Hi,
I'm running my firefox in a SELinux sandbox, but have the following problem:
Sound will always play via the integrated speakers but never on the "remote" screen (which is attached via HDMI).
This problem only occurs within a sandboxed firefox (but not in "natively" run firefox).
Can this be fixed via changing certain settings or is this a bug?
thanks!
On Sun, 2013-12-08 at 20:54 +0000, fedorauser wrote:
Hi,
I'm running my firefox in a SELinux sandbox, but have the following problem:
Sound will always play via the integrated speakers but never on the "remote" screen (which is attached via HDMI).
Does it work with SELinux in permissive mode? (just a test)
I am not so familiar with sandbox but the technology has at least two elements to consider.
1. the SELinux policy: difficulties with policy are usually easy to fix
2. mount name spaces: issues with regard to this are probably harder to solve.
By determining whether it works in permissive mode you might be able to quickly rule out an issue with 1.
I can speculate but that's probably not so constructive.
A simple explanation of the mount name space is that sandbox has its own view of the home directory. So it might not be aware of (see) the pulse audio socket. So it might not be able to use the sound server, which might be needed for the hdmi-audio functionality.
That is speculation at this point though
On Sun, 08 Dec 2013 20:54:28 +0000 fedorauser fedorauser@vfemail.net wrote:
Hi,
I'm running my firefox in a SELinux sandbox, but have the following problem:
Sound will always play via the integrated speakers but never on the "remote" screen (which is attached via HDMI).
This problem only occurs within a sandboxed firefox (but not in "natively" run firefox).
Can this be fixed via changing certain settings or is this a bug?
thanks!
Try to include ~/.pulse into sandboxed directory.
It doesn't seem to work in permissive mode either.
There is no ~/.pulse in my home.
On Mon, 2013-12-09 at 19:28 +0000, fedorauser wrote:
It doesn't seem to work in permissive mode either.
There is no ~/.pulse in my home.
I've been playing with this a bit and this quick and dirty hack "fixed" it for me:
# Quote the here-document delimiter so the shell leaves the backtick in gen_require alone
cat > mysand.te <<'EOF'
policy_module(mysand, 1.0.0)

gen_require(`
	type sandbox_web_client_t;
')

allow sandbox_web_client_t self:process setcap;
application_signull(sandbox_web_client_t)

domain_role_change_exemption(sandbox_web_client_t)
domain_system_change_exemption(sandbox_web_client_t)
allow sandbox_web_client_t self:process transition;
role system_r types sandbox_web_client_t;
EOF

make -f /usr/share/selinux/devel/Makefile mysand.pp
sudo semodule -i mysand.pp
Couple comments: not sure if the "domain_role_change_exemption(sandbox_web_client_t)" is actually needed, but i guess it would make sense if it does
I don't know why pulseaudio is determined to run with the system_r role but i suspect it may be started by the dbus system bus? (in other distros, and refpolicy pulseaudio just runs with the user role)
This is just a dirty hack
You might want to create a different sandbox with this functionality instead of extending the existing sandbox_web_client_t one like I did in my example
To see how you can create custom sandbox policies:
https://www.youtube.com/watch?v=0PaNlkjXrWk
Make sure to restart your sandbox after you loaded this policy
On Tue, 2013-12-10 at 00:01 +0100, Dominick Grift wrote:
On Mon, 2013-12-09 at 19:28 +0000, fedorauser wrote:
It doesn't seem to work in permissive mode either.
There is no ~/.pulse in my home.
I've been playing with this a bit and this quick and dirty hack "fixed" it for me:
I've recorded my "tinkering" session for reference purposes I guess:
https://www.youtube.com/watch?v=RmfjinMJ-ns
Again, this is really not a good solution. Instead we should figure out why pulseaudio is determined to role change to system_r, and deal with that
On Tue, 2013-12-10 at 00:01 +0100, Dominick Grift wrote:
I don't know why pulseaudio is determined to run with the system_r role but i suspect it may be started by the dbus system bus? (in other distros, and refpolicy pulseaudio just runs with the user role)
It is actually just a role transition rule that tells selinux to role transition from unconfined_r to system_r on pulseaudio_exec_t.
$ sesearch --role_trans -t pulseaudio_exec_t
Found 1 role_transition rules:
   role_transition unconfined_r pulseaudio_exec_t system_r;
I do not know why it was decided to do this. I think we should get rid of that if possible
On 12/10/2013 07:58 AM, Dominick Grift wrote:
On Tue, 2013-12-10 at 00:01 +0100, Dominick Grift wrote:
I don't know why pulseaudio is determined to run with the system_r role but i suspect it may be started by the dbus system bus? (in other distros, and refpolicy pulseaudio just runs with the user role)
It is actually just a role transition rule that tells selinux to role transition from unconfined_r to system_r on pulseaudio_exec_t.
$ sesearch --role_trans -t pulseaudio_exec_t
Found 1 role_transition rules:
   role_transition unconfined_r pulseaudio_exec_t system_r;
I do not know why it was decided to do this. I think we should get rid of that if possible
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I agree.
On 12/08/2013 03:54 PM, fedorauser wrote:
Hi,
I'm running my firefox in a SELinux sandbox, but have the following problem:
Sound will always play via the integrated speakers but never on the "remote" screen (which is attached via HDMI).
This problem only occurs within a sandboxed firefox (but not in "natively" run firefox).
Can this be fixed via changing certain settings or is this a bug?
thanks!
Could you see if you are getting AVCs?
ausearch -m avc -ts recent
On Tue, 2013-12-10 at 08:56 -0500, Daniel J Walsh wrote:
Could you see if you are getting AVCs?
ausearch -m avc -ts recent
firefox runs pulseaudio, but since there is role_transition from unconfined_r to system_r via pulseaudio_exec_t specified the following related avc denials/selinux_errs occur:
type=AVC msg=audit(1386626727.085:4005): avc: denied { transition } for pid=3064 comm="firefox" path="/usr/bin/pulseaudio" dev="dm-0" ino=2109429 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
type=SELINUX_ERR msg=audit(1386626727.085:4005): security_compute_sid: invalid context unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 for scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=process
If you allow the above with:
domain_system_change_exemption(sandbox_web_client_t)
allow sandbox_web_client_t self:process transition;
role system_r types sandbox_web_client_t;
Things still fail. Mainly due to:
type=AVC msg=audit(1386626727.097:4007): avc: denied { setcap } for pid=3064 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
If you allow the above with:
allow sandbox_web_client_t self:process setcap;
Then things start to work slowly. But this will expose the usual pulseaudio related events like for example:
type=AVC msg=audit(1386626727.119:4010): avc: denied { signull } for pid=3068 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
Which you can allow with:
application_signull(sandbox_web_client_t)
In refpolicy we added a pulseaudio_client type attribute that allows pulseaudio_clients to send null signals to each other amongst other things. This enables us to narrow the null signals down a bit. However I have not yet created an interface that associates caller with this type attribute. Instead it is only associated to pulseaudio_t
Finally one needs to deal with the pulseaudio ipc:
type=AVC msg=audit(1386630028.070:4182): avc: denied { read } for pid=933 comm="plugin-containe" name="pulse-shm-714554573" dev="tmpfs" ino=56617860 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file
In refpolicy we deal with this by associating the pulseaudio_tmpfsfile type attribute to pulse audio tmpfs related file types. There is an interface in refpolicy that can be used for this:
########################################
## <summary>
##	Make the specified tmpfs file type
##	pulseaudio tmpfs content.
## </summary>
## <param name="file_type">
##	<summary>
##	File type to make pulseaudio tmpfs content.
##	</summary>
## </param>
#
interface(`pulseaudio_tmpfs_content',`
	gen_require(`
		attribute pulseaudio_tmpfsfile;
	')

	typeattribute $1 pulseaudio_tmpfsfile;
')
That will allow all "pulseaudio_client" to read, delete etc all pulseaudio_tmpfiles
I do not know why you decided to add a role transition from unconfined_r to system_r via pulseaudio_t. I suspect it may have to do with the fact that pulseaudio can also be configured as a system service and that this caused you to add the role transition since else you would get into conflict with the init_run_daemon(unconfined_t)
In refpolicy we currently do not support pulseaudio as a system service, But if we do then we will probably create a system_pulseaudio_t, and a session_pulseaudio_t so that we avoid conflict with roles and such
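The denial-by-denial analysis in the message above can be mechanized. The following is an added example, not code from the thread or from the SELinux project (the function names are hypothetical): it parses AVC records copied from the thread into the raw allow rule each one implies, and flags the process transition whose role changes, which is the system_r problem under discussion.

```python
import re

# Three AVC records copied from the denials quoted in this thread.
SAMPLE = '''\
type=AVC msg=audit(1386626727.085:4005): avc: denied { transition } for pid=3064 comm="firefox" path="/usr/bin/pulseaudio" dev="dm-0" ino=2109429 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
type=AVC msg=audit(1386626727.097:4007): avc: denied { setcap } for pid=3064 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
type=AVC msg=audit(1386630028.070:4182): avc: denied { read } for pid=933 comm="plugin-containe" name="pulse-shm-714554573" dev="tmpfs" ino=56617860 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def split_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range may itself contain ':'."""
    parts = ctx.split(":", 3) + [""]   # pad so a context without a range still works
    return dict(zip(("user", "role", "type", "mls"), parts))

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": m["perms"].split(), "comm": m["comm"], "tclass": m["tclass"],
            "source": split_context(m["scon"]), "target": split_context(m["tcon"])}

def triage(line):
    """Return (raw allow rule, note) for a denial; the note flags a role change."""
    avc = parse_avc(line)
    if avc is None:
        return None
    src, tgt, perms = avc["source"], avc["target"], avc["perms"]
    target = "self" if src["type"] == tgt["type"] else tgt["type"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = f"allow {src['type']} {target}:{avc['tclass']} {perm};"
    note = ""
    # A process transition whose target role differs is the system_r case from
    # the thread: the allow rule alone is not enough, the role must also be
    # authorized for the type or the kernel rejects the context as invalid.
    if "transition" in perms and src["role"] != tgt["role"]:
        note = (f"role change {src['role']} -> {tgt['role']}: "
                f"needs 'role {tgt['role']} types {tgt['type']};'")
    return rule, note

if __name__ == "__main__":
    for record in SAMPLE.splitlines():
        rule, note = triage(record)
        print(rule, ("# " + note) if note else "")
```

The first rule and its note correspond to the "allow ... self:process transition;" and "role system_r types ..." lines of the policy module posted earlier in the thread.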
On Tue, 2013-12-10 at 15:37 +0100, Dominick Grift wrote:
In refpolicy we currently do not support pulseaudio as a system service, But if we do then we will probably create a system_pulseaudio_t, and a session_pulseaudio_t so that we avoid conflict with roles and such
That's not going to work either. direct_initrc and init_run_daemon() are just problematic. fortunately for Fedora you have systemd now
On 12/10/2013 03:37 PM, Dominick Grift wrote:
On Tue, 2013-12-10 at 08:56 -0500, Daniel J Walsh wrote:
Could you see if you are getting AVCs?
ausearch -m avc -ts recent
firefox runs pulseaudio, but since there is role_transition from unconfined_r to system_r via pulseaudio_exec_t specified the following related avc denials/selinux_errs occur:
type=AVC msg=audit(1386626727.085:4005): avc: denied { transition } for pid=3064 comm="firefox" path="/usr/bin/pulseaudio" dev="dm-0" ino=2109429 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
type=SELINUX_ERR msg=audit(1386626727.085:4005): security_compute_sid: invalid context unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 for scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=process
If you allow the above with:
domain_system_change_exemption(sandbox_web_client_t)
allow sandbox_web_client_t self:process transition;
role system_r types sandbox_web_client_t;
Things still fail. Mainly due to:
type=AVC msg=audit(1386626727.097:4007): avc: denied { setcap } for pid=3064 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
If you allow the above with:
allow sandbox_web_client_t self:process setcap;
Then things start to work slowly. But this will expose the usual pulseaudio related events like for example:
type=AVC msg=audit(1386626727.119:4010): avc: denied { signull } for pid=3068 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
Which you can allow with:
application_signull(sandbox_web_client_t)
In refpolicy we added a pulseaudio_client type attribute that allows pulseaudio_clients to send null signals to each other amongst other things. This enables us to narrow the null signals down a bit. However I have not yet created an interface that associates caller with this type attribute. Instead it is only associated to pulseaudio_t
Finally one needs to deal with the pulseaudio ipc:
type=AVC msg=audit(1386630028.070:4182): avc: denied { read } for pid=933 comm="plugin-containe" name="pulse-shm-714554573" dev="tmpfs" ino=56617860 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file
In refpolicy we deal with this by associating the pulseaudio_tmpfsfile type attribute to pulse audio tmpfs related file types. There is an interface in refpolicy that can be used for this:
########################################
## <summary>
##	Make the specified tmpfs file type
##	pulseaudio tmpfs content.
## </summary>
## <param name="file_type">
##	<summary>
##	File type to make pulseaudio tmpfs content.
##	</summary>
## </param>
#
interface(`pulseaudio_tmpfs_content',`
	gen_require(`
		attribute pulseaudio_tmpfsfile;
	')

	typeattribute $1 pulseaudio_tmpfsfile;
')
That will allow all "pulseaudio_client" to read, delete etc all pulseaudio_tmpfiles
I do not know why you decided to add a role transition from unconfined_r to system_r via pulseaudio_t. I suspect it may have to do with the fact that pulseaudio can also be configured as a system service and that this caused you to add the role transition since else you would get into conflict with the init_run_daemon(unconfined_t)
In refpolicy we currently do not support pulseaudio as a system service, But if we do then we will probably create a system_pulseaudio_t, and a session_pulseaudio_t so that we avoid conflict with roles and such
OK, I see it also on F20. Will check it. Also we merged most of pulseaudio changes from refpolicy in rawhide.
On Fri, 2013-12-13 at 09:35 +0100, Miroslav Grepl wrote:
OK, I see it also on F20. Will check it. Also we merged most of pulseaudio changes from refpolicy in rawhide.
The suspected proper fix for this system_r issue is posted to the refpolicy maillist: RFC: direct_init_entry breaks direct_initrc
It's a bug in the init module
So basically, I just have to wait for the update that is going to fix it for me?
Or do you still need any AVCs from my side?
On 12/19/2013 07:37 PM, fedorauser wrote:
So basically, I just have to wait for the update that is going to fix it for me?
Or do you still need any AVCs from my side?
Basically I see it also but could you open a new bug? It is my TODO for these days.
Thank you.
Regards, Miroslav
On 01/07/2014 08:42 AM, Miroslav Grepl wrote:
On 12/19/2013 07:37 PM, fedorauser wrote:
So basically, I just have to wait for the update that is going to fix it for me?
Or do you still need any AVCs from my side?
Basically I see it also but could you open a new bug? It is my TODO for these days.
Thank you.
Regards, Miroslav
I am just playing with a fix for this issue.
On 12/19/2013 07:37 PM, fedorauser wrote:
So basically, I just have to wait for the update that is going to fix it for me?
Or do you still need any AVCs from my side?
Any chance to re-test it with