Description of problem:
Cannot run yum as unconfined_t (selinux_error: invalid context).

Version-Release number of selected component (if applicable):
selinux-policy-targeted 3.2.7-6

How reproducible:
1. Create a new user domain and give its default role access to transition to unconfined_r.
2. Log in as a user that is a member of this user domain and execute: sudo -r unconfined_r -t unconfined_t sh
3. Execute yum update.

Actual results:
type=SELINUX_ERR msg=audit(1203281421.657:32): security_compute_sid: invalid context myuserdomain:system_r:rpm_t:s0 for scontext=myuserdomain:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process

Expected results:
development 100% |=========================| 2.1 kB 00:00
primary.sqlite.bz2 100% |=========================| 5.9 MB 00:16

Additional info:
Here is the module I used for this user domain:

policy_module(myuserdomain,1.0.0)

########################################
#
# Declarations
#

userdom_base_user_template(super)
userdom_restricted_xwindows_user_template(basic)

########################################
#
# Super local policy
#

sysnet_dns_name_resolve(super_t)
corenet_all_recvfrom_unlabeled(super_t)

allow super_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(super_t)
corenet_tcp_sendrecv_all_nodes(super_t)
corenet_tcp_sendrecv_all_ports(super_t)
corenet_tcp_bind_all_nodes(super_t)
corenet_tcp_bind_all_ports(super_t)
corenet_tcp_connect_all_ports(super_t)

allow super_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_all_if(super_t)
corenet_udp_sendrecv_all_nodes(super_t)
corenet_udp_sendrecv_all_ports(super_t)
corenet_udp_bind_all_nodes(super_t)
corenet_udp_bind_all_ports(super_t)

allow super_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };

files_dontaudit_search_all_dirs(super_t)
selinux_get_enforce_mode(super_t)
seutil_domtrans_setfiles(super_t)
seutil_search_default_contexts(super_t)
logging_send_syslog_msg(super_t)
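# Continuation of the "Super local policy" section: the module header
# (policy_module(myuserdomain,...)), the userdom_* template declarations and
# the network/capability rules for super_t precede these lines in the listing.
kernel_read_system_state(super_t)
domain_dontaudit_search_all_domains_state(super_t)
domain_dontaudit_ptrace_all_domains(super_t)
userdom_dontaudit_search_sysadm_home_dirs(super_t)
userdom_dontaudit_search_generic_user_home_dirs(super_t)

# Access to other users' files is gated behind booleans that default to off:
# a super_r session gets no read or write access to unprivileged users' home
# and tmp content unless an administrator turns these on at runtime.
bool super_read_user_files false;
bool super_manage_user_files false;

if (super_read_user_files) {
	userdom_read_unpriv_users_home_content_files(super_t)
	userdom_read_unpriv_users_tmp_files(super_t)
}

if (super_manage_user_files) {
	userdom_manage_unpriv_users_home_content_dirs(super_t)
	userdom_read_unpriv_users_tmp_files(super_t)
	userdom_write_unpriv_users_tmp_files(super_t)
}

optional_policy(`
	logging_admin(super_t,super_r,{ super_devpts_t super_tty_device_t })
')

########################################
#
# Basic local policy
#

# basic_r may change role to super_r and to unconfined_r.  The second change is
# the path exercised in this report: after "sudo -r unconfined_r -t unconfined_t"
# the transition to rpm_t is computed with role system_r, so the SELinux user
# mapped to this domain must also be authorised for system_r, otherwise the
# resulting context is rejected by security_compute_sid as invalid (the
# SELINUX_ERR seen when running yum).  Note that granting the unconfined_r
# change hands these users an unconfined path, so keep the set of SELinux users
# mapped to basic_r as small as the use case allows.
userdom_role_change_template(basic, super)
userdom_role_change_template(basic, unconfined)

# Per-role application domains for basic_t.
optional_policy(`
	ut2004_per_role_template(basic, basic_t, basic_r)
')

optional_policy(`
	java_per_role_template(basic, basic_t, basic_r)
')

optional_policy(`
	mono_per_role_template(basic, basic_t, basic_r)
')

optional_policy(`
	gpg_per_role_template(basic, basic_usertype, basic_r)
')

# Desktop integration: D-Bus chat with the usual system services, utmp and
# pam_console data, and the filesystem bits a login session touches.
optional_policy(`
	hal_dbus_chat(basic_t)
')

optional_policy(`
	init_read_utmp(basic_t)
')

optional_policy(`
	auth_list_pam_console_data(basic_t)
')

optional_policy(`
	kernel_read_fs_sysctls(basic_t)
')

optional_policy(`
	files_dontaudit_getattr_boot_dirs(basic_t)
')

optional_policy(`
	files_search_mnt(basic_t)
')

# Filesystems without xattr support (removable media and the like): manage
# files and dirs, read symlinks.  fs_manage_noxattr_fs_dirs is listed once;
# the original module repeated it, which is harmless but noisy.
optional_policy(`
	fs_manage_noxattr_fs_files(basic_t)
')

optional_policy(`
	fs_manage_noxattr_fs_dirs(basic_t)
')

optional_policy(`
	fs_getattr_noxattr_fs(basic_t)
')

optional_policy(`
	fs_read_noxattr_fs_symlinks(basic_t)
')

optional_policy(`
	networkmanager_dbus_chat(basic_t)
')

optional_policy(`
	bluetooth_dbus_chat(basic_t)
')

optional_policy(`
	gnomeclock_dbus_chat(basic_t)
')

optional_policy(`
	kerneloops_dbus_chat(basic_t)
')

userdom_dontaudit_use_sysadm_terms(basic_t)

# sys_nice lets basic_t change process scheduling priority.
allow basic_t self:capability sys_nice;

# NOTE(review): by their names these expose the state and attributes of every
# domain on the system to basic_t, which is wider than a restricted desktop
# user usually needs — confirm which consumer actually requires them.
domain_read_all_domains_state(basic_t)
domain_getattr_all_domains(basic_t)

# Read-only access to kernel modules, module configuration and hwdata.
files_read_kernel_modules(basic_t)
modutils_read_module_config(basic_t)
modutils_read_module_deps(basic_t)
miscfiles_read_hwdata(basic_t)

# sudo and newrole from basic_r are what step 2 of the reproduction relies on;
# the devpts/tty types are passed so the new role can keep using the terminal.
sudo_per_role_template(basic, basic_t, basic_r)
seutil_run_newrole(basic_t, basic_r, { basic_tty_device_t basic_devpts_t })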
Solved. It is not a bug (more like a feature). It works if I add the system_r role to the user domain's SELinux user (the se-user), which also uses unconfined_r. Sorry for any inconvenience.