pulseaudio, policykit - works in permissive, fails in enforcing

Tom London selinux at gmail.com
Mon Dec 3 23:22:00 UTC 2007


On Dec 3, 2007 11:20 AM, Tom London <selinux at gmail.com> wrote:
> Running latest Rawhide.
>
> I've noticed the following problem that I cannot track down fully.
>
> Pulseaudio seems to have stopped working when in enforcing mode,
> unless I manually change the permissions to the numerous /dev/ files
> to 666 (e.g., /dev/*dsp*, /dev/audio* /dev/snd/*, ....)
>
> I get no AVCs.  Below are snippets from /var/log/messages.
>
> My (simpleminded) interpretation is that in permissive mode, policykit
> is running but not when in enforcing.
>
> Any suggestions on how to track this down further?
>
> tom
>
> Permissive:
>
> Dec  3 09:48:10 localhost pulseaudio[2947]: polkit.c: Failed to show
> grant dialog: Unable to lookup exe for caller
> Dec  3 09:48:10 localhost pulseaudio[2947]: polkit.c: PolicyKit
> responded with 'auth_admin_keep_always'
> Dec  3 09:48:10 localhost pulseaudio[2947]: pid.c: Stale PID file, overwriting.
> Dec  3 09:48:10 localhost pulseaudio[2947]: main.c:
> setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> Dec  3 09:48:12 localhost pulseaudio[2947]: module.c: Failed to load
> module "module-rtp-recv" (argument: ""): initialization failed.
> Dec  3 09:48:12 localhost pulseaudio[2947]: module-gconf.c:
> pa_module_load() failed
>
>
>
> Enforcing:
>
> Dec  3 10:59:27 localhost pulseaudio[3995]: pid.c: Stale PID file, overwriting.
> Dec  3 10:59:27 localhost pulseaudio[3995]: main.c:
> setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> Dec  3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening
> PCM device hw:0: No such device
> Dec  3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load
> module "module-alsa-sink" (argument: "device_id=0
> sink_name=alsa_output.pci_8086_27d8_alsa_playback_0"): initialization
> failed.
> Dec  3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening
> PCM device hw:0: No such device
> Dec  3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load
> module "module-alsa-source" (argument: "device_id=0
> source_name=alsa_input.pci_8086_27d8_alsa_capture_0"): initialization
> failed.
> Dec  3 10:59:29 localhost pulseaudio[3995]: module.c: Failed to load
> module "module-rtp-recv" (argument: ""): initialization failed.
> Dec  3 10:59:29 localhost pulseaudio[3995]: module-gconf.c:
> pa_module_load() failed
>

I ran 'semodule -DB' and rebooted in enforcing mode.  I attach below
the complete list of AVCs from /var/log/audit/audit.log.

Eliminating some of the obvious ones (e.g., from NetworkManager, etc.)
leaves the 'allows' below.  Do any of them seem likely?

#============= avahi_t ==============
allow avahi_t init_t:fd use;

#============= consolekit_t ==============
allow consolekit_t NetworkManager_t:process ptrace;
allow consolekit_t init_t:fd use;
allow consolekit_t xdm_t:process ptrace;

#============= hald_t ==============
allow hald_t cupsd_config_t:process { siginh rlimitinh noatsecure };
allow hald_t dmidecode_t:process { siginh rlimitinh noatsecure };
allow hald_t hald_acl_t:process { siginh rlimitinh noatsecure };
allow hald_t init_t:fd use;
allow hald_t udev_t:process { siginh rlimitinh noatsecure };

#============= insmod_t ==============
allow insmod_t tty_device_t:chr_file { read write };
allow insmod_t xdm_t:fd use;
allow insmod_t xdm_xserver_t:tcp_socket { read write };
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
allow insmod_t xserver_log_t:file write;

#============= pam_t ==============
allow pam_t xdm_t:fd use;

#============= setrans_t ==============
allow setrans_t init_t:fd use;
allow setrans_t security_t:filesystem getattr;

#============= setroubleshootd_t ==============
allow setroubleshootd_t init_t:fd use;
allow setroubleshootd_t rpm_var_lib_t:dir write;

#============= system_chkpwd_t ==============
allow system_chkpwd_t security_t:dir search;
allow system_chkpwd_t security_t:filesystem getattr;

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:process { siginh rlimitinh noatsecure };

#============= udev_t ==============
allow udev_t pam_console_t:process { siginh rlimitinh noatsecure };

#============= updpwd_t ==============
allow updpwd_t security_t:dir search;
allow updpwd_t security_t:filesystem getattr;
allow updpwd_t selinux_config_t:dir search;

#============= xdm_t ==============
allow xdm_t pam_console_t:process { siginh rlimitinh noatsecure };
allow xdm_t system_chkpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t unconfined_t:process { siginh noatsecure };
allow xdm_t updpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t xdm_dbusd_t:process { siginh rlimitinh noatsecure };
allow xdm_t xdm_xserver_t:dir search;

#============= xdm_xserver_t ==============
allow xdm_xserver_t insmod_t:process { siginh rlimitinh noatsecure };
allow xdm_xserver_t security_t:dir search;
allow xdm_xserver_t security_t:filesystem getattr;
allow xdm_xserver_t selinux_config_t:dir search;


tom
-- 
Tom London
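One way to sift an audit2allow listing like the one above after `semodule -DB` is to parse the rules and drop the entries that only surfaced because dontaudit rules were switched off. The following is an added example, not code from the post or from the SELinux tooling; the sample rules are copied from the list above and the notion of which rules count as "noise" (exec-time process attribute inheritance, fd use from init_t) is this example's own assumption, not something the thread settled.

```python
"""Triage helper for audit2allow output gathered with dontaudit rules disabled.

Added example, not part of the mailing-list thread. The heuristics below are
assumptions: perms usually silenced by dontaudit are treated as noise.
"""
import re
from collections import defaultdict

# Permissions audit2allow emits en masse once 'semodule -DB' is in effect:
# process attribute inheritance across exec. Rarely the cause of a failure.
NOISE_PERMS = {"siginh", "rlimitinh", "noatsecure"}
# (target, class, perms) tuples that appear for nearly every daemon on the box.
NOISE_RULES = {("init_t", "fd", frozenset({"use"}))}

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;\s*$")

def parse_allow_rules(text):
    """Turn 'allow src tgt:cls perm;' lines into (src, tgt, cls, {perms})."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # '#===== domain =====' headers and blank lines
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules

def is_noise(rule):
    """True when the rule only shows up because dontaudit rules are off."""
    _src, tgt, cls, perms = rule
    return perms <= NOISE_PERMS or (tgt, cls, perms) in NOISE_RULES

def triage(text):
    """Group the rules that still deserve a look by source domain."""
    kept = defaultdict(list)
    for rule in parse_allow_rules(text):
        if not is_noise(rule):
            kept[rule[0]].append(rule)
    return dict(kept)

# Constructed sample: a subset of the rules posted in the thread.
SAMPLE = """\
#============= hald_t ==============
allow hald_t init_t:fd use;
allow hald_t udev_t:process { siginh rlimitinh noatsecure };

#============= insmod_t ==============
allow insmod_t tty_device_t:chr_file { read write };
allow insmod_t xdm_t:fd use;

#============= xdm_t ==============
allow xdm_t unconfined_t:process { siginh noatsecure };
allow xdm_t xdm_xserver_t:dir search;
"""

if __name__ == "__main__":
    for domain, rules in triage(SAMPLE).items():
        print(domain, [(t, c, sorted(p)) for _, t, c, p in rules])
```

Running it on the sample leaves only the insmod_t device and fd rules and the xdm_t directory search, which is the kind of shortlist worth checking against the pulseaudio failure.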