Bug 602768

| Field | Value |
|---|---|
| Summary | [abrt] crash in pulseaudio-0.9.21-6.fc13: raise: Process /usr/bin/pulseaudio was killed by signal 6 (SIGABRT) |
| Product | Fedora |
| Component | selinux-policy |
| Version | 13 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | low |
| Reporter | Mike Bonnet <mikeb> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | casmls, dwalsh, lkundrak, lpoetter, mgrepl |
| Whiteboard | abrt_hash:08e9ebe8d0709cd55480c8a42be8589232e35d8d |
| Doc Type | Bug Fix |
| Last Closed | 2010-10-04 11:47:26 UTC |
Description (Mike Bonnet, 2010-06-10 17:33:28 UTC)

Created attachment 422987: backtrace
This is working for me on F14. Miroslav, can you try this out on F13?

Ok, I am seeing the same issue.

1. I am trying:

```
# sandbox -X -t sandbox_web_t firefox
```

Navigate to a website that plays audio (I used youtube) and it still wants to download flash-plugin. I am seeing in permissive mode:

```
type=AVC msg=audit(1276770224.529:266): avc: denied { write } for pid=13591 comm="npconfig" name="nswrapper_32_32.libflashplayer.so" dev=dm-0 ino=1187580 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c823,c928 tcontext=unconfined_u:object_r:nsplugin_rw_t:s0:c579,c615 tclass=file
```

```
# ausearch -m avc -ts recent | audit2allow
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow sandbox_web_client_t nsplugin_rw_t:file { read write execute unlink };
```

2. I am trying the second case:

1. Navigate to a website that plays audio outside sandbox (I used youtube)
2. Run sandbox -X -t sandbox_web_t firefox
3. Navigate to a website that plays audio (I used youtube)
4. Switch to enforcing mode
5. Pulseaudio crashes

Ok, I think we need nsplugin_dontaudit_write_rw_files(sandbox_web_type), since we should force people to install plugins outside of sandbox.

This is working on F14. Miroslav, can you disable dontaudites and see if something is being denied to pulseaudio.

I just want to be clear that this isn't a plugin problem, or a flash problem. The pulseaudio crash is reproducible when anything in the sandbox tries to play audio. It is reproducible when running:

```
sandbox -X -t sandbox_web_t totem /usr/share/sounds/gnome/default/alerts/bark.ogg
```

(In reply to comment #6)
> This is working on F14. Miroslav can you disable dontaudites and see if
> something is being denied to pulseaudio.

Ok, I got it.
```
type=AVC msg=audit(1276854743.036:91651): avc: denied { write } for pid=14490 comm="pulseaudio" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3986 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1276854743.036:91651): arch=c000003e syscall=1 success=no exit=-13 a0=17 a1=7ff70c6182a0 a2=8 a3=6 items=0 ppid=1 pid=14490 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 key=(null)
type=ANOM_ABEND msg=audit(1276854743.038:91652): auid=500 uid=500 gid=500 ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 pid=14490 comm="pulseaudio" sig=6
```

so fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) is the culprit. Changing it to allow makes it work?

Rawhide has:

```
sesearch -A -s sandbox_web_t -t anon_inodefs_t --dontaudit
Found 3 semantic av rules:
   allow sandbox_x_domain anon_inodefs_t : file { ioctl read getattr lock open } ;
   allow sandbox_x_domain anon_inodefs_t : dir { getattr search open } ;
   allow sandbox_x_domain file_type : file entrypoint ;

sesearch -s sandbox_web_type -t anon_inodefs_t --dontaudit
Found 3 semantic av rules:
   dontaudit sandbox_web_type anon_inodefs_t : file { ioctl read write getattr lock append open } ;
   dontaudit sandbox_web_type file_type : dir getattr ;
   dontaudit sandbox_web_type filesystem_type : filesystem getattr ;
```

And it works there?

Yes, this is strange, but it looks like it works with fs_rw_anon_inodefs_files(sandbox_web_client_t). Mike, could you try to add the following local policy and test it:

```
# cat > local.te << EOF
policy_module(local, 1.0)
require{
    type sandbox_web_client_t;
}
fs_rw_anon_inodefs_files(sandbox_web_client_t)
EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp
```

Thanks.

Well, if that fixes it, make the change. I don't think that access is a big threat. I will leave it as dontaudit in Rawhide, since it does not seem to cause problems there. Maybe a newer version of pulseaudio does not crash when denied this access.

After the update today, sound within sandboxes works for me (updated policy to selinux-policy-3.7.19-33.fc13.noarch). Thanks!
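The audit excerpt in this bug shows the pattern that a dontaudit rule hides: an AVC denial followed within milliseconds by an ANOM_ABEND for the same pid. As an added example that is not part of this bug report, the following Python script parses such records and ties each abort to the denials that preceded it, so a crash can be attributed to the policy rule rather than to pulseaudio. The sample lines are the three records quoted above, embedded inline as constructed input; the regexes and function names are this example's own, not audit tooling.

```python
import re

# Constructed sample: the AVC, SYSCALL and ANOM_ABEND records quoted in this bug,
# one record per line (a real audit.log interleaves many unrelated records).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1276854743.036:91651): avc: denied { write } for pid=14490 comm="pulseaudio" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3986 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1276854743.036:91651): arch=c000003e syscall=1 success=no exit=-13 a0=17 a1=7ff70c6182a0 a2=8 a3=6 items=0 ppid=1 pid=14490 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 key=(null)
type=ANOM_ABEND msg=audit(1276854743.038:91652): auid=500 uid=500 gid=500 ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 pid=14490 comm="pulseaudio" sig=6
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Split one audit record into its type, timestamp, serial and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: " + line)
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in KV.findall(m.group(4)))
    denied = DENIED.search(m.group(4))
    if denied:  # AVC records only: the permissions inside "{ ... }"
        rec["denied"] = denied.group(1).split()
    return rec


def selinux_type(context):
    """user:role:type[:level] -> the type field, e.g. sandbox_web_client_t."""
    return context.split(":")[2]


def correlate_abends(text, window=5.0):
    """For each ANOM_ABEND, return the AVC denials of the same pid logged within
    `window` seconds before the abort: a crash that follows a denial, which is the
    pattern in this bug and which a dontaudit rule would have hidden entirely."""
    recs = [parse_record(l) for l in text.splitlines() if l.strip()]
    hits = []
    for ab in (r for r in recs if r["type"] == "ANOM_ABEND"):
        for avc in (r for r in recs if r["type"] == "AVC" and "denied" in r):
            if avc["pid"] == ab["pid"] and 0 <= ab["ts"] - avc["ts"] <= window:
                hits.append({"pid": int(ab["pid"]), "comm": ab["comm"],
                             "signal": int(ab["sig"]), "denied": avc["denied"],
                             "tclass": avc["tclass"], "path": avc.get("path", ""),
                             "source_type": selinux_type(avc["scontext"]),
                             "target_type": selinux_type(avc["tcontext"])})
    return hits
```

Run it with `semodule -DB` in effect (dontaudit rules disabled), otherwise the AVC record never reaches the log and the abort shows up alone.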