On Mon, 2013-12-09 at 19:28 +0000, fedorauser wrote:
It doesn't seem to work in permissive mode either.
There is no ~/.pulse in my home.
I've been playing with this a bit and this quick and dirty hack "fixed" it
for me:
# Write a small local policy module that extends the sandbox_web_client_t domain
cat > mysand.te <<EOF
policy_module(mysand, 1.0.0)
gen_require(`
type sandbox_web_client_t;
')
# let the sandboxed process set its own capabilities
allow sandbox_web_client_t self:process setcap;
application_signull(sandbox_web_client_t)
domain_role_change_exemption(sandbox_web_client_t)
domain_system_change_exemption(sandbox_web_client_t)
# let the sandboxed process transition to another domain
allow sandbox_web_client_t self:process transition;
# allow the domain under the system_r role (needed for pulseaudio here)
role system_r types sandbox_web_client_t;
EOF
# build the module package and load it
make -f /usr/share/selinux/devel/Makefile mysand.pp
sudo semodule -i mysand.pp
A couple of comments: I'm not sure if the
"domain_role_change_exemption(sandbox_web_client_t)" is actually needed, but I
guess it would make sense if it is.
I don't know why pulseaudio is determined to run with the system_r role, but I suspect
it may be started by the dbus system bus? (In other distros, and in refpolicy, pulseaudio just
runs with the user role.)
This is just a dirty hack.
You might want to create a different sandbox with this functionality instead of extending
the existing sandbox_web_client_t one like I did in my example.
To see how you can create custom sandbox policies:
https://www.youtube.com/watch?v=0PaNlkjXrWk
Make sure to restart your sandbox after you have loaded this policy.
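As an added example (not part of the reply above, and not a refpolicy tool), here is a small reviewer script that parses a .te module like the one in the post and flags the grants that widen a confined sandbox domain (setcap, domain transition, the role-change and system-change exemptions, and membership in system_r), so you can see at a glance what a quick fix like this hands to the sandbox before deciding whether a separate sandbox domain is the better option. The sample module and the reason strings are constructed here; the regexes cover only the simple rule forms used in the post.

```python
import re

# Constructed sample input: the policy module from the post above.
SAMPLE_TE = """policy_module(mysand, 1.0.0)
gen_require(`
type sandbox_web_client_t;
')
allow sandbox_web_client_t self:process setcap;
application_signull(sandbox_web_client_t)
domain_role_change_exemption(sandbox_web_client_t)
domain_system_change_exemption(sandbox_web_client_t)
allow sandbox_web_client_t self:process transition;
role system_r types sandbox_web_client_t;
"""

# Grants that widen a confined domain well beyond what a web sandbox needs.
# Reasons are the reviewer's own notes (assumption), not refpolicy documentation.
BROAD_PERMS = {"setcap": "process may raise its own capabilities",
               "transition": "process may transition to another domain"}
BROAD_IFACES = {"domain_role_change_exemption": "domain is exempt from role-change constraints",
                "domain_system_change_exemption": "domain is exempt from system-domain change constraints"}
BROAD_ROLES = {"system_r": "domain is added to the system role, as a daemon would be"}

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);")
IFACE_RE = re.compile(r"^(\w+)\((.*)\)$")
ROLE_RE = re.compile(r"^role\s+(\S+)\s+types\s+(\S+);")

def review(text):
    """Return (statement, reason) for every rule in a .te module that matches a broad grant."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if m := ALLOW_RE.match(line):
            src, tgt, cls, perms = m.groups()
            for p in perms.strip("{}").split():
                if p in BROAD_PERMS:
                    findings.append((f"allow {src} {tgt}:{cls} {p}", BROAD_PERMS[p]))
        elif m := ROLE_RE.match(line):
            role, dom = m.groups()
            if role in BROAD_ROLES:
                findings.append((f"role {role} types {dom}", BROAD_ROLES[role]))
        elif (m := IFACE_RE.match(line)) and m.group(1) in BROAD_IFACES:
            findings.append((line, BROAD_IFACES[m.group(1)]))
    return findings

if __name__ == "__main__":
    for stmt, why in review(SAMPLE_TE):
        print(f"{stmt:55} # {why}")
```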