pulseaudio, policykit - works in permissive, fails in enforcing

Running latest Rawhide.

I've noticed the following problem that I cannot track down fully.

Pulseaudio seems to have stopped working when in enforcing mode, unless I manually change the permissions to the numerous /dev/ files to 666 (e.g., /dev/*dsp*, /dev/audio* /dev/snd/*, ....)

I get no AVCs. Below are snippets from /var/log/messages.

My (simpleminded) interpretation is that in permissive mode, policykit is running but not when in enforcing.

Any suggestions on how to track this down further?

tom

Permissive:

Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: Failed to show grant dialog: Unable to lookup exe for caller
Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: PolicyKit responded with 'auth_admin_keep_always'
Dec 3 09:48:10 localhost pulseaudio[2947]: pid.c: Stale PID file, overwriting.
Dec 3 09:48:10 localhost pulseaudio[2947]: main.c: setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
Dec 3 09:48:12 localhost pulseaudio[2947]: module.c: Failed to load module "module-rtp-recv" (argument: ""): initialization failed.
Dec 3 09:48:12 localhost pulseaudio[2947]: module-gconf.c: pa_module_load() failed

Enforcing:

Dec 3 10:59:27 localhost pulseaudio[3995]: pid.c: Stale PID file, overwriting.
Dec 3 10:59:27 localhost pulseaudio[3995]: main.c: setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening PCM device hw:0: No such device
Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load module "module-alsa-sink" (argument: "device_id=0 sink_name=alsa_output.pci_8086_27d8_alsa_playback_0"): initialization failed.
Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening PCM device hw:0: No such device
Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load module "module-alsa-source" (argument: "device_id=0 source_name=alsa_input.pci_8086_27d8_alsa_capture_0"): initialization failed.
Dec 3 10:59:29 localhost pulseaudio[3995]: module.c: Failed to load module "module-rtp-recv" (argument: ""): initialization failed.
Dec 3 10:59:29 localhost pulseaudio[3995]: module-gconf.c: pa_module_load() failed

--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: pulseaudio, policykit - works in permissive, fails in enforcing

On Dec 3, 2007 11:20 AM, Tom London <selinux@...> wrote:
> Running latest Rawhide.
>
> I've noticed the following problem that I cannot track down fully.
>
> Pulseaudio seems to have stopped working when in enforcing mode,
> unless I manually change the permissions to the numerous /dev/ files
> to 666 (e.g., /dev/*dsp*, /dev/audio* /dev/snd/*, ....)
>
> I get no AVCs. Below are snippets from /var/log/messages.
>
> My (simpleminded) interpretation is that in permissive mode, policykit
> is running but not when in enforcing.
>
> Any suggestions on how to track this down further?
>
> tom
>
> Permissive:
>
> Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: Failed to show grant dialog: Unable to lookup exe for caller
> Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: PolicyKit responded with 'auth_admin_keep_always'
> Dec 3 09:48:10 localhost pulseaudio[2947]: pid.c: Stale PID file, overwriting.
> Dec 3 09:48:10 localhost pulseaudio[2947]: main.c: setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> Dec 3 09:48:12 localhost pulseaudio[2947]: module.c: Failed to load module "module-rtp-recv" (argument: ""): initialization failed.
> Dec 3 09:48:12 localhost pulseaudio[2947]: module-gconf.c: pa_module_load() failed
>
> Enforcing:
>
> Dec 3 10:59:27 localhost pulseaudio[3995]: pid.c: Stale PID file, overwriting.
> Dec 3 10:59:27 localhost pulseaudio[3995]: main.c: setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
> Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening PCM device hw:0: No such device
> Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load module "module-alsa-sink" (argument: "device_id=0 sink_name=alsa_output.pci_8086_27d8_alsa_playback_0"): initialization failed.
> Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening PCM device hw:0: No such device
> Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load module "module-alsa-source" (argument: "device_id=0 source_name=alsa_input.pci_8086_27d8_alsa_capture_0"): initialization failed.
> Dec 3 10:59:29 localhost pulseaudio[3995]: module.c: Failed to load module "module-rtp-recv" (argument: ""): initialization failed.
> Dec 3 10:59:29 localhost pulseaudio[3995]: module-gconf.c: pa_module_load() failed

I ran 'semodule -DB' and rebooted in enforcing mode.

I attach below the complete list of AVCs from /var/log/audit/audit.log.

Eliminating some of the obvious ones (e.g., from NetworkManager, etc.) leaves the 'allows' below.

Do any of them seem likely?

#============= avahi_t ==============
allow avahi_t init_t:fd use;

#============= consolekit_t ==============
allow consolekit_t NetworkManager_t:process ptrace;
allow consolekit_t init_t:fd use;
allow consolekit_t xdm_t:process ptrace;

#============= hald_t ==============
allow hald_t cupsd_config_t:process { siginh rlimitinh noatsecure };
allow hald_t dmidecode_t:process { siginh rlimitinh noatsecure };
allow hald_t hald_acl_t:process { siginh rlimitinh noatsecure };
allow hald_t init_t:fd use;
allow hald_t udev_t:process { siginh rlimitinh noatsecure };

#============= insmod_t ==============
allow insmod_t tty_device_t:chr_file { read write };
allow insmod_t xdm_t:fd use;
allow insmod_t xdm_xserver_t:tcp_socket { read write };
allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
allow insmod_t xserver_log_t:file write;

#============= pam_t ==============
allow pam_t xdm_t:fd use;

#============= setrans_t ==============
allow setrans_t init_t:fd use;
allow setrans_t security_t:filesystem getattr;

#============= setroubleshootd_t ==============
allow setroubleshootd_t init_t:fd use;
allow setroubleshootd_t rpm_var_lib_t:dir write;

#============= system_chkpwd_t ==============
allow system_chkpwd_t security_t:dir search;
allow system_chkpwd_t security_t:filesystem getattr;

#============= system_dbusd_t ==============
allow system_dbusd_t NetworkManager_t:process { siginh rlimitinh noatsecure };

#============= udev_t ==============
allow udev_t pam_console_t:process { siginh rlimitinh noatsecure };

#============= updpwd_t ==============
allow updpwd_t security_t:dir search;
allow updpwd_t security_t:filesystem getattr;
allow updpwd_t selinux_config_t:dir search;

#============= xdm_t ==============
allow xdm_t pam_console_t:process { siginh rlimitinh noatsecure };
allow xdm_t system_chkpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t unconfined_t:process { siginh noatsecure };
allow xdm_t updpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t xdm_dbusd_t:process { siginh rlimitinh noatsecure };
allow xdm_t xdm_xserver_t:dir search;

#============= xdm_xserver_t ==============
allow xdm_xserver_t insmod_t:process { siginh rlimitinh noatsecure };
allow xdm_xserver_t security_t:dir search;
allow xdm_xserver_t security_t:filesystem getattr;
allow xdm_xserver_t selinux_config_t:dir search;

tom

--
Tom London

Re: pulseaudio, policykit - works in permissive, fails in enforcing

On Dec 3, 2007 3:54 PM, Tom London <selinux@...> wrote:
>
> On Dec 3, 2007 3:50 PM, Tom London <selinux@...> wrote:
> > Forgot to attach the AVCs......
> >
> > Does this one look suspicious?
> >
> > type=AVC msg=audit(1196722543.811:703): avc: denied { search } for pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> > type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5 success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715 pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> >
> Attached compressed....sigh
>
> type=AVC msg=audit(1196779565.801:132): avc: denied { search } for pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> type=AVC msg=audit(1196779565.801:132): avc: denied { read } for pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5 success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

So, I did a 'audit2allow -M localpulse2' on the above.

Here is the .te file:

module localpulse2 1.0;

require {
	type xdm_xserver_t;
	type xdm_t;
	class dir search;
	class file { read getattr };
}

#============= xdm_t ==============
allow xdm_t xdm_xserver_t:dir search;
allow xdm_t xdm_xserver_t:file { read getattr };

'semodule -i localpulse2.pp' makes pulseaudio work.

Should this be added?

tom

--
Tom London

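The reduction step above (AVC records in, one merged `allow` rule per source type, target type and object class out, wrapped in a `.te` skeleton) is what `audit2allow -M` automates. The script below is an added example, written for this page and not code from the thread or from the audit2allow tool; it reimplements that reduction on the two audit serials Tom posted, which are embedded as sample input. It also reads the `success=` field of the matching SYSCALL record, which is the quickest way to tell whether a batch of denials was collected in permissive mode (the call went through anyway, `success=yes`) or in enforcing mode (`success=no`, `exit=-13`); that distinction matters when deciding whether a generated rule explains a real breakage. Function names (`parse_avcs`, `allow_rules`, `render_te`, `enforcement_mode`) are this example's own.

```python
"""Added example: a small audit2allow-style reducer for SELinux AVC records.

Parses `type=AVC ... avc: denied { perm } for ... scontext=... tcontext=...
tclass=...` lines, merges them by (source type, target type, object class)
and renders the allow rules plus a .te skeleton. The SYSCALL record's
success= flag is used to infer permissive vs enforcing mode.
"""
import re

# Sample input: the AVC/SYSCALL records for audit serials 132 and 133 as
# posted in the thread (copied, not generated by this script).
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1196779565.801:132): avc: denied { search } for pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir',
    'type=AVC msg=audit(1196779565.801:132): avc: denied { read } for pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file',
    'type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5 success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file',
    'type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
]

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ *(?P<perms>[^}]+)\} +for (?P<rest>.*)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bsuccess=(?P<success>yes|no)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def context_type(context):
    """system_u:system_r:xdm_t:s0-s0:c0.c1023 -> xdm_t (the third field)."""
    return context.split(':')[2]


def parse_avcs(lines):
    """One dict per AVC record: serial, permissions, source/target types, class."""
    denials = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        denials.append({
            'serial': m.group('serial'),
            'perms': m.group('perms').split(),
            'stype': context_type(fields['scontext']),
            'ttype': context_type(fields['tcontext']),
            'tclass': fields['tclass'],
            'comm': fields.get('comm', ''),
        })
    return denials


def syscall_outcomes(lines):
    """Map audit serial -> True if the syscall succeeded despite the denial."""
    return {m.group('serial'): m.group('success') == 'yes'
            for m in map(SYSCALL_RE.search, lines) if m}


def enforcement_mode(denials, outcomes):
    """'permissive' if every denied syscall still succeeded, 'enforcing' if none did."""
    results = [outcomes[d['serial']] for d in denials if d['serial'] in outcomes]
    if not results:
        return 'unknown'
    if all(results):
        return 'permissive'
    return 'enforcing' if not any(results) else 'mixed'


def _merge_perms(target, perms):
    """Append permissions to target in first-seen order without duplicates."""
    for p in perms:
        if p not in target:
            target.append(p)


def _perm_body(perms):
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rules(denials):
    """One allow rule per (source, target, class), permissions merged, as audit2allow does."""
    merged = {}
    for d in denials:
        _merge_perms(merged.setdefault((d['stype'], d['ttype'], d['tclass']), []), d['perms'])
    return [f'allow {s} {t}:{c} {_perm_body(p)};' for (s, t, c), p in merged.items()]


def render_te(modname, denials):
    """Produce loadable .te source: module header, require block, allow rules per source type."""
    types, classes = [], {}
    for d in denials:
        for ty in (d['stype'], d['ttype']):
            if ty not in types:
                types.append(ty)
        _merge_perms(classes.setdefault(d['tclass'], []), d['perms'])
    out = [f'module {modname} 1.0;', '', 'require {']
    out += [f'\ttype {ty};' for ty in types]
    out += [f'\tclass {cls} {_perm_body(p)};' for cls, p in classes.items()]
    out += ['}', '']
    for stype in dict.fromkeys(d['stype'] for d in denials):
        out.append(f'#============= {stype} ==============')
        out += allow_rules([d for d in denials if d['stype'] == stype])
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    found = parse_avcs(SAMPLE_AUDIT_LOG)
    mode = enforcement_mode(found, syscall_outcomes(SAMPLE_AUDIT_LOG))
    print(f'# {len(found)} AVC records, collected in {mode} mode')
    print(render_te('localpulse2', found))
```

Run stand-alone it prints the same two rules Tom obtained for xdm_t against xdm_xserver_t and reports the sample as collected in permissive mode, since both SYSCALL records carry `success=yes`. Feeding it `ausearch -m avc --raw` output gives the same reduction over a real log; the rules it emits should still be read against the reference policy before loading, exactly as the thread does with its "Should this be added?".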
Re: pulseaudio, policykit - works in permissive, fails in enforcing

Tom London wrote:
> On Dec 3, 2007 3:54 PM, Tom London <selinux@...> wrote:
>> On Dec 3, 2007 3:50 PM, Tom London <selinux@...> wrote:
>>> Forgot to attach the AVCs......
>>>
>>> Does this one look suspicious?
>>>
>>> type=AVC msg=audit(1196722543.811:703): avc: denied { search } for pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
>>> type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5 success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715 pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>>>
>> Attached compressed....sigh
>>
> Reran the above in permissive mode. This seemed suspicious:
>
> type=AVC msg=audit(1196779565.801:132): avc: denied { search } for pid=2614 comm="ck-get-x11-disp" name="2587" dev=proc ino=9642 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> type=AVC msg=audit(1196779565.801:132): avc: denied { read } for pid=2614 comm="ck-get-x11-disp" name="stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.801:132): arch=40000003 syscall=5 success=yes exit=4 a0=8d27418 a1=8000 a2=0 a3=8000 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1196779565.802:133): avc: denied { getattr } for pid=2614 comm="ck-get-x11-disp" path="/proc/2587/stat" dev=proc ino=9861 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1196779565.802:133): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bff4cfc8 a2=bdcff4 a3=8d27418 items=0 ppid=2585 pid=2614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp" exe="/usr/libexec/ck-get-x11-display-device" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> So, I did a 'audit2allow -M localpulse2' on the above.
>
> Here is the .te file:
>
> module localpulse2 1.0;
>
> require {
> 	type xdm_xserver_t;
> 	type xdm_t;
> 	class dir search;
> 	class file { read getattr };
> }
>
> #============= xdm_t ==============
> allow xdm_t xdm_xserver_t:dir search;
> allow xdm_t xdm_xserver_t:file { read getattr };
>
> 'semodule -i localpulse2.pp' makes pulseaudio work.
>
> Should this be added?
>
> tom

BTW: a handy tool to see what consolekit thinks of you is

> ck-list-sessions
Session2:
	uid = '3267'
	realname = 'Daniel J Walsh,,978-392-3130,508-485-6146'
	seat = 'Seat1'
	session-type = ''
	active = TRUE
	x11-display = ':0'
	x11-display-device = '/dev/tty7'
	display-device = ''
	remote-host-name = ''
	is-local = TRUE
	on-since = '2007-12-04T18:46:05Z'

If it does not show active, then consolekit thinks you are not on the console and will not change the permissions on the devices.