Linux Archive


Daniel J Walsh 06-21-2010 02:47 PM

sound within sandbox_web_t type and permissive type sandbox_web_client_t
 
On 06/21/2010 06:42 AM, Christoph A. wrote:
> Hi,
>
> I can remember that while using F12 I had sound within sandbox_web_t
> running firefox. Since I'm using F13 sound within the sandbox
> disappeared and while running a sandbox I constantly (every 20 seconds)
> get abrt notifications that pulseaudio crashed.
>
> pulseaudio version:
> pulseaudio-0.9.21-6.fc13
>
>
> audit.log contains following lines:
> type=ANOM_ABEND msg=audit(1277115690.389:210): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5913 comm="pulseaudio" sig=6
> type=ANOM_ABEND msg=audit(1277115695.613:211): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5924 comm="pulseaudio" sig=6
> type=ANOM_ABEND msg=audit(1277115700.998:212): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5936 comm="pulseaudio" sig=6
> type=ANOM_ABEND msg=audit(1277115706.240:213): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5947 comm="pulseaudio" sig=6
> [...]
>
> Is someone experiencing the same problem?
> If needed I can add the pulseaudio abrt backtrace.
>
>
> My second question also regarding sandboxes:
>
> This is an AVC I frequently come across:
> type=AVC msg=audit(1277029467.183:2147): avc: denied { read write } for
> pid=3038 comm="gvfs-fuse-daemo" name="fuse" dev=devtmpfs ino=9048
> scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c503,c936
> tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file
>
> The troubleshooter tells me that this type is running in permissive
> mode. Is this supposed to be like that (default) or is this a
> misconfiguration on my side?
>
> [gvfs-fuse-daemo has a permissive type (sandbox_web_client_t). This
> access was not denied.]
>
> kind regards,
> Christoph

No, the setroubleshooter is wrong. What it should be telling you is that
the syscall that generated the AVC did not get denied. The tool
mistakenly sees this and assumes that the process was permissive. We
need to fix setroubleshoot to check the permissive flag in policy if the
success=yes flag is set.

There is a bug report open on sound not working in F13 when run under
sandbox. It seems to work on F14.

Miroslav is working on this problem.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
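
Added example (not part of the original thread and not setroubleshoot's code): a minimal sketch of the check described in the reply above, pairing each AVC with the SYSCALL record of the same audit event and consulting a list of permissive types only when `success=yes`. It assumes the caller supplies the permissive types (for instance from `semanage permissive -l`) and it ignores global permissive mode; both SYSCALL records and event 2148 are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample. The first AVC is the one quoted in the post, joined onto
# one line; both SYSCALL records and all of event 2148 are made up.
SAMPLE = """\
type=AVC msg=audit(1277029467.183:2147): avc: denied { read write } for pid=3038 comm="gvfs-fuse-daemo" name="fuse" dev=devtmpfs ino=9048 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c503,c936 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1277029467.183:2147): arch=c000003e syscall=59 success=yes exit=0 pid=3038 comm="gvfs-fuse-daemo"
type=AVC msg=audit(1277029470.000:2148): avc: denied { read } for pid=3040 comm="example" name="notes.txt" dev=dm-0 ino=1234 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c503,c936 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1277029470.000:2148): arch=c000003e syscall=2 success=no exit=-13 pid=3040 comm="example"
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
DOMAIN = re.compile(r"scontext=[^:\s]+:[^:\s]+:([^:\s]+)")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")


def classify(log_text, permissive_types):
    """Map audit event id -> (source domain, verdict) for every AVC event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            # Records sharing the "timestamp:serial" id belong to one event.
            events[m.group(2)][m.group(1)] = m.group(3)
    verdicts = {}
    for event_id, records in events.items():
        if "AVC" not in records:
            continue
        dom = DOMAIN.search(records["AVC"])
        domain = dom.group(1) if dom else None
        ok = SUCCESS.search(records.get("SYSCALL", ""))
        if ok is None:
            verdict = "unknown: no SYSCALL record"
        elif ok.group(1) == "no":
            verdict = "syscall failed"
        elif domain in permissive_types:
            verdict = "permissive domain"
        else:
            # success=yes alone does not prove the domain is permissive.
            verdict = "syscall succeeded, domain not permissive"
        verdicts[event_id] = (domain, verdict)
    return verdicts


if __name__ == "__main__":
    for event_id, result in classify(SAMPLE, permissive_types=set()).items():
        print(event_id, *result)
```
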

Miroslav Grepl 06-22-2010 12:20 PM

sound within sandbox_web_t type and permissive type sandbox_web_client_t
 
On 06/22/2010 01:24 AM, Christoph A. wrote:
> On 06/21/2010 04:47 PM, Daniel J Walsh wrote:
> > No, the setroubleshooter is wrong. What it should be telling you is that
> > the syscall that generated the AVC did not get denied. The tool
> > mistakenly sees this and assumes that the process was permissive. We
> > need to fix setroubleshoot to check the permissive flag in policy if the
> > success=yes flag is set.
>
> Should I file a bugreport against this or is there already one?
>
> > There is a bug report open on sound not working in F13 when run under
> > sandbox. It seems to work on F14.
> >
> > Miroslav is working on this problem.
>
> Nice to hear that someone is already taking care of that issue.
> Could you point me to the bugreport?

Bug #602768

Regards,

Miroslav

> kind regards,
> Christoph



