| Summary: | mpd prevented from playing music | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Raphael Groner <projects.rg> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-24 08:57:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
What kind of stream is accepting connections on tcp:9907? Is it normal for stream services to accept connections on port tcp:9907? I guess we're running into the same issue as we did with telepathy, where eventually it may be better to just allow mpd to connect to any port.

Nothing changed to the default configuration values …

The easiest fix might be to execute

```
# semanage port -a -t sound_port_t -p tcp 9907
```

But is this a standard port for music to be shared on?

```
# semanage port -a -t sound_port_t -p tcp 9907
```

{no output for several seconds but CPU usage 100% …}

```
libsepol.context_from_record: type sound_port_t is not defined (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 9907:9907 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 9907 - 9907 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
/usr/sbin/semanage: semanage-Transaktion konnte nicht gestartet werden
```

```
# semanage port -a -t soundd_port_t -p tcp 9907
```

will work. Also, could you try to execute

```
# grep -C 2 9907 /etc/mpd.conf
```

```
# semanage port -a -t soundd_port_t -p tcp 9907
```

-> Worked, but 100% CPU usage for some seconds, no output any more.

```
# grep -C 2 9907 /etc/mpd.conf
```

-> nothing

Ok, I am closing this bug for now. If we see a similar bug, we will add a patch. Thank you.
Description of problem:
SELinux prevents mpd from playing music.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-40.fc14.noarch
mpd-0.15.12-1.fc14.x86_64

How reproducible:
always

Steps to Reproduce:
1. start Ario
2. play a stream
3. double click the stream entry in the playlist twice

Actual results:
SELinux pops up.

Expected results:
No SELinux warnings, music listening.

Additional info:

```
SELinux is preventing /usr/bin/mpd from name_connect access on the tcp_socket port 9907.

***** Plugin connect_ports (92.2 confidence) suggests **********************

If you want to allow /usr/bin/mpd to connect to network port 9907
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 9907
    where PORT_TYPE is one of the following: ldap_port_t, dns_port_t, http_cache_port_t, http_port_t, pulseaudio_port_t, soundd_port_t, kerberos_port_t, ocsp_port_t.

***** Plugin catchall_boolean (7.83 confidence) suggests *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'allow_ypbind' boolean.
Do
setsebool -P allow_ypbind 1

***** Plugin catchall (1.41 confidence) suggests ***************************

If you believe that mpd should be allowed name_connect access on the port 9907 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Quellkontext                  system_u:system_r:mpd_t:s0
Zielkontext                   system_u:object_r:port_t:s0
Zielobjekte                   port 9907 [ tcp_socket ]
Quelle                        mpd
Quellpfad                     /usr/bin/mpd
Port                          9907
Host                          lokalhorst.lokal
RPM-Pakete der Quelle         mpd-0.15.12-1.fc14
RPM-Pakete des Ziels
Richtlinien-RPM               selinux-policy-3.9.7-40.fc14
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Enforcing
Rechnername                   lokalhorst.lokal
Plattform                     Linux lokalhorst.lokal 2.6.35.13-91.fc14.x86_64 #1 SMP Tue May 3 13:23:06 UTC 2011 x86_64 x86_64
Anzahl der Alarme             2
Zuerst gesehen                Mo 23 Mai 2011 22:54:41 CEST
Zuletzt gesehen               Mo 23 Mai 2011 22:54:46 CEST
Lokale ID                     2a1c37bb-4e7d-4b09-b943-dd2fefc724ec

Raw-Audit-Meldungen
type=AVC msg=audit(1306184086.314:81): avc: denied { name_connect } for pid=20706 comm="mpd" dest=9907 scontext=system_u:system_r:mpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1306184086.314:81): arch=x86_64 syscall=connect success=no exit=EACCES a0=b a1=7f706f77c790 a2=10 a3=0 items=0 ppid=1 pid=20706 auid=4294967295 uid=492 gid=482 euid=492 suid=492 fsuid=492 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm=mpd exe=/usr/bin/mpd subj=system_u:system_r:mpd_t:s0 key=(null)

Hash: mpd,mpd_t,port_t,tcp_socket,name_connect

audit2allow

#============= mpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow mpd_t port_t:tcp_socket name_connect;

audit2allow -R

#============= mpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow mpd_t port_t:tcp_socket name_connect;
```
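The following helper turns the raw AVC record above into the targeted port relabel the thread converged on (a `semanage port` entry, rather than the blanket `allow mpd_t port_t:tcp_socket name_connect` that audit2allow proposes), and rejects a port type the policy does not define before semanage fails late inside libsepol as it did with `sound_port_t`. This is an added example, not code from the bug report or the selinux-policy project; `KNOWN_PORT_TYPES` is a constructed list of the types setroubleshoot offered here and would come from `semanage port -l` on a real host.

```shell
#!/bin/sh
# Added example, not from the bug report: derive the "semanage port" command
# for an AVC name_connect denial and refuse port types the policy does not
# define (semanage only reports "type sound_port_t is not defined" late, from
# libsepol).  KNOWN_PORT_TYPES is constructed from the types setroubleshoot
# listed on this page; on a real host use "semanage port -l" or "seinfo -t".
KNOWN_PORT_TYPES="ldap_port_t dns_port_t http_cache_port_t http_port_t pulseaudio_port_t soundd_port_t kerberos_port_t ocsp_port_t"

# Constructed sample input: the raw AVC record from the report, as one line.
SAMPLE_AVC='type=AVC msg=audit(1306184086.314:81): avc: denied { name_connect } for pid=20706 comm="mpd" dest=9907 scontext=system_u:system_r:mpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: print the value of KEY=value in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# port_type_exists TYPE: 0 if TYPE is defined in the policy, 1 otherwise.
port_type_exists() {
    for known in $KNOWN_PORT_TYPES; do
        [ "$known" = "$1" ] && return 0
    done
    return 1
}

# avc_to_semanage LINE PORT_TYPE: print the semanage command that labels the
# denied destination port.  Only a name_connect denial against a still
# unlabelled port (port_t) qualifies; an already labelled port means the
# daemon needs a policy rule for that type, not a port relabel.
avc_to_semanage() {
    line=$1; ptype=$2
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p')
    port=$(avc_field "$line" dest)
    class=$(avc_field "$line" tclass)
    tctx=$(avc_field "$line" tcontext)
    ttype=${tctx#*:*:}; ttype=${ttype%%:*}        # e.g. port_t
    [ "$perm" = name_connect ] || { echo "not a name_connect denial" >&2; return 2; }
    [ "$ttype" = port_t ] || { echo "port already labelled $ttype" >&2; return 3; }
    case $class in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) echo "unexpected class $class" >&2; return 4 ;;
    esac
    port_type_exists "$ptype" || { echo "unknown port type $ptype" >&2; return 1; }
    printf 'semanage port -a -t %s -p %s %s\n' "$ptype" "$proto" "$port"
}

# Demo: the type proposed first in the thread versus the one that exists.
for t in sound_port_t soundd_port_t; do
    avc_to_semanage "$SAMPLE_AVC" "$t" || echo "skipped $t (rc=$?)"
done
```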