SELINUX_ERR during update of libgnome

Daniel J Walsh dwalsh at redhat.com
Fri Dec 21 05:58:23 UTC 2007



Tom London wrote:
> More from today's update, this time running permissive:
> 
> type=SELINUX_ERR msg=audit(1198161003.852:35): security_compute_sid:
> invalid context unconfined_u:unconfined_r:useradd_t:s0 for
> scontext=unconfined_u:unconfined_r:rpm_script_t:s0
> tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1198161003.852:35): arch=40000003 syscall=11
> success=yes exit=0 a0=81c0ee8 a1=81c0248 a2=81bfbc8 a3=0 items=0
> ppid=4036 pid=4037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd"
> subj=unconfined_u:unconfined_r:useradd_t:s0 key=(null)
> type=USER_CHAUTHTOK msg=audit(1198161003.958:36): user pid=4037 uid=0
> auid=500 subj=unconfined_u:unconfined_r:useradd_t:s0 msg='op=adding
> user acct=gdm exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=?
> res=failed)'
> type=SELINUX_ERR msg=audit(1198161003.960:37): security_compute_sid:
> invalid context unconfined_u:unconfined_r:useradd_t:s0 for
> scontext=unconfined_u:unconfined_r:rpm_script_t:s0
> tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1198161003.960:37): arch=40000003 syscall=11
> success=yes exit=0 a0=81c0058 a1=81bfda0 a2=81bfe38 a3=0 items=0
> ppid=4036 pid=4038 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="usermod" exe="/usr/sbin/usermod"
> subj=unconfined_u:unconfined_r:useradd_t:s0 key=(null)
> type=USER_CHAUTHTOK msg=audit(1198161003.993:38): user pid=4038 uid=0
> auid=500 subj=unconfined_u:unconfined_r:useradd_t:s0 msg='op=changing
> user shell acct=gdm exe="/usr/sbin/usermod" (hostname=?, addr=?,
> terminal=? res=success)'
> 
> from around here:
>   Updating  : gtk2-devel                   ####################### [19/62]
>   Updating  : gdm                          ####################### [20/62]
>   Updating  : ipsec-tools                  ####################### [21/62]
> 
> 
> I'd like to understand the issue here.
> 
> Is the error message saying that a transition to
> unconfined_u:unconfined_r:useradd_t:s0 from
> scontext=unconfined_u:unconfined_r:rpm_script_t:s0 hasn't been allowed?
> 
> tom
Yes, this is saying that unconfined_r:rpm_script_t cannot transition to
unconfined_r:useradd_t.

This is an RBAC problem. Tomorrow's policy will transition from
unconfined_r to system_r when unconfined_t runs rpm.

This should fix the problem. I am fully turning on RBAC and will
probably have some hiccups.



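Added example, not part of the original message or of any Fedora tooling: a small Python parser for the SELINUX_ERR security_compute_sid records quoted above. It pairs each record with the SYSCALL record of the same audit event and reports the role/type pair to check in policy. The sample input is constructed from the quoted log (records unwrapped onto single lines, SYSCALL fields abridged), and the function and field names are hypothetical.

```python
import re

# Constructed sample: event 35 from the quoted log, each record unwrapped onto
# one line as auditd writes it; the SYSCALL record is abridged.
SAMPLE = (
    'type=SELINUX_ERR msg=audit(1198161003.852:35): security_compute_sid: '
    'invalid context unconfined_u:unconfined_r:useradd_t:s0 for '
    'scontext=unconfined_u:unconfined_r:rpm_script_t:s0 '
    'tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process\n'
    'type=SYSCALL msg=audit(1198161003.852:35): arch=40000003 syscall=11 '
    'success=yes exit=0 ppid=4036 pid=4037 auid=500 uid=0 comm="useradd" '
    'exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0 key=(null)\n'
)

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
ERR = re.compile(r'security_compute_sid:\s+invalid context (\S+) for '
                 r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def split_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain colons."""
    user, role, typ, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'level': level}

def explain_compute_sid_errors(log_text):
    """Return one finding per SELINUX_ERR security_compute_sid record."""
    exe_by_event, findings = {}, []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _timestamp, serial, body = m.groups()
        if rtype == 'SYSCALL':
            exe = re.search(r'exe="([^"]*)"', body)
            exe_by_event[serial] = exe.group(1) if exe else None
        elif rtype == 'SELINUX_ERR':
            e = ERR.search(body)
            if e:
                bad, src, tgt, tclass = e.groups()
                findings.append({'event': serial, 'tclass': tclass,
                                 'source': split_context(src), 'rejected': split_context(bad),
                                 'entrypoint_type': split_context(tgt)['type']})
    for f in findings:
        f['exe'] = exe_by_event.get(f['event'])  # same serial number = same audit event
        # Assumption: user and level carry over from scontext unchanged, so the
        # role/type pair of the rejected context is what to look up in policy.
        f['pair_to_check'] = (f['rejected']['role'], f['rejected']['type'])
    return findings
```

For the sample this reports event 35, exe /usr/sbin/useradd, source type rpm_script_t and the pair (unconfined_r, useradd_t), which is the pair the reply above describes.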



