sound within sandbox_web_t type and permissive type sandbox_web_client_t

Daniel J Walsh dwalsh at redhat.com
Mon Jun 21 14:47:38 UTC 2010


On 06/21/2010 06:42 AM, Christoph A. wrote:
> Hi,
>
> I can remember that while using F12 I had sound within sandbox_web_t
> running firefox. Since I'm using F13 sound within the sandbox
> disappeared and while running a sandbox I constantly (every 20 seconds)
> get abrt notifications that pulseaudio crashed.
>
> pulseaudio version:
> pulseaudio-0.9.21-6.fc13
>
>
> audit.log contains following lines:
> type=ANOM_ABEND msg=audit(1277115690.389:210): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5913 comm="pulseaudio" sig=6
> type=ANOM_ABEND msg=audit(1277115695.613:211): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5924 comm="pulseaudio" sig=6
> type=ANOM_ABEND msg=audit(1277115700.998:212): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5936 comm="pulseaudio" sig=6
> type=ANOM_ABEND msg=audit(1277115706.240:213): auid=500 uid=500 gid=500
> ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c633,c897
> pid=5947 comm="pulseaudio" sig=6
> [...]
>
> Is someone experiencing the same problem?
> If needed I can add the pulseaudio abrt backtrace.
>
>
> My second question also regarding sandboxes:
>
> This is an AVC I frequently come across:
> type=AVC msg=audit(1277029467.183:2147): avc: denied { read write } for
> pid=3038 comm="gvfs-fuse-daemo" name="fuse" dev=devtmpfs ino=9048
> scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c503,c936
> tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file
>
> The troubleshooter tells me that this type is running in permissive
> mode. Is this supposed to be like that (default) or is this a
> misconfiguration on my side?
>
> [gvfs-fuse-daemo has a permissive type (sandbox_web_client_t). This
> access was not denied.]
>
> kind regards,
> Christoph
No, the setroubleshooter is wrong.  What it should be telling you is that 
the syscall that generated the AVC did not get denied.  The tool 
mistakenly sees this and assumes that the process was permissive.  We 
need to fix setroubleshoot to check the permissive flag in policy if the 
success=yes flag is set.

There is a bug report open on sound not working in F13 when run under 
sandbox.  It seems to work on F14.

Miroslav is working on this problem.
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
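
Added example (not part of the original thread and not setroubleshoot's code): a sketch of the check described in the reply above, which groups audit records by event id, reads the `success=` flag of the SYSCALL record, and consults a list of permissive types before reporting a domain as permissive. The SYSCALL records, the `demo_permissive_t` type and the `PERMISSIVE` set are constructed for illustration.

```python
import re
from collections import defaultdict
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
SCONTEXT = re.compile(r"scontext=(\S+)")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")

def classify(log_text, permissive_types):
    """Return {event id: verdict} for each audit event that has an AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events[m.group(1)]  # records sharing timestamp:serial are one event
        if line.startswith("type=AVC") and "denied" in line:
            sc = SCONTEXT.search(line)
            if sc:  # context is user:role:type:level, so the type is field 3
                ev["domain"] = sc.group(1).split(":")[2]
        elif line.startswith("type=SYSCALL"):
            ok = SUCCESS.search(line)
            if ok:
                ev["success"] = ok.group(1)
    verdicts = {}
    for eid, ev in events.items():
        if "domain" not in ev:
            continue
        if "success" not in ev:
            verdicts[eid] = "unknown: no SYSCALL record"
        elif ev["success"] == "no":
            verdicts[eid] = "syscall failed"
        elif ev["domain"] in permissive_types:
            verdicts[eid] = "allowed: permissive domain"
        else:
            verdicts[eid] = "syscall succeeded: domain is not permissive"
    return verdicts

# The first AVC is the one quoted in the message (joined onto one line); the
# SYSCALL records and the other two events are constructed sample data.
AVC = ("type=AVC msg=audit({id}): avc: denied {{ read write }} for pid=3038 "
       'comm="gvfs-fuse-daemo" name="fuse" dev=devtmpfs ino=9048 '
       "scontext=unconfined_u:unconfined_r:{dom}:s0:c503,c936 "
       "tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file")
SYSCALL = 'type=SYSCALL msg=audit({id}): success={ok} pid=3038 comm="gvfs-fuse-daemo"'
CASES = [("1277029467.183:2147", "sandbox_web_client_t", "yes"),
         ("1277029470.000:2150", "demo_permissive_t", "yes"),
         ("1277029471.000:2151", "sandbox_web_client_t", "no")]
SAMPLE = "\n".join(AVC.format(id=i, dom=d) + "\n" + SYSCALL.format(id=i, ok=s)
                   for i, d, s in CASES)
PERMISSIVE = {"demo_permissive_t"}  # assumed; e.g. taken from `semanage permissive -l`
```

Calling `classify(SAMPLE, PERMISSIVE)` separates the case from the message (syscall succeeded, domain not permissive) from a genuinely permissive domain and from a syscall that failed.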
