12-03-2007, 06:20 PM
"Tom London"

pulseaudio, policykit - works in permissive, fails in enforcing

Running latest Rawhide.

I've noticed the following problem that I cannot track down fully.

Pulseaudio seems to have stopped working when in enforcing mode,
unless I manually change the permissions to the numerous /dev/ files
to 666 (e.g., /dev/*dsp*, /dev/audio* /dev/snd/*, ....)

I get no AVCs. Below are snippets from /var/log/messages.

My (simpleminded) interpretation is that in permissive mode, policykit
is running but not when in enforcing.

Any suggestions on how to track this down further?

tom

Permissive:

Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: Failed to show
grant dialog: Unable to lookup exe for caller
Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: PolicyKit
responded with 'auth_admin_keep_always'
Dec 3 09:48:10 localhost pulseaudio[2947]: pid.c: Stale PID file, overwriting.
Dec 3 09:48:10 localhost pulseaudio[2947]: main.c:
setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
Dec 3 09:48:12 localhost pulseaudio[2947]: module.c: Failed to load
module "module-rtp-recv" (argument: ""): initialization failed.
Dec 3 09:48:12 localhost pulseaudio[2947]: module-gconf.c:
pa_module_load() failed



Enforcing:

Dec 3 10:59:27 localhost pulseaudio[3995]: pid.c: Stale PID file, overwriting.
Dec 3 10:59:27 localhost pulseaudio[3995]: main.c:
setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening
PCM device hw:0: No such device
Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load
module "module-alsa-sink" (argument: "device_id=0
sink_name=alsa_output.pci_8086_27d8_alsa_playback_0"): initialization
failed.
Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening
PCM device hw:0: No such device
Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load
module "module-alsa-source" (argument: "device_id=0
source_name=alsa_input.pci_8086_27d8_alsa_capture_0"): initialization
failed.
Dec 3 10:59:29 localhost pulseaudio[3995]: module.c: Failed to load
module "module-rtp-recv" (argument: ""): initialization failed.
Dec 3 10:59:29 localhost pulseaudio[3995]: module-gconf.c:
pa_module_load() failed


--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
12-03-2007, 10:22 PM
"Tom London"

pulseaudio, policykit - works in permissive, fails in enforcing

On Dec 3, 2007 11:20 AM, Tom London <selinux@gmail.com> wrote:
> Running latest Rawhide.
>
> I've noticed the following problem that I cannot track down fully.
>
> Pulseaudio seems to have stopped working when in enforcing mode,
> unless I manually change the permissions to the numerous /dev/ files
> to 666 (e.g., /dev/*dsp*, /dev/audio* /dev/snd/*, ....)
>
> I get no AVCs. Below are snippets from /var/log/messages.
>
> My (simpleminded) interpretation is that in permissive mode, policykit
> is running but not when in enforcing.
>
> Any suggestions on how to track this down further?
>
> tom
>
> Permissive:
>
> Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: Failed to show
> grant dialog: Unable to lookup exe for caller
> Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: PolicyKit
> responded with 'auth_admin_keep_always'
> Dec 3 09:48:10 localhost pulseaudio[2947]: pid.c: Stale PID file, overwriting.
> Dec 3 09:48:10 localhost pulseaudio[2947]: main.c:
> setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> Dec 3 09:48:12 localhost pulseaudio[2947]: module.c: Failed to load
> module "module-rtp-recv" (argument: ""): initialization failed.
> Dec 3 09:48:12 localhost pulseaudio[2947]: module-gconf.c:
> pa_module_load() failed
>
>
>
> Enforcing:
>
> Dec 3 10:59:27 localhost pulseaudio[3995]: pid.c: Stale PID file, overwriting.
> Dec 3 10:59:27 localhost pulseaudio[3995]: main.c:
> setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening
> PCM device hw:0: No such device
> Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load
> module "module-alsa-sink" (argument: "device_id=0
> sink_name=alsa_output.pci_8086_27d8_alsa_playback_0"): initialization
> failed.
> Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening
> PCM device hw:0: No such device
> Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load
> module "module-alsa-source" (argument: "device_id=0
> source_name=alsa_input.pci_8086_27d8_alsa_capture_0"): initialization
> failed.
> Dec 3 10:59:29 localhost pulseaudio[3995]: module.c: Failed to load
> module "module-rtp-recv" (argument: ""): initialization failed.
> Dec 3 10:59:29 localhost pulseaudio[3995]: module-gconf.c:
> pa_module_load() failed
>

I ran 'semodule -DB' and rebooted in enforcing mode. I attach below
the complete list of AVCs from /var/log/audit/audit.log.

Eliminating some of the obvious ones (e.g., from NetworkManager, etc.)
leaves the 'allows' below. Do any of them seem likely?

#============= avahi_t ==============
allow avahi_t init_t:fd use;

#============= consolekit_t ==============
allow consolekit_t NetworkManager_t:process ptrace;
allow consolekit_t init_t:fd use;
allow consolekit_t xdm_t:process ptrace;

#============= hald_t ==============
allow hald_t cupsd_config_t:process { siginh rlimitinh noatsecure };
allow hald_t dmidecode_t:process { siginh rlimitinh noatsecure };
allow hald_t hald_acl_t:process { siginh rlimitinh noatsecure };
allow hald_t init_t:fd use;
allow hald_t udev_t:process { siginh rlimitinh noatsecure };

#============= insmod_t ==============
allow insmod_t tty_device_t:chr_file { read write };
allow insmod_t xdm_t:fd use;
allow insmod_t xdm_xserver_t:tcp_socket { read write };
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
allow insmod_t xserver_log_t:file write;

#============= pam_t ==============
allow pam_t xdm_t:fd use;

#============= setrans_t ==============
allow setrans_t init_t:fd use;
allow setrans_t security_t:filesystem getattr;

#============= setroubleshootd_t ==============
allow setroubleshootd_t init_t:fd use;
allow setroubleshootd_t rpm_var_lib_t:dir write;

#============= system_chkpwd_t ==============
allow system_chkpwd_t security_t:dir search;
allow system_chkpwd_t security_t:filesystem getattr;

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:process { siginh rlimitinh noatsecure };

#============= udev_t ==============
allow udev_t pam_console_t:process { siginh rlimitinh noatsecure };

#============= updpwd_t ==============
allow updpwd_t security_t:dir search;
allow updpwd_t security_t:filesystem getattr;
allow updpwd_t selinux_config_t:dir search;

#============= xdm_t ==============
allow xdm_t pam_console_t:process { siginh rlimitinh noatsecure };
allow xdm_t system_chkpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t unconfined_t:process { siginh noatsecure };
allow xdm_t updpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t xdm_dbusd_t:process { siginh rlimitinh noatsecure };
allow xdm_t xdm_xserver_t:dir search;

#============= xdm_xserver_t ==============
allow xdm_xserver_t insmod_t:process { siginh rlimitinh noatsecure };
allow xdm_xserver_t security_t:dir search;
allow xdm_xserver_t security_t:filesystem getattr;
allow xdm_xserver_t selinux_config_t:dir search;


tom
--
Tom London

 
12-03-2007, 10:54 PM
"Tom London"

pulseaudio, policykit - works in permissive, fails in enforcing

On Dec 3, 2007 3:50 PM, Tom London <selinux@gmail.com> wrote:
> Forgot to attach the AVCs......
>
> Does this one look suspicious?
>
> type=AVC msg=audit(1196722543.811:703): avc: denied { search } for
> pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
> success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
> pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> exe="/usr/libexec/ck-get-x11-display-device"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>

Attached compressed....sigh

tom
--
Tom London
 
12-04-2007, 05:16 PM
"Tom London"

pulseaudio, policykit - works in permissive, fails in enforcing

On Dec 3, 2007 3:54 PM, Tom London <selinux@gmail.com> wrote:
>
> On Dec 3, 2007 3:50 PM, Tom London <selinux@gmail.com> wrote:
> > Forgot to attach the AVCs......
> >
> > Does this one look suspicious?
> >
> > type=AVC msg=audit(1196722543.811:703): avc: denied { search } for
> > pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> > type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
> > success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
> > pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> > exe="/usr/libexec/ck-get-x11-display-device"
> > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> >
>
> Attached compressed....sigh
>
Reran the above in permissive mode. This seemed suspicious:

type=AVC msg=audit(1196779565.801:132): avc: denied { search } for
pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1196779565.801:132): avc: denied { read } for
pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5
success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585
pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
exe="/usr/libexec/ck-get-x11-display-device"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for
pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc
ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197
success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0
ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
exe="/usr/libexec/ck-get-x11-display-device"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

So, I did a 'audit2allow -M localpulse2' on the above.

Here is the .te file:

module localpulse2 1.0;

require {
type xdm_xserver_t;
type xdm_t;
class dir search;
class file { read getattr };
}

#============= xdm_t ==============
allow xdm_t xdm_xserver_t:dir search;
allow xdm_t xdm_xserver_t:file { read getattr };

'semodule -i localpulse2.pp' makes pulseaudio work.

Should this be added?

tom
--
Tom London

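The triage loop Tom walks through in the posts above (semodule -DB to stop hiding dontaudit'ed denials, a capture in enforcing mode, a second capture in permissive mode, then audit2allow -M) can be reproduced on the raw audit records. The following is an added example written for this page; it is not code from the thread, from audit2allow or from any Fedora tool. It embeds the AVC and SYSCALL records quoted above as a constructed sample (re-joined onto single lines), pairs each AVC with the SYSCALL record of the same audit event by serial number, and uses the syscall outcome to tell a denial the kernel enforced (success=no, exit=-13) from one that was merely logged in permissive mode (success=yes). It then emits the same require block and allow rules as the localpulse2.te above, with permissions listed alphabetically rather than in audit2allow's order. The detail worth noticing is the reason the permissive capture was needed: in the enforcing run only the search denial is recorded, because ck-get-x11-display-device fails there and never reaches the read and getattr on the X server's /proc/<pid>/stat, so a module built from the enforcing log alone would have been one permission short.

```python
"""Triage SELinux AVC records and build a local policy module from them.

Added example (not from the thread and not audit2allow's own code). Each AVC
is paired with the SYSCALL record of the same audit event so the outcome is
known: success=no means the kernel enforced the denial, success=yes means it
was only logged (the domain was permissive).
"""
import re
from collections import defaultdict

# Constructed sample: the records quoted in the thread, re-joined onto single
# lines. Event 703 is from the enforcing run, events 132/133 from the permissive run.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1196722543.811:703): avc: denied { search } for pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5 success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715 pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196779565.801:132): avc: denied { search } for pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1196779565.801:132): avc: denied { read } for pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5 success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

# Real audit.log lines use doubled spaces around "denied" and "for"; " +" absorbs both forms.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} +for '
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no)'
)


def type_of(context):
    """system_u:system_r:xdm_t:s0-s0:c0.c1023 -> xdm_t (the type field of a context)."""
    return context.split(":")[2]


def parse_avcs(text):
    """Parse AVC records and attach the matching SYSCALL record's outcome by serial."""
    avcs, outcome = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            avcs.append({
                "serial": m["serial"],
                "comm": m["comm"],
                "perms": set(m["perms"].split()),
                "stype": type_of(m["scontext"]),
                "ttype": type_of(m["tcontext"]),
                "tclass": m["tclass"],
                "success": None,  # filled in below from the SYSCALL record, if any
            })
            continue
        m = SYSCALL_RE.search(line)
        if m:
            outcome[m["serial"]] = m["success"] == "yes"
    for avc in avcs:
        avc["success"] = outcome.get(avc["serial"])
    return avcs


def classify(avcs):
    """Group denials: 'enforced' (syscall failed), 'logged_only' (syscall went
    through anyway, i.e. permissive) or 'unmatched' (no SYSCALL record seen)."""
    groups = {"enforced": [], "logged_only": [], "unmatched": []}
    for avc in avcs:
        if avc["success"] is None:
            groups["unmatched"].append(avc)
        elif avc["success"]:
            groups["logged_only"].append(avc)
        else:
            groups["enforced"].append(avc)
    return groups


def fmt_perms(perms):
    """Render a permission set as a .te file expects: a bare name or { a b }."""
    names = sorted(perms)
    return names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"


def allow_rules(avcs):
    """Merge AVCs into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for avc in avcs:
        merged[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(merged.items())]


def policy_module(name, avcs):
    """Build a .te in the shape audit2allow -M writes: require block, then allow rules."""
    types = sorted({avc["stype"] for avc in avcs} | {avc["ttype"] for avc in avcs})
    classes = defaultdict(set)
    for avc in avcs:
        classes[avc["tclass"]] |= avc["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(avcs)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    records = parse_avcs(SAMPLE_AUDIT_LOG)
    groups = classify(records)
    print(f"enforced: {len(groups['enforced'])}, logged only: {len(groups['logged_only'])}")
    print(policy_module("localpulse2", records))
```

Run against a real /var/log/audit/audit.log the same way (read the file into `parse_avcs`); a module built only from the `enforced` group shows what the first failing step needed, while the `logged_only` group from a permissive run gives the complete set.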
 
12-05-2007, 03:25 PM
Daniel J Walsh

pulseaudio, policykit - works in permissive, fails in enforcing


Tom London wrote:
> On Dec 3, 2007 3:54 PM, Tom London <selinux@gmail.com> wrote:
>> On Dec 3, 2007 3:50 PM, Tom London <selinux@gmail.com> wrote:
>>> Forgot to attach the AVCs......
>>>
>>> Does this one look suspicious?
>>>
>>> type=AVC msg=audit(1196722543.811:703): avc: denied { search } for
>>> pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484
>>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
>>> type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
>>> success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
>>> pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
>>> exe="/usr/libexec/ck-get-x11-display-device"
>>> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>>>
>> Attached compressed....sigh
>>
> Reran the above in permissive mode. This seemed suspicious:
>
> type=AVC msg=audit(1196779565.801:132): avc: denied { search } for
> pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> type=AVC msg=audit(1196779565.801:132): avc: denied { read } for
> pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5
> success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585
> pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> exe="/usr/libexec/ck-get-x11-display-device"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for
> pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc
> ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197
> success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0
> ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> exe="/usr/libexec/ck-get-x11-display-device"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> So, I did a 'audit2allow -M localpulse2' on the above.
>
> Here is the .te file:
>
> module localpulse2 1.0;
>
> require {
> type xdm_xserver_t;
> type xdm_t;
> class dir search;
> class file { read getattr };
> }
>
> #============= xdm_t ==============
> allow xdm_t xdm_xserver_t:dir search;
> allow xdm_t xdm_xserver_t:file { read getattr };
>
> 'semodule -i localpulse2.pp' makes pulseaudio work.
>
> Should this be added?
>
> tom
I have added this to the latest rawhide policy 3.2.2-1

BTW: a handy tool to see what consolekit thinks of you is


> ck-list-sessions
Session2:
uid = '3267'
realname = 'Daniel J Walsh,,978-392-3130,508-485-6146'
seat = 'Seat1'
session-type = '
active = TRUE
x11-display = ':0'
x11-display-device = '/dev/tty7'
display-device = '
remote-host-name = '
is-local = TRUE
on-since = '2007-12-04T18:46:05Z'


If it does not show active, then consolekit thinks you are not on the
console and will not change the permissions on the devices.

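The check Dan describes above (look at ck-list-sessions and confirm the session shows active) is easy to script when you have several sessions per user. The following is an added example for this page, not code from the thread or from ConsoleKit: it parses the "SessionN:" blocks of "key = 'value'" lines in the shape quoted above, embedded here as a constructed sample with made-up values (one active local X session and one inactive remote login), and reports per session whether ConsoleKit would treat it as the active local console session, which is the condition under which it hands that uid the device permissions. The parser also tolerates a missing closing quote, as in the wrapped session-type line quoted above.

```python
"""Tell from ck-list-sessions output whether ConsoleKit regards a session as
the active local console.

Added example, not from the thread or from ConsoleKit. It applies the rule
stated in the thread: a session that does not show active = TRUE is not on
the console as far as ConsoleKit is concerned, so its uid gets no device
permissions; is-local is checked as well, since remote sessions never do.
"""
import re

# Constructed sample in the shape ck-list-sessions prints; values are made up.
# Session2 is an active local X session, Session5 an inactive remote login.
SAMPLE_OUTPUT = """\
Session2:
\tuid = '3267'
\trealname = 'Example User'
\tseat = 'Seat1'
\tsession-type = ''
\tactive = TRUE
\tx11-display = ':0'
\tx11-display-device = '/dev/tty7'
\tdisplay-device = ''
\tremote-host-name = ''
\tis-local = TRUE
\ton-since = '2007-12-04T18:46:05Z'
Session5:
\tuid = '3267'
\trealname = 'Example User'
\tseat = ''
\tsession-type = ''
\tactive = FALSE
\tx11-display = ''
\tx11-display-device = ''
\tdisplay-device = '/dev/pts/1'
\tremote-host-name = '192.0.2.10'
\tis-local = FALSE
\ton-since = '2007-12-04T19:01:00Z'
"""

HEADER_RE = re.compile(r"^(Session\d+):$")
# Values are quoted ('3267') except booleans (TRUE); the closing quote is
# optional so a wrapped or truncated line such as "session-type = '" still parses.
KV_RE = re.compile(r"^([\w-]+) = '?(.*?)'?$")


def parse_sessions(text):
    """Return {session name: {key: value}} from ck-list-sessions output."""
    sessions, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = sessions.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sessions


def console_status(session):
    """(ok, reasons): ok when ConsoleKit would grant this session's uid the device ACLs."""
    reasons = []
    if session.get("active") != "TRUE":
        reasons.append("not active")
    if session.get("is-local") != "TRUE":
        reasons.append("not local")
    return (not reasons, reasons)


def console_sessions_for(text, uid):
    """Names of the sessions belonging to uid that count as the active local console."""
    return [name for name, s in parse_sessions(text).items()
            if s.get("uid") == uid and console_status(s)[0]]


if __name__ == "__main__":
    for name, s in parse_sessions(SAMPLE_OUTPUT).items():
        ok, reasons = console_status(s)
        verdict = "console" if ok else "no console: " + ", ".join(reasons)
        print(f"{name}: uid={s.get('uid')} {verdict}")
```

On a live system pipe the real output in (`ck-list-sessions | python3 this_script.py` with `sys.stdin.read()` in place of the sample); if your uid has no session in the `console` state, device permissions will not be adjusted for you, whatever the SELinux mode.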