SELINUX_ERR during update of libgnome

Stephen Smalley sds at tycho.nsa.gov
Thu Dec 20 19:38:29 UTC 2007


On Thu, 2007-12-20 at 06:34 -0800, Tom London wrote:
> More from today's update, this time running permissive:
> 
> type=SELINUX_ERR msg=audit(1198161003.852:35): security_compute_sid:
> invalid context unconfined_u:unconfined_r:useradd_t:s0 for
> scontext=unconfined_u:unconfined_r:rpm_script_t:s0
> tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1198161003.852:35): arch=40000003 syscall=11
> success=yes exit=0 a0=81c0ee8 a1=81c0248 a2=81bfbc8 a3=0 items=0
> ppid=4036 pid=4037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="useradd" exe="/usr/sbin/useradd"
> subj=unconfined_u:unconfined_r:useradd_t:s0 key=(null)
> type=USER_CHAUTHTOK msg=audit(1198161003.958:36): user pid=4037 uid=0
> auid=500 subj=unconfined_u:unconfined_r:useradd_t:s0 msg='op=adding
> user acct=gdm exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=?
> res=failed)'
> type=SELINUX_ERR msg=audit(1198161003.960:37): security_compute_sid:
> invalid context unconfined_u:unconfined_r:useradd_t:s0 for
> scontext=unconfined_u:unconfined_r:rpm_script_t:s0
> tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1198161003.960:37): arch=40000003 syscall=11
> success=yes exit=0 a0=81c0058 a1=81bfda0 a2=81bfe38 a3=0 items=0
> ppid=4036 pid=4038 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 comm="usermod" exe="/usr/sbin/usermod"
> subj=unconfined_u:unconfined_r:useradd_t:s0 key=(null)
> type=USER_CHAUTHTOK msg=audit(1198161003.993:38): user pid=4038 uid=0
> auid=500 subj=unconfined_u:unconfined_r:useradd_t:s0 msg='op=changing
> user shell acct=gdm exe="/usr/sbin/usermod" (hostname=?, addr=?,
> terminal=? res=success)'
> 
> from around here:
>   Updating  : gtk2-devel                   ####################### [19/62]
>   Updating  : gdm                          ####################### [20/62]
>   Updating  : ipsec-tools                  ####################### [21/62]
> 
> 
> I'd like to understand the issue here.
> 
> Is the error message saying that a transition to
> unconfined_u:unconfined_r:useradd_t:s0 from
> scontext=unconfined_u:unconfined_r:rpm_script_t:s0 hasn't been allowed?

It means that the new context computed by a transition rule (e.g. a
type, role, and/or range transition rule) in the policy upon execution
of a program is not a valid context, i.e. the user isn't authorized for
the role or the role isn't authorized for the type or the user isn't
authorized for the range.

These kinds of errors were automatically turned into role ... types ...;
rules by the old audit2allow, pre-sepolgen.  That's a regression in the
new audit2allow/sepolgen.

-- 
Stephen Smalley
National Security Agency
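
The mapping described in the reply above, from a `security_compute_sid: invalid context` record to a `role ... types ...;` statement, as an added example (not part of the original thread and not audit2allow's own code). The function names are hypothetical, and the sample input is constructed by re-joining the wrapped record quoted above into the one-line form used in audit.log. The emitted rule covers only the "role isn't authorized for the type" case; the user/role and user/range cases named in the reply need a different fix.

```python
import re

# Kernel record for a computed context that failed validation.
_RECORD = re.compile(
    r"type=SELINUX_ERR\b.*?security_compute_sid:\s+invalid context\s+(?P<new>\S+)"
    r"\s+for\s+scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """Split user:role:type[:range]; an MLS range may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, type_ = parts[:3]
    rng = parts[3] if len(parts) == 4 else None
    return user, role, type_, rng

def role_types_candidates(audit_text):
    """Return de-duplicated 'role R types T;' candidates for process
    transitions whose computed context was rejected as invalid."""
    rules = set()
    for line in audit_text.splitlines():
        m = _RECORD.search(line)
        # Assumption: only tclass=process records are of interest here,
        # since they describe a domain transition on exec.
        if not m or m.group("tclass") != "process":
            continue
        _user, role, type_, _rng = split_context(m.group("new"))
        rules.add(f"role {role} types {type_};")
    return sorted(rules)

# Constructed sample: the quoted record re-joined onto one line, repeated as
# in the thread, plus a shortened SYSCALL line that must be ignored.
_ERR = (
    "type=SELINUX_ERR msg=audit(1198161003.{}): security_compute_sid: "
    "invalid context unconfined_u:unconfined_r:useradd_t:s0 for "
    "scontext=unconfined_u:unconfined_r:rpm_script_t:s0 "
    "tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process"
)
SAMPLE = "\n".join([
    _ERR.format("852:35"),
    'type=SYSCALL msg=audit(1198161003.852:35): syscall=11 comm="useradd"',
    _ERR.format("960:37"),
])

if __name__ == "__main__":
    for rule in role_types_candidates(SAMPLE):
        print(rule)
```

Any rule it prints is a candidate to review against the policy, not something to load unexamined.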



