Bug 667353

Summary: SELinux is preventing /usr/bin/mpd from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X0.
Product: [Fedora] Fedora Reporter: infertux
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh, mgrepl, ssabcew
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:298964b06931bd9702c0fab852dbe4dbac702e5d9ce8b6694defa4f0ec0d9f33
Fixed In Version: selinux-policy-3.9.7-25.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-25 20:58:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Output of "ausearch -m avc -ts recent" none

Description infertux 2011-01-05 12:02:34 UTC 
SELinux is preventing /usr/bin/mpd from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X0.

How to reproduce: 
Set a pulseaudio output in /etc/mpd.conf like this:
audio_output {
    type        "pulse"
    name        "My Pulse Output"
}

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mpd should be allowed connectto access on the X0 unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/bin/mpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:mpd_t:s0
Target Context                system_u:system_r:xserver_t:s0-s0:c0.c1023
Target Objects                @/tmp/.X11-unix/X0 [ unix_stream_socket ]
Source                        mpd
Source Path                   /usr/bin/mpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dbus-x11-1.4.0-2.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-19.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux I7 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec
                              23 16:04:50 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Wed 05 Jan 2011 12:42:18 PM CET
Last Seen                     Wed 05 Jan 2011 12:52:53 PM CET
Local ID                      5dafc114-21bb-482f-987b-aa3def0d7ee2

Raw Audit Messages
type=AVC msg=audit(1294228373.536:34854): avc:  denied  { connectto } for  pid=4108 comm="dbus-launch" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket

mpd,mpd_t,xserver_t,unix_stream_socket,connectto
type=SYSCALL msg=audit(1294228373.536:34854): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fff1112cfa0 a2=14 a3=7fff1112cfa3 items=0 ppid=4107 pid=4108 auid=500 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm=dbus-launch exe=/usr/bin/dbus-launch subj=unconfined_u:system_r:mpd_t:s0 key=(null)
mpd,mpd_t,xserver_t,unix_stream_socket,connectto

#============= mpd_t ==============
allow mpd_t xserver_t:unix_stream_socket connectto;
Comment 1 Daniel Walsh 2011-01-05 20:11:51 UTC 
Why would mpd connect to the xserver?
Comment 2 infertux 2011-01-05 20:34:33 UTC 
(In reply to comment #1)
> Why would mpd connect to the xserver?

I agree, mpd should not have to connect to the X server but I have no idea why it does...

I noticed that running the mpd daemon under my current user (by default, it is running under "mpd" user) makes the pulseaudio output working but it's probably not safe and I'm still getting SELinux alerts.

See also: https://bugzilla.redhat.com/show_bug.cgi?id=634699
Comment 3 Daniel Walsh 2011-01-05 21:01:49 UTC 
Does it not work if it runs under the mpd user?
Comment 4 infertux 2011-01-05 21:09:06 UTC 
(In reply to comment #3)
> Does it not work if it runs under the mpd user?

Indeed, I have no sound at all.
I get "mpd: output: Failed to open "My Pulse Output" [pulse]: Cannot connect to PulseAudio server: Connection refused" in /var/log/messages.
Comment 5 Daniel Walsh 2011-01-05 21:38:54 UTC 
If you put the machine into permissive mode what AVC's do  you see?
Comment 6 infertux 2011-01-05 22:34:35 UTC 
In permissive mode and under the "mpd" user, I get 3 AVC.
Here is what I have in /var/log/messages:

dbus: avc:  received setenforce notice (enforcing=0)
setroubleshoot: SELinux is preventing /usr/bin/mpd from connectto access on the unix_stream_socket @/tmp/.X11-unix/X0.
setroubleshoot: SELinux is preventing /usr/bin/mpd from search access on the directory /var/run/gdm.
setroubleshoot: SELinux is preventing /usr/bin/mpd from name_connect access on the tcp_socket port 6000.
mpd: avahi: Service 'Music Player' successfully established.
mpd: output: Failed to open "My Pulse Output" [pulse]: Cannot connect to PulseAudio server: Connection refused
mpd: output: Failed to open "My Pulse Output" [pulse]: Cannot connect to PulseAudio server: Connection refused
(repeating the last line each 10 seconds)
Comment 7 Miroslav Grepl 2011-01-06 12:14:16 UTC 
Afaik there was and probably there is a problem with MPD running under mpd user. 

I gave people a policy workaround which allow MPD run under different user.

https://bugzilla.redhat.com/show_bug.cgi?id=604952#c8
Comment 8 Miroslav Grepl 2011-01-06 12:20:08 UTC 
But I am now trying to run MPD under mpd user and it works for me in permissive mode.

And it works with some policy changes in enforcing mode.

#allow mpd_t xdm_var_run_t:file read;
#allow mpd_t xdm_var_run_t:dir search;
#allow mpd_t xserver_port_t:tcp_socket name_connect;
#allow mpd_t xserver_t:unix_stream_socket connectto

These accesses are not needed.
Comment 9 Miroslav Grepl 2011-01-06 12:22:36 UTC 
Reporter, 
I am not sure why it doesn't work for you. Could you add output of

# ps -eZ | grep mpd

# ps -eZ | grep pulse

just for check.
Comment 10 infertux 2011-01-06 13:12:56 UTC 
I removed gnome-applet-music from my Gnome panel and two AVC seems to be gone. But I'm still getting "SELinux is preventing /usr/bin/mpd from name_connect access on the tcp_socket port 6000." and still no sound :(.

$ getenforce
Permissive

$ grep -v "^#" /etc/mpd.conf | grep -v "^$"
music_directory		"/var/lib/mpd/music"
playlist_directory		"/var/lib/mpd/playlists"
db_file			"/var/lib/mpd/mpd.db"
log_file			"syslog"
state_file			"/var/lib/mpd/mpdstate"
user "mpd"
port				"6600"
log_level			"verbose"
password                        "XX@read,add,control,admin"
default_permissions             "read"
input {
        plugin "curl"
}
audio_output {
	type		"pulse"
	name		"My Pulse Output"
}

$ sudo /etc/init.d/mpd start
Starting The Music Player Daemon: listen: binding to any address
listen: binding to socket address [::]:6600
listen: binding to socket address 0.0.0.0:6600
path: path_set_fs_charset: fs charset is: UTF-8
database: reading DB
daemon: daemonized!
No protocol specified
XOpenDisplay() failed
No protocol specified
XOpenDisplay() failed

$ sudo tail -5 /var/log/messages
Jan  6 13:54:33 XX setroubleshoot: SELinux is preventing /usr/bin/mpd from name_connect access on the tcp_socket port 6000. For complete SELinux messages. run sealert -l bcae7117-e774-4fb9-a3e3-8c8e8e08faa6
Jan  6 13:54:33 XX pulseaudio[10735]: bluetooth-util.c: Error from ListAdapters reply: org.freedesktop.DBus.Error.Spawn.ChildExited
Jan  6 13:54:33 XX pulseaudio[10735]: main.c: Unable to contact D-Bus: org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch terminated abnormally with the following error: No protocol specified
Jan  6 13:54:33 XX pulseaudio[10735]: main.c: Autolaunch error: X11 initialization failed.
Jan  6 13:54:34 XX mpd: avahi: Service 'Music Player' successfully established.

$ ps -eZ | grep mpd
unconfined_u:system_r:mpd_t:s0  10725 ?        00:00:00 mpd

$ ps -eZ | grep pulse
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2391 ? 00:02:46 pulseaudio
Comment 11 Miroslav Grepl 2011-01-06 14:05:44 UTC 
*** Bug 634699 has been marked as a duplicate of this bug. ***
Comment 12 Miroslav Grepl 2011-01-06 14:10:45 UTC 
(In reply to comment #10)
> I removed gnome-applet-music from my Gnome panel and two AVC seems to be gone.
> But I'm still getting "SELinux is preventing /usr/bin/mpd from name_connect
> access on the tcp_socket port 6000." and still no sound :(.
> 

The problem is you are seeing it also in permissive mode so it looks like MPD problem at this moment.
Comment 13 Miroslav Grepl 2011-01-07 13:05:00 UTC 
Fixed in selinux-policy-3.9.7-21.fc14
Comment 14 Fedora Update System 2011-01-20 16:03:53 UTC 
selinux-policy-3.9.7-25.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
Comment 15 Fedora Update System 2011-01-20 19:54:19 UTC 
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
Comment 16 infertux 2011-01-23 15:18:19 UTC 
Actually, the two AVCs which seemed to have disappeared are back :(.
So, they are not related to gnome-applet-music as I thought.
But "SELinux is preventing /usr/bin/mpd from name_connect access on the tcp_socket port 6000." is gone with selinux-policy-3.9.7-25.fc14.
Here's what I get when I start mpd in permissive mode:

$ sudo tail -5 /var/log/messages
Jan 23 15:46:06 I7 pulseaudio[5538]: main.c: Unable to contact D-Bus: org.freedesktop.DBus.Error.Spawn.ExecFailed: /bin/dbus-launch terminated abnormally with the following error: No protocol specified
Jan 23 15:46:06 I7 pulseaudio[5538]: main.c: Autolaunch error: X11 initialization failed.
Jan 23 15:46:07 I7 mpd: avahi: Service 'Music Player' successfully established.
Jan 23 15:46:08 I7 setroubleshoot: SELinux is preventing /usr/bin/mpd from search access on the directory /var/run/gdm. For complete SELinux messages. run sealert -l 74e53376-7f10-4cbb-b132-c773766a0cbf
Jan 23 15:46:08 I7 setroubleshoot: SELinux is preventing /usr/bin/mpd from name_connect access on the tcp_socket port 6000. For complete SELinux messages. run sealert -l 3f1fa222-0627-43ac-98a9-7ee11b52b5de

$ ls /bin/dbus-launch
ls: cannot access /bin/dbus-launch: No such file or directory

And I still have no sound.
So, I guess it's a pulseaudio bug.

$ yum info pulseaudio  
Installed Packages
Name        : pulseaudio
Arch        : x86_64
Version     : 0.9.21
Release     : 7.fc14
Comment 17 Daniel Walsh 2011-01-24 16:30:15 UTC 
Please attach the output of 

ausearch -m avc -ts recent
Comment 18 infertux 2011-01-24 16:49:19 UTC 
Created attachment 474992 [details]
Output of "ausearch -m avc -ts recent"
Comment 19 Miroslav Grepl 2011-01-24 17:12:11 UTC 
I dit not dontaudit these rules. Will do it.

Anyway your problem is not SELinux.
Comment 20 Fedora Update System 2011-01-25 20:57:19 UTC 
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.