 
06-21-2010, 02:47 PM
Daniel J Walsh

sound within sandbox_web_t type and permissive type sandbox_web_client_t

On 06/21/2010 06:42 AM, Christoph A. wrote:
> Hi,
>
> I can remember that while using F12 I had sound within sandbox_web_t
> running firefox. Since I'm using F13 sound within the sandbox
> disappeared and while running a sandbox I constantly (every 20 seconds)
> get abrt notifications that pulseaudio crashed.
>
> pulseaudio version:
> pulseaudio-0.9.21-6.fc13
>
>
> audit.log contains following lines:
> type=ANOM_ABEND msg=audit(1277115690.389:210): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5913 comm="pulseaudio" sig=6
> type=ANOM_ABEND msg=audit(1277115695.613:211): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5924 comm="pulseaudio" sig=6
> type=ANOM_ABEND msg=audit(1277115700.998:212): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5936 comm="pulseaudio" sig=6
> type=ANOM_ABEND msg=audit(1277115706.240:213): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5947 comm="pulseaudio" sig=6
> [...]
>
> Is someone experiencing the same problem?
> If needed I can add the pulseaudio abrt backtrace.
>
>
> My second question also regarding sandboxes:
>
> This is an AVC I frequently come across:
> type=AVC msg=audit(1277029467.183:2147): avc: denied { read write } for
> pid=3038 comm="gvfs-fuse-daemo" name="fuse" dev=devtmpfs ino=9048
> scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c503,c936
> tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file
>
> The troubleshooter tells me that this type is running in permissive
> mode. Is this supposed to be like that (default) or is this a
> misconfiguration on my side?
>
> [gvfs-fuse-daemo has a permissive type (sandbox_web_client_t). This
> access was not denied.]
>
> kind regards,
> Christoph

No, the setroubleshooter is wrong. What it should be telling you is that
the syscall that generated the AVC did not get denied. The tool
mistakenly sees this and assumes that the process was permissive. We
need to fix setroubleshoot to check the permissive flag in policy if the
success=yes flag is set.

There is a bug report open on sound not working in F13 when run under
sandbox. It seems to work on F14.

Miroslav is working on this problem.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
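
The check Daniel describes (consult the policy's permissive flag only when the SYSCALL record shows success=yes), sketched as an added example that is not part of the thread and is not setroubleshoot's code. The SYSCALL record in the sample and the `permissive_types` input are assumptions; the latter stands in for a policy lookup such as `semanage permissive -l`.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC is the record quoted in the thread; the SYSCALL
# record sharing its event id is constructed for illustration.
SAMPLE_LOG = (
    'type=AVC msg=audit(1277029467.183:2147): avc: denied { read write } for '
    'pid=3038 comm="gvfs-fuse-daemo" name="fuse" dev=devtmpfs ino=9048 '
    'scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c503,c936 '
    'tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file\n'
    'type=SYSCALL msg=audit(1277029467.183:2147): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=3038 comm="gvfs-fuse-daemo"\n'
)

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
SOURCE_TYPE = re.compile(r"scontext=[^:\s]+:[^:\s]+:([^:\s]+)")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")

def classify_avcs(log_text, permissive_types):
    # Returns (event_id, source_type, verdict) for every AVC record.
    # permissive_types (assumption): set of permissive domains from the policy.
    events = defaultdict(lambda: {"avcs": [], "success": None})
    for line in log_text.splitlines():
        event = EVENT_ID.search(line)
        if not event:
            continue
        record = events[event.group(1)]  # records of one event share an id
        if line.startswith("type=AVC"):
            record["avcs"].append(line)
        elif line.startswith("type=SYSCALL"):
            flag = SUCCESS.search(line)
            record["success"] = flag.group(1) if flag else None
    results = []
    for event_id, record in events.items():
        for avc in record["avcs"]:
            source = SOURCE_TYPE.search(avc)
            if not source:
                continue  # malformed AVC without a usable scontext
            if record["success"] is None:
                verdict = "unknown: no SYSCALL record"
            elif record["success"] == "no":
                verdict = "denied"
            elif source.group(1) in permissive_types:
                verdict = "allowed: permissive domain"
            else:
                verdict = "syscall succeeded: domain not permissive"
            results.append((event_id, source.group(1), verdict))
    return results
```

With an empty `permissive_types` set the sample event is reported as a successful syscall from a non-permissive domain, rather than being attributed to a permissive type.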
 
06-22-2010, 12:20 PM
Miroslav Grepl

sound within sandbox_web_t type and permissive type sandbox_web_client_t

On 06/22/2010 01:24 AM, Christoph A. wrote:
> On 06/21/2010 04:47 PM, Daniel J Walsh wrote:
>> No, the setroubleshooter is wrong. What it should be telling you is that
>> the syscall that generated the AVC did not get denied. The tool
>> mistakenly sees this and assumes that the process was permissive. We
>> need to fix setroubleshoot to check the permissive flag in policy if the
>> success=yes flag is set.
>
> Should I file a bug report against this or is there already one?
>
>> There is a bug report open on sound not working in F13 when run under
>> sandbox. It seems to work on F14.
>>
>> Miroslav is working on this problem.
>
> Nice to hear that someone is already taking care of that issue.
> Could you point me to the bug report?

Bug #602768

Regards,

Miroslav

> kind regards,
> Christoph
