"Christoph A." 06-21-2010 10:42 AM

sound within sandbox_web_t type and permissive type sandbox_web_client_t
 
Hi,

I can remember that while using F12 I had sound within sandbox_web_t
running firefox. Since I'm using F13 sound within the sandbox
disappeared and while running a sandbox I constantly (every 20 seconds)
get abrt notifications that pulseaudio crashed.

pulseaudio version:
pulseaudio-0.9.21-6.fc13


audit.log contains the following lines:
type=ANOM_ABEND msg=audit(1277115690.389:210): auid=500 uid=500 gid=500
ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
pid=5913 comm="pulseaudio" sig=6
type=ANOM_ABEND msg=audit(1277115695.613:211): auid=500 uid=500 gid=500
ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
pid=5924 comm="pulseaudio" sig=6
type=ANOM_ABEND msg=audit(1277115700.998:212): auid=500 uid=500 gid=500
ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
pid=5936 comm="pulseaudio" sig=6
type=ANOM_ABEND msg=audit(1277115706.240:213): auid=500 uid=500 gid=500
ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
pid=5947 comm="pulseaudio" sig=6
[...]

Is someone experiencing the same problem?
If needed I can add the pulseaudio abrt backtrace.


My second question also regarding sandboxes:

This is an AVC I frequently come across:
type=AVC msg=audit(1277029467.183:2147): avc: denied { read write } for
pid=3038 comm="gvfs-fuse-daemo" name="fuse" dev=devtmpfs ino=9048
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c503,c936
tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file

The troubleshooter tells me that this type is running in permissive
mode. Is this supposed to be like that (default) or is this a
misconfiguration on my side?

[gvfs-fuse-daemo has a permissive type (sandbox_web_client_t). This
access was not denied.]

kind regards,
Christoph





--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

"Christoph A." 06-21-2010 11:24 PM

On 06/21/2010 04:47 PM, Daniel J Walsh wrote:
> No the setroubleshooter is wrong. What it should be telling you is that
> the syscall that generated the AVC did not get denied. The tool
> mistakenly sees this and assumes that the process was permissive. We
> need to fix setroubleshoot to check the permissive flag in policy if the
> success=yes flag is set.

Should I file a bugreport against this or is there already one?

> There is a bug report open on sound not working in F13 when run under
> sandbox. It seems to work on F14.
>
> Miroslav is working on this problem.

Nice to hear that someone is already taking care of that issue.
Could you point me to the bugreport?

kind regards,
Christoph


Daniel J Walsh 06-22-2010 12:27 PM

On 06/21/2010 07:24 PM, Christoph A. wrote:
> On 06/21/2010 04:47 PM, Daniel J Walsh wrote:
>> No the setroubleshooter is wrong. What it should be telling you is that
>> the syscall that generated the AVC did not get denied. The tool
>> mistakenly sees this and assumes that the process was permissive. We
>> need to fix setroubleshoot to check the permissive flag in policy if the
>> success=yes flag is set.
>
> Should I file a bugreport against this or is there already one?
>
Yes
>> There is a bug report open on sound not working in F13 when run under
>> sandbox. It seems to work on F14.
>>
>> Miroslav is working on this problem.
>
> Nice to hear that someone is already taking care of that issue.
> Could you point me to the bugreport?
>
Miroslav responded with Bug #602768
> kind regards,
> Christoph
>

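Added example, not part of the thread and not setroubleshoot's code: one way to apply the check Daniel J Walsh describes, pairing each AVC with the SYSCALL record of the same audit event and consulting the policy's permissive types only when success=yes. The AVC line is the one from the first post; the SYSCALL records, the second event, the `classify` function and its `permissive_types` argument are constructed for illustration (on a live system the permissive list could be taken from `semanage permissive -l`).

```python
import re
from collections import defaultdict

# First AVC is from the post; both SYSCALL records and the second event are constructed.
SAMPLE_LOG = '''\
type=AVC msg=audit(1277029467.183:2147): avc: denied { read write } for pid=3038 comm="gvfs-fuse-daemo" name="fuse" dev=devtmpfs ino=9048 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c503,c936 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1277029467.183:2147): arch=c000003e syscall=2 success=yes exit=5 pid=3038 comm="gvfs-fuse-daemo"
type=AVC msg=audit(1277029470.001:2150): avc: denied { read } for pid=3040 comm="example" name="secret" scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c503,c936 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1277029470.001:2150): arch=c000003e syscall=2 success=no exit=-13 pid=3040 comm="example"
'''

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
SCONTEXT_RE = re.compile(r'\bscontext=[^:\s]+:[^:\s]+:([^:\s]+)')  # captures the type field
SUCCESS_RE = re.compile(r'\bsuccess=(yes|no)\b')

def classify(log_text, permissive_types):
    """Return {event_id: verdict} for every audit event that contains an AVC."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()  # records of one event share the id
        if rtype == 'AVC':
            s = SCONTEXT_RE.search(body)
            if s:
                events[event_id]['stype'] = s.group(1)
        elif rtype == 'SYSCALL':
            s = SUCCESS_RE.search(body)
            if s:
                events[event_id]['success'] = s.group(1)
    verdicts = {}
    for event_id, ev in events.items():
        if 'stype' not in ev:
            continue  # event carried no AVC record
        success = ev.get('success')
        if success is None:
            verdicts[event_id] = 'unknown: no SYSCALL record for this event'
        elif success == 'no':
            verdicts[event_id] = 'syscall failed'
        elif ev['stype'] in permissive_types:  # only now consult the policy
            verdicts[event_id] = 'allowed: domain is permissive in policy'
        else:
            verdicts[event_id] = 'syscall succeeded: domain is not permissive'
    return verdicts

if __name__ == '__main__':
    for eid, verdict in classify(SAMPLE_LOG, permissive_types=set()).items():
        print(eid, '->', verdict)
```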

