2:54 p.m.
Hi,
I'm running my firefox in a SELinux sandbox, but have the following problem:
Sound will always play via the integrated speakers but never on the
"remote" screen (which is attached via HDMI).
This problem only occurs within a sandboxed firefox (but not in
"natively" run firefox).
Can this be fixed via a changing certain settings or is this a bug?
thanks!
-------------------------------------------------
VFEmail.net - http://www.vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's
hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
8:50 a.m.
On Sun, 2013-12-08 at 20:54 +0000, fedorauser wrote:
Hi,
I'm running my firefox in a SELinux sandbox, but have the following problem:
Sound will always play via the integrated speakers but never on the
"remote" screen (which is attached via HDMI).
Does it work with SELinux is permissive mode? (just a test)
I am not so familiar with sandbox but the technology has at least two
elements to consider.
1. the SELinux policy: difficulties with policy are usually easy to fix
2. mount name spaces: issues with regard to this are probably harder to
solve.
By determining whether it works in permissive mode you might be able
quickly rule out an issue with 1.
I can speculate but that's probably not so constructive.
A simple explanation of the mount name space is that sandbox has its own
vie of the home directory. So it might not aware (see) of the pulse
audio socket. So it might not be able to use the sound server, which
might be needed for the hdmi-audio functionality
That is speculation at this point though
11:42 a.m.
On Sun, 08 Dec 2013 20:54:28 +0000
fedorauser <fedorauser(a)vfemail.net> wrote:
Hi,
I'm running my firefox in a SELinux sandbox, but have the following problem:
Sound will always play via the integrated speakers but never on the
"remote" screen (which is attached via HDMI).
This problem only occurs within a sandboxed firefox (but not in
"natively" run firefox).
Can this be fixed via a changing certain settings or is this a bug?
thanks!
Try to include ~/.pulse into sandboxed directory.
--
Fl@sh
1:28 p.m.
It doesn't seem to work in permissive mode either.
There is no ~/.pulse in my home.
-------------------------------------------------
VFEmail.net - http://www.vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's
hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
5:01 p.m.
On Mon, 2013-12-09 at 19:28 +0000, fedorauser wrote:
It doesn't seem to work in permissive mode either.
There is no ~/.pulse in my home.
I've been playing with this a bit and this quick and dirty hack "fixed" it
for me:
cat > mysand.te <<EOF
policy_module(mysand, 1.0.0)
gen_require(`
type sandbox_web_client_t;
')
allow sandbox_web_client_t self:process setcap;
application_signull(sandbox_web_client_t)
domain_role_change_exemption(sandbox_web_client_t)
domain_system_change_exemption(sandbox_web_client_t)
allow sandbox_web_client_t self:process transition;
role system_r types sandbox_web_client_t;
EOF
make -f /usr/share/selinux/devel/Makefile mysand.pp
sudo semodule -i mysand.pp
Couple comments: not sure if the
"domain_role_change_exemption(sandbox_web_client_t)" is actually needed, but i
guess it would make sense if it does
I don't know why pulseaudio is determined to run with the system_r role but i suspect
it may be started by the dbus system bus? (in other distros, and refpolicy pulseaudio just
runs with the user role)
This is just a dirty hack
You might want to create a different sandbox with this functionality instead of extending
the existing sandbox_web_client_t one like it did in my example
To see how you can create custom sandbox policies:
https://www.youtube.com/watch?v=0PaNlkjXrWk
Make sure to restart your sandbox after you loaded this policy
5:19 p.m.
On Tue, 2013-12-10 at 00:01 +0100, Dominick Grift wrote:
On Mon, 2013-12-09 at 19:28 +0000, fedorauser wrote:
> It doesn't seem to work in permissive mode either.
>
> There is no ~/.pulse in my home.
>
I've been playing with this a bit and this quick and dirty hack "fixed" it
for me:
Ive recorded my "tinkering" session for references purposes i guess:
https://www.youtube.com/watch?v=RmfjinMJ-ns
Again, this is really not a good solution. Instead we should figure out
why pulseaudio is determined to role change to system_r, and deal with
that
6:58 a.m.
On Tue, 2013-12-10 at 00:01 +0100, Dominick Grift wrote:
I don't know why pulseaudio is determined to run with the system_r role but i suspect
it may be started by the dbus system bus? (in other distros, and refpolicy pulseaudio just
runs with the user role)
It is actually just a role transition rule that tells selinux to role
transition from unconfined_r to system_r on pulseaudio_exec_t.
$ sesearch --role_trans -t pulseaudio_exec_t
Found 1 role_transition rules:
role_transition unconfined_r pulseaudio_exec_t system_r;
I do not know why it was decided to do this. I think we should get rid
of that if possible
8:20 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/10/2013 07:58 AM, Dominick Grift wrote:
On Tue, 2013-12-10 at 00:01 +0100, Dominick Grift wrote:
>
> I don't know why pulseaudio is determined to run with the system_r role
> but i suspect it may be started by the dbus system bus? (in other
> distros, and refpolicy pulseaudio just runs with the user role)
It is actually just a role transition rule that tells selinux to role
transition from unconfined_r to system_r on pulseaudio_exec_t.
> $ sesearch --role_trans -t pulseaudio_exec_t Found 1 role_transition
> rules: role_transition unconfined_r pulseaudio_exec_t system_r;
>
I do not know why it was decided to do this. I think we should get rid of
that if possible
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
I agree.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKnIyEACgkQrlYvE4MpobMV+gCcCUCfnxzqlNJyJMBOayZCVpBf
17sAoOOnAJnDPAp7FtAE3lAqZcmY6EUH
=zvQK
-----END PGP SIGNATURE-----
7:56 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/08/2013 03:54 PM, fedorauser wrote:
Hi,
I'm running my firefox in a SELinux sandbox, but have the following
problem:
Sound will always play via the integrated speakers but never on the
"remote" screen (which is attached via HDMI).
This problem only occurs within a sandboxed firefox (but not in "natively"
run firefox).
Can this be fixed via a changing certain settings or is this a bug?
thanks!
-------------------------------------------------
VFEmail.net - http://www.vfemail.net ONLY AT VFEmail! - Use our Metadata
Mitigator to keep your email out of the NSA's hands! $24.95 ONETIME
Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options! -- selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Could you see if you are getting AVCs?
ausearch -m avc -ts recent
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKnHYoACgkQrlYvE4MpobNJrQCdEVmKf2ALADa/PNuIc0oLvrSv
4MEAnRLTV9owgSpo+aObrAIlN5srvhOQ
=VUUy
-----END PGP SIGNATURE-----
8:37 a.m.
On Tue, 2013-12-10 at 08:56 -0500, Daniel J Walsh wrote:
>
Could you see if you are getting AVCs?
ausearch -m avc -ts recent
firefox runs pulseaudio, but since there is role_transition from
unconfined_r to system_r via pulseaudio_exec_t specified the following
related avc denials/selinux_errs occur:
type=AVC msg=audit(1386626727.085:4005): avc: denied { transition }
for pid=3064 comm="firefox" path="/usr/bin/pulseaudio"
dev="dm-0" ino=2109429
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377
tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
type=SELINUX_ERR msg=audit(1386626727.085:4005): security_compute_sid: invalid context
unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 for
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377
tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=process
If you allow the above with:
domain_system_change_exemption(sandbox_web_client_t)
allow sandbox_web_client_t self:process transition;
role system_r types sandbox_web_client_t;
Things still fail. Mainly due to:
type=AVC msg=audit(1386626727.097:4007): avc: denied { setcap } for
pid=3064 comm="pulseaudio"
scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377
tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
If you allow the above with:
allow sandbox_web_client_t self:process setcap;
Then things start to work slowly. But this will expose the usual
pulseadio related event like for example:
type=AVC msg=audit(1386626727.119:4010): avc: denied { signull }
for pid=3068 comm="pulseaudio"
scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377
tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
Which you can allow with:
application_signull(sandbox_web_client_t)
In refpolicy we added a pulseaudio_client type attribute that allows pulseaudio_clients to
send null signals to eachother amongst other things. This enables us to narrow the null
signals down a bit
However i have not yet created an interface that associates caller with this type
attribute. Instead it is only associated to pulseaudio_t
Finally one needs to deal with the pulseaudio ipc:
type=AVC msg=audit(1386630028.070:4182): avc: denied { read } for
pid=933 comm="plugin-containe" name="pulse-shm-714554573"
dev="tmpfs" ino=56617860
scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
0.c1023 tcontext=unconfined_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file
In refpolicy we deal with this by associating the pulseaudio_tmpfsfile type attribute to
pulse audit tmpfs related file types. There is an interface in refpolicy that can be used
for this:
########################################
## <summary>
## Make the specified tmpfs file type
## pulseaudio tmpfs content.
## </summary>
## <param name="file_type">
## <summary>
## File type to make pulseaudio tmpfs content.
## </summary>
## </param>
#
interface(`pulseaudio_tmpfs_content',`
gen_require(`
attribute pulseaudio_tmpfsfile;
')
typeattribute $1 pulseaudio_tmpfsfile;
')
That will allow all "pulseaudio_client" to read, delete etc all
pulseaudio_tmpfiles
I do not know why you decided to add a role transtion from unconfined_r to system_r via
pulseaudio_t. I suspect it may have to do with the fact that pulseaudio can also be
configured as a system service and that this
caused to you to add the role transition since else you would get into conflict with the
init_run_daemon(unconfined_t)
In refpolicy we currently do not support pulseaudio as a system service, But if we do then
we will probably create a system_pulseaudio_t, and a session_pulseaudio_t so that we avoid
conflict with roles and such
8:51 a.m.
On Tue, 2013-12-10 at 15:37 +0100, Dominick Grift wrote:
In refpolicy we currently do not support pulseaudio as a system service, But if we do
then we will probably create a system_pulseaudio_t, and a session_pulseaudio_t so that we
avoid conflict with roles and such
That's not going to work either. direct_initrc and init_run_daemon() are
just problematic. fortunately for Fedora you have systemd now
2:35 a.m.
On 12/10/2013 03:37 PM, Dominick Grift wrote:
On Tue, 2013-12-10 at 08:56 -0500, Daniel J Walsh wrote:
> Could you see if you are getting AVCs?
>
> ausearch -m avc -ts recent
>
firefox runs pulseaudio, but since there is role_transition from
unconfined_r to system_r via pulseaudio_exec_t specified the following
related avc denials/selinux_errs occur:
> type=AVC msg=audit(1386626727.085:4005): avc: denied { transition } for pid=3064
comm="firefox" path="/usr/bin/pulseaudio" dev="dm-0"
ino=2109429 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377
tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
> type=SELINUX_ERR msg=audit(1386626727.085:4005): security_compute_sid: invalid
context unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 for
scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377
tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=process
If you allow the above with:
> domain_system_change_exemption(sandbox_web_client_t)
> allow sandbox_web_client_t self:process transition;
> role system_r types sandbox_web_client_t;
Things still fail. Mainly due to:
> type=AVC msg=audit(1386626727.097:4007): avc: denied { setcap } for pid=3064
comm="pulseaudio"
scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377
tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
If you allow the above with:
> allow sandbox_web_client_t self:process setcap;
Then things start to work slowly. But this will expose the usual
pulseadio related event like for example:
> type=AVC msg=audit(1386626727.119:4010): avc: denied { signull } for pid=3068
comm="pulseaudio"
scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377
tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
Which you can allow with:
application_signull(sandbox_web_client_t)
In refpolicy we added a pulseaudio_client type attribute that allows pulseaudio_clients
to send null signals to eachother amongst other things. This enables us to narrow the null
signals down a bit
However i have not yet created an interface that associates caller with this type
attribute. Instead it is only associated to pulseaudio_t
Finally one needs to deal with the pulseaudio ipc:
> type=AVC msg=audit(1386630028.070:4182): avc: denied { read } for pid=933
comm="plugin-containe" name="pulse-shm-714554573"
dev="tmpfs" ino=56617860
scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
> 0.c1023 tcontext=unconfined_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file
In refpolicy we deal with this by associating the pulseaudio_tmpfsfile type attribute to
pulse audit tmpfs related file types. There is an interface in refpolicy that can be used
for this:
> ########################################
> ## <summary>
> ## Make the specified tmpfs file type
> ## pulseaudio tmpfs content.
> ## </summary>
> ## <param name="file_type">
> ## <summary>
> ## File type to make pulseaudio tmpfs content.
> ## </summary>
> ## </param>
> #
> interface(`pulseaudio_tmpfs_content',`
> gen_require(`
> attribute pulseaudio_tmpfsfile;
> ')
>
> typeattribute $1 pulseaudio_tmpfsfile;
> ')
That will allow all "pulseaudio_client" to read, delete etc all
pulseaudio_tmpfiles
I do not know why you decided to add a role transtion from unconfined_r to system_r via
pulseaudio_t. I suspect it may have to do with the fact that pulseaudio can also be
configured as a system service and that this
caused to you to add the role transition since else you would get into conflict with the
init_run_daemon(unconfined_t)
In refpolicy we currently do not support pulseaudio as a system service, But if we do
then we will probably create a system_pulseaudio_t, and a session_pulseaudio_t so that we
avoid conflict with roles and such
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
OK, I see it also on F20.
Will check it. Also we merged most of
pulseaudio changes from refpolicy in rawhide.
5:42 a.m.
On Fri, 2013-12-13 at 09:35 +0100, Miroslav Grepl wrote:
OK, I see it also on F20. Will check it. Also we merged most of
pulseaudio changes from refpolicy in rawhide.
The suspected proper fix for this system_r issue is posted to the
refpolicy maillist: RFC: direct_init_entry breaks direct_initrc
Its a bug in the init module
12:37 p.m.
So basically, I just have to wait for the update that is going to fix it
for me?
Or do you still need any AVCs from my side?
-------------------------------------------------
VFEmail.net - http://www.vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's
hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
1:42 a.m.
On 12/19/2013 07:37 PM, fedorauser wrote:
So basically, I just have to wait for the update that is going to fix
it
for me?
Or do you still need any AVCs from my side?
-------------------------------------------------
VFEmail.net - http://www.vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's
hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Basically I see it also
but could you open a new bug? It is my TODO for
these days.
Thank you.
Regards,
Miroslav
5:28 a.m.
On 01/07/2014 08:42 AM, Miroslav Grepl wrote:
On 12/19/2013 07:37 PM, fedorauser wrote:
> So basically, I just have to wait for the update that is going to fix it
> for me?
>
> Or do you still need any AVCs from my side?
>
> -------------------------------------------------
>
> VFEmail.net - http://www.vfemail.net
> ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out
> of the NSA's hands!
> $24.95 ONETIME Lifetime accounts with Privacy Features!
> 15GB disk! No bandwidth quotas!
> Commercial and Bulk Mail Options!
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Basically I see it also but could you open a new bug? It is my TODO
for these days.
Thank you.
Regards,
Miroslav
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
I am just playing with a
fix for this issue.
9:09 a.m.
On 12/19/2013 07:37 PM, fedorauser wrote:
So basically, I just have to wait for the update that is going to fix
it
for me?
Or do you still need any AVCs from my side?
-------------------------------------------------
VFEmail.net - http://www.vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's
hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Any chance to re-test it
with
http://koji.fedoraproject.org/koji/taskinfo?taskID=6369182
3762
days inactive
3792
days old
selinux@lists.fedoraproject.org
16 comments
5 participants
participants (5)
-
Daniel J Walsh -
Dominick Grift -
fedorauser -
Fl@sh -
Miroslav Grepl