:04.685:416) : item=1 name=/home/staff-user/.config nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(10/07/2022 11:13:04.685:416) : item=0 name=/home/staff-user/ inode=564098 dev=fd:02 mode=dir,700 ouid=staff-user ogid=staff-user rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/07/2022 11:13:04.685:416) : cwd=/ 
type=SYSCALL msg=audit(10/07/2022 11:13:04.685:416) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x5617553f6390 a1=0700 a2=0xffffffff a3=0x7f3d5c7cf3e0 items=2 ppid=4088 pid=4188 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=6 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/07/2022 11:13:04.685:416) : avc:  denied  { create } for  pid=4188 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0 
----

Expected results:
No pulseaudio related SELinux denials.

Comment 1 Milos Malik 2022-10-07 09:41:41 UTC
Actual results (permissive mode):
----
type=PROCTITLE msg=audit(10/07/2022 11:36:58.747:1744) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal 
type=PATH msg=audit(10/07/2022 11:36:58.747:1744) : item=1 name=/home/staff-user/.config inode=25945527 dev=fd:02 mode=dir,700 ouid=staff-user ogid=staff-user rdev=00:00 obj=staff_u:object_r:config_home_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(10/07/2022 11:36:58.747:1744) : item=0 name=/home/staff-user/ inode=564098 dev=fd:02 mode=dir,700 ouid=staff-user ogid=staff-user rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/07/2022 11:36:58.747:1744) : cwd=/ 
type=SYSCALL msg=audit(10/07/2022 11:36:58.747:1744) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x556b10355390 a1=0700 a2=0xffffffff a3=0x7f44500ff3e0 items=2 ppid=20514 pid=20536 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/07/2022 11:36:58.747:1744) : avc:  denied  { create } for  pid=20536 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(10/07/2022 11:36:58.756:1745) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal 
type=PATH msg=audit(10/07/2022 11:36:58.756:1745) : item=0 name=/run/user/1000/bus inode=40 dev=00:3c mode=socket,666 ouid=staff-user ogid=staff-user rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/07/2022 11:36:58.756:1745) : cwd=/ 
type=SOCKADDR msg=audit(10/07/2022 11:36:58.756:1745) : saddr={ saddr_fam=local path=/run/user/1000/bus } 
type=SYSCALL msg=audit(10/07/2022 11:36:58.756:1745) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xf a1=0x7ffd70fd9ca0 a2=0x14 a3=0x556b1037a530 items=1 ppid=20514 pid=20536 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/07/2022 11:36:58.756:1745) : avc:  denied  { write } for  pid=20536 comm=pulseaudio name=bus dev="tmpfs" ino=40 scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1 
----

[staff-user@localhost ~]$ systemctl --user status pulseaudio.service --no-pager
● pulseaudio.service - Sound Service
     Loaded: loaded (/usr/lib/systemd/user/pulseaudio.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-10-07 11:36:58 CEST; 3min 17s ago
TriggeredBy: ● pulseaudio.socket
   Main PID: 20536 (pulseaudio)
      Tasks: 3 (limit: 11036)
     Memory: 7.4M
        CPU: 102ms
     CGroup: /user.slice/user-1000.slice/user/session.slice/pulseaudio.service
             └─20536 /usr/bin/pulseaudio --daemonize=no --log-target=journal

Oct 07 11:36:58 localhost.localdomain systemd[20514]: Starting Sound Service...
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Disabling timer-based scheduling because running inside a VM.
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Disabling timer-based scheduling because running inside a VM.
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Failed to open cookie file '/home/staff-user/.config/pulse/cookie': No such file or directory
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Failed to load authentication key '/home/staff-user/.config/pulse/cookie': No such file or directory
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Failed to open cookie file '/home/staff-user/.pulse-cookie': No such file or directory
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: Failed to load authentication key '/home/staff-user/.pulse-cookie': No such file or directory
Oct 07 11:36:58 localhost.localdomain pulseaudio[20536]: stat('/etc/pulse/default.pa.d'): No such file or directory
Oct 07 11:36:58 localhost.localdomain systemd[20514]: Started Sound Service.
Oct 07 11:37:23 localhost.localdomain pulseaudio[20536]: GetManagedObjects() failed: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: …n was broken.
Hint: Some lines were ellipsized, use -l to show in full.
[staff-user@localhost ~]$

Comment 3 Nikola Knazekova 2022-10-11 15:48:47 UTC
commit a120005379c8629aa7b6d174d7c763e4f84fedc4
Author: Zdenek Pytela <zpytela>
Date:   Wed Oct 5 20:36:22 2022 +0200

    Allow pulseaudio create gnome content (~/.config)
    
    Addresses the following AVC denial:
    
    type=PROCTITLE msg=audit(10/03/2022 18:19:59.393:477) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
    type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=1 name=/home/username/.config nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=0 name=/home/username/ inode=25197786 dev=fd:02 mode=dir,700 ouid=username ogid=username rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=SYSCALL msg=audit(10/03/2022 18:19:59.393:477) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55db1dc2a420 a1=0700 a2=0xffffffff a3=0x0 items=2 ppid=6693 pid=6748 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(10/03/2022 18:19:59.393:477) : avc:  denied  { create } for  pid=6748 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
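
The reproduction steps in the Description end with `ausearch -m avc,user_avc`, and the commit above addresses one of the denials that search returns. The following script is an added example (not code from this report or from selinux-policy) that shows how to turn such AVC records into the allow rules they call for, the way audit2allow does: parse each `type=AVC` line, take the source and target types out of the contexts, merge permissions per (source, target, class), and separate what was denied in enforcing mode from what was only logged in permissive mode. The sample input is the three AVC lines quoted in this bug (constructed inline so the script runs offline); the resulting rules are what a local module would need, not the upstream patch, which the commit title indicates was done through the policy's gnome interfaces.

```python
"""Derive SELinux allow rules from AVC denial records (ausearch output).

Added example, not part of the Bugzilla report or of selinux-policy. The
sample records below are copied from the report's Description (enforcing
run) and Comment 1 (permissive run).
"""
import re
from collections import defaultdict

# Constructed sample: only the AVC lines of the audited events are kept,
# because the AVC line alone carries the contexts and the denied permission.
SAMPLE_AVCS = """\
type=AVC msg=audit(10/07/2022 11:13:04.685:416) : avc:  denied  { create } for  pid=4188 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(10/07/2022 11:36:58.747:1744) : avc:  denied  { create } for  pid=20536 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(10/07/2022 11:36:58.756:1745) : avc:  denied  { write } for  pid=20536 comm=pulseaudio name=bus dev="tmpfs" ino=40 scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." is the part we care about.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is the third field.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    fields["permissive"] = fields.get("permissive") == "1"
    return fields


def derive_allow_rules(audit_text, comm=None):
    """Collapse denials into 'allow src tgt:class { perms };' rules.

    Denials sharing (source type, target type, class) are merged, as
    audit2allow does. comm= restricts the output to one process name, which
    is how you separate pulseaudio's denials from other noise in the log.
    """
    perms = defaultdict(set)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None or (comm and avc.get("comm") != comm):
            continue
        perms[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


def denials_by_mode(audit_text, comm=None):
    """Return (enforced, permissive) sorted lists of (stype, ttype, tclass, perm).

    The enforcing-mode run stops at the first failure (here the mkdir of
    ~/.config), while the permissive-mode run logs everything the process
    would have needed, so the two lists usually differ.
    """
    enforced, permissive = set(), set()
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None or (comm and avc.get("comm") != comm):
            continue
        for p in avc["perms"]:
            key = (avc["stype"], avc["ttype"], avc["tclass"], p)
            (permissive if avc["permissive"] else enforced).add(key)
    return sorted(enforced), sorted(permissive)


if __name__ == "__main__":
    # Usage: python3 this.py  (or pipe `sudo ausearch -m avc,user_avc` into
    # derive_allow_rules via sys.stdin.read() on a real host).
    for rule in derive_allow_rules(SAMPLE_AVCS, comm="pulseaudio"):
        print(rule)
```

Note what the target type tells you before loading any rule: the denied `mkdir` of `~/.config` reports `tcontext=...config_home_t`, not the parent's `user_home_dir_t`, because a type transition labels the new directory `config_home_t`; the rule therefore has to name `config_home_t`, which is the "~/.config" content the commit title refers to. The dbus chat with rhsmcertd mentioned in the Doc Text does not appear in the AVC lines quoted here, so this script cannot derive it from this sample.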

Comment 28 errata-xmlrpc 2023-05-09 08:16:52 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483

