Bug 546030

Summary:	SELinux is preventing the /usr/bin/pulseaudio from using potentially mislabeled files (autospawn.lock).
Product:	[Fedora] Fedora	Reporter:	herra_pilvinen
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	12	CC:	carlg, dwalsh, lpoetter, mgrepl, rstrode
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	setroubleshoot_trace_hash:ef1dca0c1bd50b0955fd863d4ad65934ba5e4f2c6da304e7042f5de485678135
Fixed In Version:	3.6.32-84.fc12	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2010-02-11 14:40:19 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description herra_pilvinen 2009-12-09 20:25:38 UTC

Yhteenveto:

SELinux is preventing the /usr/bin/pulseaudio from using potentially mislabeled
files (autospawn.lock).

Yksityiskohtainen kuvaus:

SELinux has denied pulseaudio access to potentially mislabeled file(s)
(autospawn.lock). This means that SELinux will not allow pulseaudio to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Sallitaan pääsy:

If you want pulseaudio to access this files, you need to relabel them using
restorecon -v 'autospawn.lock'. You might want to relabel the entire directory
using restorecon -R -v ''.

Lisätiedot:

Lähdekonteksti               system_u:system_r:xdm_t:s0-s0:c0.c1023
Kohdekonteksti                system_u:object_r:user_tmp_t:s0
Kohdeobjektit                 autospawn.lock [ file ]
Lähde                        pulseaudio
Lähteen polku                /usr/bin/pulseaudio
Portti                        <Tuntematon>
Kone                          (removed)
Lähteen RPM-paketit          pulseaudio-0.9.21-1.fc12
Kohteen RPM-paketit           
Käytännön RPM              selinux-policy-3.6.32-49.fc12
SELinux käytössä           True
Käytännön tyyppi           targeted
Toimeenpanotila               Enforcing
Liitännäisen nimi           home_tmp_bad_labels
Konenimi                      (removed)
Alusta                        Linux Uneksija 2.6.31.5-127.fc12.x86_64 #1 SMP Sat
                              Nov 7 21:11:14 EST 2009 x86_64 x86_64
Varoitusten määrä          1
Ensimmäinen                  la  5. joulukuuta 2009 23.44.12
Viimeisin                     la  5. joulukuuta 2009 23.44.12
Paikallinen tunniste          cdbf4382-b8c8-4c76-b299-65c3ee9a7174
Rivinumerot                   

Muokkaamattomat tarkastusvies 

node=Uneksija type=AVC msg=audit(1260049452.452:6): avc:  denied  { create } for  pid=1649 comm="pulseaudio" name="autospawn.lock" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file

node=Uneksija type=SYSCALL msg=audit(1260049452.452:6): arch=c000003e syscall=2 success=no exit=-13 a0=7f63200009a0 a1=20142 a2=180 a3=fffffff2 items=0 ppid=1639 pid=1649 auid=4294967295 uid=42 gid=473 euid=42 suid=42 fsuid=42 egid=473 sgid=473 fsgid=473 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-49.fc12,home_tmp_bad_labels,pulseaudio,xdm_t,user_tmp_t,file,create
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t user_tmp_t:file create;

Comment 1 Daniel Walsh 2009-12-09 21:25:22 UTC

Are you logged in as the context xdm_t?

id -Z

Comment 2 Daniel Walsh 2009-12-09 21:58:42 UTC

THis looks like pulseaudit is trying to create autospawn.lock in a directory previosly created by a user?

Comment 3 Ray Strode [halfline] 2009-12-09 22:25:44 UTC

seems unlikely quickly browsing the code.

I see something like

k = pa_sprintf_malloc("%s/%s-runtime", get_pulse_home (), get_machine_id ());

so it doesn't seem like a dir a user would create

But I don't know how this stuff works, cc'ing lennart

Comment 4 Lennart Poettering 2009-12-17 15:04:19 UTC

hmm, we create that lock file in a dir in /tmp. The name of that dir is randomly chosen, and verified to belong to us, so it should be set up properly.

Comment 5 Daniel Walsh 2009-12-17 15:52:11 UTC

So the directory is shared between all users of pulseaudio even if pulseaudio is running as root? Versus a non root UID?

Comment 6 Carl G. 2010-01-17 02:59:11 UTC

---

Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 7 Daniel Walsh 2010-01-18 16:43:25 UTC

Miroslav, lets just allow this access.

userdom_manage_user_tmp_files(xdm_t)

Comment 8 Miroslav Grepl 2010-02-01 13:16:17 UTC

Fixed in selinux-policy-3.6.32-80.fc12

Comment 9 Fedora Update System 2010-02-03 23:18:16 UTC

selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12

Comment 10 Fedora Update System 2010-02-05 01:42:41 UTC

selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

Comment 11 Fedora Update System 2010-02-11 14:35:22 UTC

selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.