* [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t
@ 2012-09-18 11:07 Laurent Bigonville
  2012-09-19 10:30 ` Laurent Bigonville
  0 siblings, 1 reply; 5+ messages in thread
From: Laurent Bigonville @ 2012-09-18 11:07 UTC (permalink / raw)
  To: refpolicy

Hi,

With the git HEAD of the refpolicy compiled with TYPE = standard and
both  UBAC = y and UBAC = n, I'm getting the following error:

type=SELINUX_ERR msg=audit(1347477364.713:4557): security_compute_sid:
invalid context unconfined_u:system_r:pulseaudio_t for
scontext=unconfined_u:system_r:pulseaudio_t
tcontext=unconfined_u:system_r:pulseaudio_t tclass=unix_stream_socket

This is causing pulseaudio to fail to start (due to dbus not being
happy) even in permissive mode:

Failed to connect to system bus: An SELinux policy prevents this sender
from sending this message to this recipient, 0 matched rules;
type="method_call", sender="(null)" (inactive)
interface="org.freedesktop.DBus" member="Hello" error name="(unset)"
requested_reply="0" destination="org.freedesktop.DBus" (bus)

Running pulseaudio unconfined is obviously allowing it to start.

Any idea?

Cheers

Laurent Bigonville


* [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t
  2012-09-18 11:07 [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t Laurent Bigonville
@ 2012-09-19 10:30 ` Laurent Bigonville
  2012-09-20 13:04   ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Laurent Bigonville @ 2012-09-19 10:30 UTC (permalink / raw)
  To: refpolicy

On Tue, 18 Sep 2012 13:07:07 +0200,
Laurent Bigonville <bigon@debian.org> wrote:

> Hi,
> 
> With the git HEAD of the refpolicy compiled with TYPE = standard and
> both  UBAC = y and UBAC = n, I'm getting the following error:
> 
> type=SELINUX_ERR msg=audit(1347477364.713:4557): security_compute_sid:
> invalid context unconfined_u:system_r:pulseaudio_t for
> scontext=unconfined_u:system_r:pulseaudio_t
> tcontext=unconfined_u:system_r:pulseaudio_t tclass=unix_stream_socket

OK so this has been fixed by adding the system_r role to the
unconfined_u user. It seems that Fedora is already doing this, any
reason it's not in the refpolicy?

Also, pulseaudio is now running:

unconfined_u:system_r:pulseaudio_t:s0-s0:c0.c1023 bigon 3820 0.0  0.1 304728 6716 ? S<l 00:13   0:01 /usr/bin/pulseaudio --start --log-target=syslog

Do we also want to have pulseaudio transition to its own context when
started in the user session?

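The check behind the error discussed above, as an added example that is not part of the original posts: a context is rejected when its SELinux user is not authorized for its role, which is what adding system_r to unconfined_u changes. The two user-to-role maps are constructed sample data, not output from a real policy build, and the function names are hypothetical.

```python
import re

# Constructed sample data: SELinux user -> authorized roles, before and
# after the change described in the thread. Not from a real policy build.
USER_ROLES_BEFORE = {"unconfined_u": {"unconfined_r"}, "system_u": {"system_r"}}
USER_ROLES_AFTER = {"unconfined_u": {"unconfined_r", "system_r"},
                    "system_u": {"system_r"}}

# The audit record quoted in the thread, joined onto one line.
RECORD = ("type=SELINUX_ERR msg=audit(1347477364.713:4557): security_compute_sid: "
          "invalid context unconfined_u:system_r:pulseaudio_t for "
          "scontext=unconfined_u:system_r:pulseaudio_t "
          "tcontext=unconfined_u:system_r:pulseaudio_t tclass=unix_stream_socket")

PATTERN = re.compile(
    r"type=SELINUX_ERR .*?security_compute_sid:\s+invalid context (?P<ctx>\S+) for "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")

def parse_invalid_context(line):
    """Return the fields of a security_compute_sid record, or None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # user:role:type[:range]; the MLS/MCS range may itself contain ':'.
    user, role, setype, *level = fields["ctx"].split(":", 3)
    fields.update(user=user, role=role, type=setype,
                  level=level[0] if level else None)
    return fields

def diagnose(line, user_roles):
    """Say whether the user/role pair of the rejected context is authorized."""
    rec = parse_invalid_context(line)
    if rec is None:
        return "not a security_compute_sid record"
    allowed = user_roles.get(rec["user"])
    if allowed is None:
        return f"unknown SELinux user {rec['user']}"
    if rec["role"] not in allowed:
        return f"{rec['user']} is not authorized for role {rec['role']}"
    return "user/role pair is authorized; check the role/type association"

if __name__ == "__main__":
    print(diagnose(RECORD, USER_ROLES_BEFORE))
    print(diagnose(RECORD, USER_ROLES_AFTER))
```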

* [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t
  2012-09-19 10:30 ` Laurent Bigonville
@ 2012-09-20 13:04   ` Christopher J. PeBenito
  2012-09-20 13:15     ` Laurent Bigonville
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2012-09-20 13:04 UTC (permalink / raw)
  To: refpolicy

On 09/19/12 06:30, Laurent Bigonville wrote:
> On Tue, 18 Sep 2012 13:07:07 +0200,
> Laurent Bigonville <bigon@debian.org> wrote:
> 
>> Hi,
>>
>> With the git HEAD of the refpolicy compiled with TYPE = standard and
>> both  UBAC = y and UBAC = n, I'm getting the following error:
>>
>> type=SELINUX_ERR msg=audit(1347477364.713:4557): security_compute_sid:
>> invalid context unconfined_u:system_r:pulseaudio_t for
>> scontext=unconfined_u:system_r:pulseaudio_t
>> tcontext=unconfined_u:system_r:pulseaudio_t tclass=unix_stream_socket
> 
> OK so this has been fixed by adding the system_r role to the
> unconfined_u user. It seems that Fedora is already doing this, any
> reason it's not in the refpolicy?
> 
> Also, pulseaudio is now running:
> 
> unconfined_u:system_r:pulseaudio_t:s0-s0:c0.c1023 bigon 3820 0.0  0.1 304728 6716 ? S<l 00:13   0:01 /usr/bin/pulseaudio --start --log-target=syslog
> 
> Do we also want to have pulseaudio transition to its own context when
> started in the user session?

I'm no expert in pulseaudio, but I suppose it could make sense.  The transitions to pulseaudio_t are from initrc_t, mozilla_t, and system_dbusd_t right now.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t
  2012-09-20 13:04   ` Christopher J. PeBenito
@ 2012-09-20 13:15     ` Laurent Bigonville
  2012-09-21 14:49       ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: Laurent Bigonville @ 2012-09-20 13:15 UTC (permalink / raw)
  To: refpolicy

On Thu, 20 Sep 2012 09:04:15 -0400,
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:

> On 09/19/12 06:30, Laurent Bigonville wrote:
> > On Tue, 18 Sep 2012 13:07:07 +0200,
> > Laurent Bigonville <bigon@debian.org> wrote:
> > 
> > unconfined_u:system_r:pulseaudio_t:s0-s0:c0.c1023 bigon 3820 0.0
> > 0.1 304728 6716 ? S<l 00:13   0:01 /usr/bin/pulseaudio --start
> > --log-target=syslog
> > 
> > Do we also want to have pulseaudio transition to its own context
> > when started in the user session?
> 
> I'm no expert in pulseaudio, but I suppose it could make sense.  The
> transitions to pulseaudio_t are from initrc_t, mozilla_t, and
> system_dbusd_t right now.
> 

I meant this is already happening now, with the current version of the
policy. unconfined_t is also transitioning to pulseaudio_t.

And the role is also transitioning from unconfined_r to system_r, which
leads to my other question about adding the system_r role to the
unconfined user (which is the case in Fedora policy).

Cheers

Laurent Bigonville


* [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t
  2012-09-20 13:15     ` Laurent Bigonville
@ 2012-09-21 14:49       ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2012-09-21 14:49 UTC (permalink / raw)
  To: refpolicy


On 09/20/2012 09:15 AM, Laurent Bigonville wrote:
> On Thu, 20 Sep 2012 09:04:15 -0400, "Christopher J. PeBenito"
> <cpebenito@tresys.com> wrote:
> 
>> On 09/19/12 06:30, Laurent Bigonville wrote:
>>> On Tue, 18 Sep 2012 13:07:07 +0200, Laurent Bigonville
>>> <bigon@debian.org> wrote:
>>> 
>>> unconfined_u:system_r:pulseaudio_t:s0-s0:c0.c1023 bigon 3820 0.0 0.1
>>> 304728 6716 ? S<l 00:13   0:01 /usr/bin/pulseaudio --start 
>>> --log-target=syslog
>>> 
>>> Do we also want to have pulseaudio transition to its own context when
>>> started in the user session?
>> 
>> I'm no expert in pulseaudio, but I suppose it could make sense.  The 
>> transitions to pulseaudio_t are from initrc_t, mozilla_t, and 
>> system_dbusd_t right now.
>> 
> 
> I meant this is already happening now, with the current version of the 
> policy. unconfined_t is also transitioning to pulseaudio_t.
> 
> And the role is also transitioning from unconfined_r to system_r, which leads
> to my other question about adding the system_r role to the unconfined user
> (which is the case in Fedora policy).
> 
> Cheers
> 
> Laurent Bigonville
> 


unconfined_t is transitioning to a domain running as system_r which later
transitions to pulseaudio_t

On F18, I find.

 setrans unconfined_t pulseaudio_t
unconfined_t --> xserver_t --> insmod_t --> initrc_t --> pulseaudio_t
unconfined_t --> initrc_t --> pulseaudio_t




