Bug 443378

Summary: mplayer policy
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Reporter: Dominick Grift <domg444>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Doc Type: Bug Fix
Last Closed: 2008-04-21 17:07:59 UTC

Description Dominick Grift 2008-04-21 09:07:44 UTC
Description of problem:
staff can't read /etc/mplayer/mplayer.conf (mplayer_etc_t)
staff does not run mplayer in its domain (per role template not called)
per role template is missing a require (mplayer_etc_t)
once staff runs mplayer in its domain mplayer cannot run due to:
The flip-hebrew option can't be used in a config file.
Error parsing option flip-hebrew=no at line 133

if you comment out that directive in /etc/mplayer/mplayer.conf it runs

How reproducible:
try to read mplayer_etc_t as staff_t
notice you cannot run mplayer in its domain (per role template is not called)
in the per role template for mplayer (mplayer.if), in the gen_require block
there is no type mplayer_etc_t and therefore the module does not compile if it
is called (error)
once everything does run, mplayer quits because there is a directive in
/etc/mplayer/mplayer.conf that is not allowed there (if you comment that
directive out it works)


Comment 1 Dominick Grift 2008-04-21 10:59:11 UTC
after that there are some more issues, for example I had to add:

dev_read_urand($1_mplayer_t)

and after that it wanted to connect to pulseaudio (/tmp/pulse-dgrift1/native)
but that is a userdomain type object:

type=AVC msg=audit(1208774477.818:8367): avc:  denied  { write } for  pid=11347
comm="mplayer" name="native" dev=dm-1 ino=2842708
scontext=staff_u:staff_r:staff_mplayer_t:s0
tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file


Without that this mplayer works but without pa I think, as I get some error output:

E: shm.c: shm_open() failed: Function not implemented
*** PULSEAUDIO: Unable to connect: Connection refused
*** Is your sound server running?
*** See: http://www.pulseaudio.org/wiki/Troubleshooting
[AO_ALSA] Playback open error: Connection refused
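
Added example, not part of the original report or of the selinux-policy project: a small parser that reads the AVC denial quoted in comment 1 and renders the type-enforcement rule it corresponds to, so a reviewer can see exactly which access (staff_mplayer_t writing a user_tmp_t sock_file) is being asked for. The function names are hypothetical, and the record is the one from the comment re-joined onto a single line.

```python
import re

# AVC record from comment 1, re-joined onto one line as audit.log stores it.
AVC_SAMPLE = (
    'type=AVC msg=audit(1208774477.818:8367): avc:  denied  { write } for  '
    'pid=11347 comm="mplayer" name="native" dev=dm-1 ino=2842708 '
    'scontext=staff_u:staff_r:staff_mplayer_t:s0 '
    'tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':', 3)  # the MLS level may itself contain colons
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for any other line."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(match.group('rest'))}
    source = context_type(fields.get('scontext', ''))
    target = context_type(fields.get('tcontext', ''))
    if not (source and target and 'tclass' in fields):
        return None
    fields.update(source_type=source, target_type=target,
                  perms=match.group('perms').split())
    return fields

def te_rules(lines):
    """Merge denials per (source, target, class) and render one rule each."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc:
            key = (avc['source_type'], avc['target_type'], avc['tclass'])
            merged.setdefault(key, set()).update(avc['perms'])
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        text = ' '.join(sorted(perms))
        text = '{ %s }' % text if len(perms) > 1 else text
        rules.append('allow %s %s:%s %s;' % (source, target, tclass, text))
    return rules
```

Calling `te_rules([AVC_SAMPLE])` yields the single rule for review; non-AVC lines such as the PulseAudio error output are skipped.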


Comment 2 Daniel Walsh 2008-04-21 17:07:59 UTC
Fixed in selinux-policy-3.3.1-37.fc9.noarch