Bug 602768

Summary: [abrt] crash in pulseaudio-0.9.21-6.fc13: raise: Process /usr/bin/pulseaudio was killed by signal 6 (SIGABRT)
Product: [Fedora] Fedora Reporter: Mike Bonnet <mikeb>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: casmls, dwalsh, lkundrak, lpoetter, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: abrt_hash:08e9ebe8d0709cd55480c8a42be8589232e35d8d
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-10-04 11:47:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace none

Description Mike Bonnet 2010-06-10 17:33:28 UTC 
abrt 1.1.1 detected a crash.

architecture: x86_64
Attached file: backtrace
cmdline: /usr/bin/pulseaudio --start --log-target=syslog
component: pulseaudio
crash_function: raise
executable: /usr/bin/pulseaudio
global_uuid: 08e9ebe8d0709cd55480c8a42be8589232e35d8d
kernel: 2.6.32.12-115.fc12.x86_64
package: pulseaudio-0.9.21-6.fc13
rating: 4
reason: Process /usr/bin/pulseaudio was killed by signal 6 (SIGABRT)
release: Fedora release 13 (Goddard)

comment
-----
I was running firefox in a SELinux sandbox (/usr/bin/sandbox is provided by policycoreutils-python).  As soon as firefox tries to play audio, pulseaudio crashes.  There are also error messages from pulseaudio in /var/og/messages:

Jun 10 13:25:18 maunalani pulseaudio[3115]: bluetooth-util.c: Error from ListAdapters reply: org.freedesktop.DBus.Error.AccessDenied
Jun 10 13:25:18 maunalani pulseaudio[3115]: fdsem.c: Invalid read from pipe: Permission denied
Jun 10 13:25:18 maunalani pulseaudio[3115]: fdsem.c: Code should not be reached at pulsecore/fdsem.c:208, function pa_fdsem_post(). 
Aborting.

It is not expected that I'm able to hear audio from a sandbox'ed app (selinux is blocking the sandboxed app from interacting with pulseaudio.  It's also not expected that pulseaudio (outside the sandbox) abort when an app in the sandbox tries to connect to it.

How to reproduce
-----
1. Run sandbox -X -t sandbox_web_t firefox
2. Navigate to a website that plays audio (I used youtube)
3. Pulseaudio crashes
Comment 1 Mike Bonnet 2010-06-10 17:33:30 UTC 
Created attachment 422987 [details]
File: backtrace
Comment 2 Daniel Walsh 2010-06-16 15:34:26 UTC 
This is working for me on F14.

Miroslav can you try this out on F13?
Comment 3 Miroslav Grepl 2010-06-17 10:39:47 UTC 
Ok, I am seeing the same issue.

1. I am trying:  

# sandbox -X -t sandbox_web_t firefox
# Navigate to a website that plays audio (I used youtube)

and it still wants to donwload flash-plugin. 

I am seeing in permissive mode

type=AVC msg=audit(1276770224.529:266): avc:  denied  { write } for  pid=13591 comm="npconfig" name="nswrapper_32_32.libflashplayer.so" dev=dm-0 ino=1187580 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c823,c928 tcontext=unconfined_u:object_r:nsplugin_rw_t:s0:c579,c615 tclass=file

# ausearch -m avc -ts recent | audit2allow

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow sandbox_web_client_t nsplugin_rw_t:file { read write execute unlink };
Comment 4 Miroslav Grepl 2010-06-17 10:51:51 UTC 
2. I am trying the second case

1. Navigate to a website that plays audio outside sandbox (I used youtube) 
2. Run sandbox -X -t sandbox_web_t firefox
3. Navigate to a website that plays audio (I used youtube)
4. Switch to enforce mode
5. Pulseaudio crashes
Comment 5 Daniel Walsh 2010-06-17 14:48:47 UTC 
Ok I think we need

	nsplugin_dontaudit_write_rw_files(sandbox_web_type)

Since we should force people to install plugins outside of sandbox.
Comment 6 Daniel Walsh 2010-06-17 15:00:33 UTC 
This is working on F14.  Miroslav can you disable dontaudites and see if something is being denied to pulseaudio.
Comment 7 Mike Bonnet 2010-06-17 15:10:36 UTC 
I just want to be clear that this isn't a plugin problem, or a flash problem.  The pulseaudio crash is reproduceable when anything in the sandbox tries to play audio.  It is reproduceable when running:

sandbox -X -t sandbox_web_t totem /usr/share/sounds/gnome/default/alerts/bark.ogg
Comment 8 Miroslav Grepl 2010-06-18 10:08:12 UTC 
(In reply to comment #6)
> This is working on F14.  Miroslav can you disable dontaudites and see if
> something is being denied to pulseaudio.    

Ok, I got it.

type=AVC msg=audit(1276854743.036:91651): avc:  denied  { write } for  pid=14490 comm="pulseaudio" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3986 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file

type=SYSCALL msg=audit(1276854743.036:91651): arch=c000003e syscall=1 success=no exit=-13 a0=17 a1=7ff70c6182a0 a2=8 a3=6 items=0 ppid=1 pid=14490 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 key=(null)
type=ANOM_ABEND msg=audit(1276854743.038:91652): auid=500 uid=500 gid=500 ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 pid=14490 comm="pulseaudio" sig=6

so 

fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)

is culprit.
Comment 9 Daniel Walsh 2010-06-18 15:24:24 UTC 
Changing it to allow makes it work?

Rawhide has

sesearch -A -s sandbox_web_t -t anon_inodefs_t --dontaudit
Found 3 semantic av rules:
   allow sandbox_x_domain anon_inodefs_t : file { ioctl read getattr lock open } ; 
   allow sandbox_x_domain anon_inodefs_t : dir { getattr search open } ; 
   allow sandbox_x_domain file_type : file entrypoint ; 

 sesearch -s sandbox_web_type -t anon_inodefs_t --dontaudit
Found 3 semantic av rules:
   dontaudit sandbox_web_type anon_inodefs_t : file { ioctl read write getattr lock append open } ; 
   dontaudit sandbox_web_type file_type : dir getattr ; 
   dontaudit sandbox_web_type filesystem_type : filesystem getattr ;

And it works there?
Comment 10 Miroslav Grepl 2010-06-22 07:34:47 UTC 
Yes, this is strange but it looks like it works with

fs_rw_anon_inodefs_files(sandbox_web_client_t)

Mike,
could you try to add the following local policy and test it

# cat > local.te << EOF
policy_module(local, 1.0)

require{
type sandbox_web_client_t;
}
fs_rw_anon_inodefs_files(sandbox_web_client_t)
EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp


Thanks.
Comment 11 Miroslav Grepl 2010-06-22 07:34:47 UTC 
Yes, this is strange but it looks like it works with

fs_rw_anon_inodefs_files(sandbox_web_client_t)

Mike,
could you try to add the following local policy and test it

# cat > local.te << EOF
policy_module(local, 1.0)

require{
type sandbox_web_client_t;
}
fs_rw_anon_inodefs_files(sandbox_web_client_t)
EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp


Thanks.
Comment 12 Daniel Walsh 2010-06-22 12:37:50 UTC 
Well if that fixes it, Make the change.  I don't think that access is a big threat.  I will leave it as dontaudit in Rawhide, since it does not seem to cause problems there.

Maybe a newer version of pulseaudio does not crash when denied this access.
Comment 13 Christoph A. 2010-07-03 11:51:58 UTC 
After the update today, sound within sandboxes works for me.
(updated policy to selinux-policy-3.7.19-33.fc13.noarch)

Thanks!