sound within sandboxed firefox

Miroslav Grepl mgrepl at redhat.com
Fri Dec 13 08:35:12 UTC 2013


On 12/10/2013 03:37 PM, Dominick Grift wrote:
> On Tue, 2013-12-10 at 08:56 -0500, Daniel J Walsh wrote:
>
>> Could you see if you are getting AVCs?
>>
>> ausearch -m avc -ts recent
>>
> firefox runs pulseaudio, but since there is role_transition from
> unconfined_r to system_r via pulseaudio_exec_t specified the following
> related avc denials/selinux_errs occur:
>
>> type=AVC msg=audit(1386626727.085:4005): avc:  denied  { transition } for  pid=3064 comm="firefox" path="/usr/bin/pulseaudio" dev="dm-0" ino=2109429 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
>> type=SELINUX_ERR msg=audit(1386626727.085:4005): security_compute_sid:  invalid context unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 for scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=process
> If you allow the above with:
>
>> domain_system_change_exemption(sandbox_web_client_t)
>> allow sandbox_web_client_t self:process transition;
>> role system_r types sandbox_web_client_t;
> Things still fail. Mainly due to:
>
>> type=AVC msg=audit(1386626727.097:4007): avc:  denied  { setcap } for  pid=3064 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
> If you allow the above with:
>
>> allow sandbox_web_client_t self:process setcap;
> Then things start to work slowly. But this will expose the usual
> pulseaudio related events like for example:
>
>> type=AVC msg=audit(1386626727.119:4010): avc:  denied  { signull } for  pid=3068 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
> Which you can allow with:
>
> application_signull(sandbox_web_client_t)
>
> In refpolicy we added a pulseaudio_client type attribute that allows pulseaudio_clients to send null signals to each other amongst other things. This enables us to narrow the null signals down a bit.
> However I have not yet created an interface that associates caller with this type attribute. Instead it is only associated to pulseaudio_t
>
> Finally one needs to deal with the pulseaudio ipc:
>
>> type=AVC msg=audit(1386630028.070:4182): avc:  denied  { read } for  pid=933 comm="plugin-containe" name="pulse-shm-714554573" dev="tmpfs" ino=56617860 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file
> In refpolicy we deal with this by associating the pulseaudio_tmpfsfile type attribute to pulseaudio tmpfs related file types. There is an interface in refpolicy that can be used for this:
>
>> ########################################
>> ## <summary>
>> ##	Make the specified tmpfs file type
>> ##	pulseaudio tmpfs content.
>> ## </summary>
>> ## <param name="file_type">
>> ##	<summary>
>> ##	File type to make pulseaudio tmpfs content.
>> ##	</summary>
>> ## </param>
>> #
>> interface(`pulseaudio_tmpfs_content',`
>> 	gen_require(`
>> 		attribute pulseaudio_tmpfsfile;
>> 	')
>>
>> 	typeattribute $1 pulseaudio_tmpfsfile;
>> ')
> That will allow all "pulseaudio_client" to read, delete etc all pulseaudio_tmpfiles
>
>
> I do not know why you decided to add a role transition from unconfined_r to system_r via pulseaudio_t. I suspect it may have to do with the fact that pulseaudio can also be configured as a system service and that this
> caused you to add the role transition since else you would get into conflict with the init_run_daemon(unconfined_t)
>
> In refpolicy we currently do not support pulseaudio as a system service, but if we do then we will probably create a system_pulseaudio_t, and a session_pulseaudio_t so that we avoid conflict with roles and such
>
OK, I see it also on F20. Will check it. Also we merged most of the
pulseaudio changes from refpolicy in rawhide.
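
The denials quoted in this thread can be triaged mechanically. The following Python is an added example, not part of any poster's message or of refpolicy: it groups the thread's AVC records into candidate allow rules and flags transition denials where the role changes, as with unconfined_r to system_r here. The function names are assumptions of this example, and the emitted rules are raw triage output to be narrowed (for instance with the interfaces discussed above), not a recommended policy.

```python
import re
from collections import defaultdict

# Audit records copied from the thread above; the wrapped record is rejoined.
SAMPLE = """\
type=AVC msg=audit(1386626727.085:4005): avc:  denied  { transition } for  pid=3064 comm="firefox" path="/usr/bin/pulseaudio" dev="dm-0" ino=2109429 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
type=SELINUX_ERR msg=audit(1386626727.085:4005): security_compute_sid:  invalid context unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 for scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=process
type=AVC msg=audit(1386626727.097:4007): avc:  denied  { setcap } for  pid=3064 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
type=AVC msg=audit(1386626727.119:4010): avc:  denied  { signull } for  pid=3068 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1386630028.070:4182): avc:  denied  { read } for  pid=933 comm="plugin-containe" name="pulse-shm-714554573" dev="tmpfs" ino=56617860 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file
"""

# Matches only "avc: denied" records, so the SELINUX_ERR line is skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')


def parse_avcs(text):
    """Yield (perms, scontext fields, tcontext fields, tclass) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            # Context is user:role:type:level; the MLS level may itself
            # contain ':' (s0:c255,c377), so split at most three times.
            yield (m['perms'].split(), m['s'].split(':', 3),
                   m['t'].split(':', 3), m['cls'])


def summarize(text):
    """Return (candidate allow rules, role changes on transition denials)."""
    perms_by_key, role_changes = defaultdict(set), set()
    for perms, s, t, cls in parse_avcs(text):
        # Same source and target type is written as "self" in policy.
        target = 'self' if s[2] == t[2] else t[2]
        perms_by_key[(s[2], target, cls)].update(perms)
        if 'transition' in perms and s[1] != t[1]:
            role_changes.add((s[1], t[1], s[2]))  # (old role, new role, type)
    rules = [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
             for (src, tgt, cls), p in sorted(perms_by_key.items())]
    return rules, sorted(role_changes)


if __name__ == "__main__":
    rules, roles = summarize(SAMPLE)
    print("\n".join(rules))
    for old, new, typ in roles:
        print(f"role change on transition: {old} -> {new} for {typ}")
```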

