Bug 433240 - security_compute_sid: invalid context
Summary: security_compute_sid: invalid context
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-02-17 23:08 UTC by Dominick Grift
Modified: 2008-02-18 16:58 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-18 16:58:24 UTC
Type: ---
Embargoed:



Description Dominick Grift 2008-02-17 23:08:14 UTC
Description of problem:
Cannot run yum after switching from a custom user domain into unconfined_r:unconfined_t; the kernel logs SELINUX_ERR "security_compute_sid: invalid context" and the rpm domain transition fails.

Version-Release number of selected component (if applicable):
selinux-policy-targeted 3.2.7-6

How reproducible:

1.
Create a new user domain (module attached below) and allow its default role, basic_r, to change role to unconfined_r (userdom_role_change_template(basic, unconfined)).

2.
Log in as a Linux user mapped to this SELinux user and execute: sudo -r
unconfined_r -t unconfined_t sh

3.
execute yum update

  
Actual results:
type=SELINUX_ERR msg=audit(1203281421.657:32): security_compute_sid:  invalid
context myuserdomain:system_r:rpm_t:s0 for
scontext=myuserdomain:unconfined_r:unconfined_t:s0
tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process

Expected results:
development               100% |=========================| 2.1 kB    00:00     
primary.sqlite.bz2        100% |=========================| 5.9 MB    00:16

Additional info:
Here is the module i used for this user domain:

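policy_module(myuserdomain,1.0.0)

########################################
#
# Declarations
#
# Two user domains are declared:
#   super - a privileged domain (super_t / super_r) built on the base user
#           template; it is reachable from basic_r via the role change
#           template further down.
#   basic - the default login domain (basic_t / basic_r), a restricted
#           X Windows user.
userdom_base_user_template(super)
userdom_restricted_xwindows_user_template(basic)

########################################
#
# Super local policy
#
# NOTE(review): super_t is granted send/recv/bind/connect on all interfaces,
# nodes and ports plus dac_override, dac_read_search and sys_ptrace.  That is
# a wide grant for a login domain, so keep the SELinux users authorized for
# super_r to the minimum.
sysnet_dns_name_resolve(super_t)
corenet_all_recvfrom_unlabeled(super_t)

# TCP: unrestricted create / bind / connect.
allow super_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(super_t)
corenet_tcp_sendrecv_all_nodes(super_t)
corenet_tcp_sendrecv_all_ports(super_t)
corenet_tcp_bind_all_nodes(super_t)
corenet_tcp_bind_all_ports(super_t)
corenet_tcp_connect_all_ports(super_t)

# UDP: unrestricted create / bind.
allow super_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_all_if(super_t)
corenet_udp_sendrecv_all_nodes(super_t)
corenet_udp_sendrecv_all_ports(super_t)
corenet_udp_bind_all_nodes(super_t)
corenet_udp_bind_all_ports(super_t)

# Capabilities.  sys_ptrace is granted here, but ptrace of other domains is
# only dontaudit'ed below (domain_dontaudit_ptrace_all_domains), not allowed.
allow super_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
files_dontaudit_search_all_dirs(super_t)

# SELinux management helpers (setfiles, default contexts).
selinux_get_enforce_mode(super_t)
seutil_domtrans_setfiles(super_t)
seutil_search_default_contexts(super_t)

logging_send_syslog_msg(super_t)

kernel_read_system_state(super_t)

domain_dontaudit_search_all_domains_state(super_t)
domain_dontaudit_ptrace_all_domains(super_t)

userdom_dontaudit_search_sysadm_home_dirs(super_t)
userdom_dontaudit_search_generic_user_home_dirs(super_t)

# Tunables: both default to off, so super_t cannot touch other users' home
# or tmp content unless an administrator turns them on (setsebool).
bool super_read_user_files false;
bool super_manage_user_files false;

if (super_read_user_files) {
   userdom_read_unpriv_users_home_content_files(super_t)
   userdom_read_unpriv_users_tmp_files(super_t)
}

if (super_manage_user_files) {
   userdom_manage_unpriv_users_home_content_dirs(super_t)
   userdom_read_unpriv_users_tmp_files(super_t)
   userdom_write_unpriv_users_tmp_files(super_t)
}

optional_policy(`
	logging_admin(super_t,super_r,{ super_devpts_t super_tty_device_t })
')

########################################
#
# Basic local policy
#
# basic_r may change role to super_r and to unconfined_r (via newrole or
# sudo -r, granted at the end of this file).  A role change template only
# covers what the *policy* permits; the SELinux user (semanage user) must
# additionally be authorized for every role a process can end up in.
# Running yum from unconfined_r:unconfined_t transitions to rpm_t with role
# system_r, so the SELinux user needs system_r as well, roughly:
#   semanage user -m -R "basic_r unconfined_r system_r" myuserdomain
# Without it exec fails with
#   security_compute_sid: invalid context myuserdomain:system_r:rpm_t:s0
# Authorizing system_r widens what this login user may hold; do not do it
# for users that are meant to stay confined.
userdom_role_change_template(basic, super)
userdom_role_change_template(basic, unconfined)

# Per-role application templates.
optional_policy(`
	ut2004_per_role_template(basic, basic_t, basic_r)
')

optional_policy(`
	java_per_role_template(basic, basic_t, basic_r)
')

optional_policy(`
	mono_per_role_template(basic, basic_t, basic_r)
')

# NOTE(review): the other *_per_role_template calls pass basic_t; confirm
# basic_usertype is what the gpg template expects for its second argument.
optional_policy(`
	gpg_per_role_template(basic, basic_usertype, basic_r)
')

# D-Bus chat with desktop services.
optional_policy(`
	hal_dbus_chat(basic_t)
')

optional_policy(`
	init_read_utmp(basic_t)
')

optional_policy(`
	auth_list_pam_console_data(basic_t)
')

optional_policy(`
	kernel_read_fs_sysctls(basic_t)
')

optional_policy(`
	files_dontaudit_getattr_boot_dirs(basic_t)
')

optional_policy(`
	files_search_mnt(basic_t)
')

# Filesystems without xattr support (e.g. removable media): manage files and
# dirs, getattr the fs, read symlinks.
optional_policy(`
	fs_manage_noxattr_fs_files(basic_t)
')

optional_policy(`
	fs_manage_noxattr_fs_dirs(basic_t)
')

optional_policy(`
	fs_getattr_noxattr_fs(basic_t)
')

optional_policy(`
	fs_read_noxattr_fs_symlinks(basic_t)
')

optional_policy(`
	networkmanager_dbus_chat(basic_t)
')

optional_policy(`
	bluetooth_dbus_chat(basic_t)
')

optional_policy(`
	gnomeclock_dbus_chat(basic_t)
')

optional_policy(`
	kerneloops_dbus_chat(basic_t)
')

userdom_dontaudit_use_sysadm_terms(basic_t)

allow basic_t self:capability sys_nice;

domain_read_all_domains_state(basic_t)
domain_getattr_all_domains(basic_t)

files_read_kernel_modules(basic_t)

modutils_read_module_config(basic_t)
modutils_read_module_deps(basic_t)

miscfiles_read_hwdata(basic_t)

# sudo and newrole for basic_t; these are the tools used to reach super_r /
# unconfined_r (sudo -r ... -t ... in the reproduction steps).
sudo_per_role_template(basic, basic_t, basic_r)
seutil_run_newrole(basic_t, basic_r, { basic_tty_device_t basic_devpts_t })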

Comment 1 Dominick Grift 2008-02-18 13:17:43 UTC
Solved. This is not a bug; the behaviour is by design.

It works once the SELinux user (myuserdomain), which is already authorized for unconfined_r, is also authorized for the system_r role. The yum → rpm domain transition from unconfined_t to rpm_t selects role system_r (see the computed context in the SELINUX_ERR above), and a context whose role is not in its SELinux user's role set is invalid, so security_compute_sid refuses it; this is a user/role authorization failure, not an AVC type-enforcement denial. Security note: authorizing system_r widens the roles this login user can hold. It is acceptable here because the user is already permitted into unconfined_r, but it should not be done for users that are meant to stay confined.

Sorry for any inconvenience

