Bug 2215499

Summary: No more audio in SELinux sandbox applications
Product: [Fedora] Fedora Reporter: Timo Trinks <ttrinks>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 38CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, plautrba, vmojzis, zpytela
Target Milestone: ---Keywords: Regression, SELinux
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-05-22 14:07:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Timo Trinks 2023-06-16 08:41:15 UTC 
Hi!

As of Fedora 38 running applications via SELinux "sandbox" does not support audio anymore. For example, attempting to run 'mpg123' in a sandboxed xterm now fails with a

<snip>

[src/libout123/modules/alsa.c:open_alsa():181] error: cannot open device default
[src/libout123/libout123.c:check_output_module():947] error: Module 'alsa' device open failed.
[src/libout123/libout123.c:out123_open():439] error: Found no driver out of [alsa] working with device <default>.
main: [src/mpg123.c:check_fatal_output():334] error: out123 error 3: failure loading driver module

<snap>

It appears that "sandbox" is not permitted to sufficiently communicate with dbus anymore, as the following log is observed when executing applications (such as mpg123 or firefox) via sandbox:

<snip>

Jun 13 13:00:10 xxxxxxxxx.xxxxxxxxxxx dbus-broker[2243]: A security policy denied :1.365 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1.
Jun 13 13:00:10 xxxxxxxxx.xxxxxxxxxxx dbus-broker[2243]: A security policy denied :1.365 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1.

<snap>

The sandboxed applications are invoked via "sandbox -X -t sandbox_net_t -t sandbox_web_t <command>".

The observed issue is consistent with other reports in the community such as "SElinux sandboxed firefox has no audio playback in Fedora 38" [1] or "SELinux sandboxed firefox has no audio" [2].

Cheers,

Timo

[1] https://www.reddit.com/r/Fedora/comments/13ftmpk/selinux_sandboxed_firefox_has_no_audio_playback/
[2] https://unix.stackexchange.com/questions/747029/selinux-sandboxed-firefox-has-no-audio

Reproducible: Always

Steps to Reproduce:
1. Open a terminal.
2. Run "sandbox -X -t sandbox_net_t -t sandbox_web_t xterm" and run "mpg123 file.mp3" within Sandbox, OR
2.1 Run "sandbox -X -t sandbox_net_t -t sandbox_web_t firefox" and open a Youtube video.
Actual Results:  
No sound.

Errors observed:

<snip>

[src/libout123/modules/alsa.c:open_alsa():181] error: cannot open device default
[src/libout123/libout123.c:check_output_module():947] error: Module 'alsa' device open failed.
[src/libout123/libout123.c:out123_open():439] error: Found no driver out of [alsa] working with device <default>.
main: [src/mpg123.c:check_fatal_output():334] error: out123 error 3: failure loading driver module

<snap>

It appears that "sandbox" is not permitted to sufficiently communicate with dbus anymore, as the following log is observed when executing applications (such as mpg123 or firefox) via sandbox:

<snip>

Jun 13 13:00:10 xxxxxxxxx.xxxxxxxxxxx dbus-broker[2243]: A security policy denied :1.365 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1.
Jun 13 13:00:10 xxxxxxxxx.xxxxxxxxxxx dbus-broker[2243]: A security policy denied :1.365 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1.

<snap>

Expected Results:  
SELinux sandboxed applications able to communicate with audio device (i.e. appropriate dbus permissions).
Comment 1 Zdenek Pytela 2023-06-16 09:59:02 UTC 
Timo,

We hardly ever remove existing permissions in selinux-policy. Can you track down on which system the same scenario was working, e.g. F37, and if it was dependent on some other components version?
Can you also share AVC denials you get?
Does the same scenario work in SELinux permissive mode?
Comment 2 Timo Trinks 2023-08-22 23:51:15 UTC 
Hi Zdenek,

It happens on a vanilla, freshly installed F38 desktop with all the latest updates (and recently on F37 as well, with all the latest updates).

I have no meaningful AVC denials to share at this point - not sure where to start troubleshooting.

In essence what's described here:

https://www.reddit.com/r/Fedora/comments/13ftmpk/selinux_sandboxed_firefox_has_no_audio_playback/
https://unix.stackexchange.com/questions/747029/selinux-sandboxed-firefox-has-no-audio

Cheers,

Timo
Comment 3 Zdenek Pytela 2023-11-16 18:35:18 UTC 
Timo,

We need to see AVC denials from audit logs or journal to move further. Are you sure this is SELinux related?

If yes, you can try to disable dontaudit rules:

# semodule -DB
<reproduce>
# semodule -B
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Comment 4 Aoife Moloney 2024-05-22 14:07:40 UTC 
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21.

Fedora Linux 38 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.