Bug 1005453 - SELinux is preventing /usr/bin/pulseaudio from using the 'setcap' accesses on a process.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64 Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:a10e33b9e2ab6b7f4791ebf4840...
Keywords: Reopened
Reported: 2013-09-07 01:02 EDT by Sai Kiran Kanuri
Modified: 2014-03-21 05:25 EDT
Fixed In Version: selinux-policy-3.12.1-135.fc20
Doc Type: Bug Fix
Last Closed: 2014-03-21 05:25:01 EDT


Description Sai Kiran Kanuri 2013-09-07 01:02:45 EDT
Description of problem:
Installed MPD.
SELinux is preventing /usr/bin/pulseaudio from using the 'setcap' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that pulseaudio should be allowed setcap access on processes labeled mpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pulseaudio /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mpd_t:s0
Target Context                system_u:system_r:mpd_t:s0
Target Objects                 [ process ]
Source                        pulseaudio
Source Path                   /usr/bin/pulseaudio
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           pulseaudio-3.0-10.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.10-200.fc19.x86_64 #1 SMP Thu
                              Aug 29 19:05:45 UTC 2013 x86_64 x86_64
Alert Count                   15
First Seen                    2013-08-30 23:50:12 IST
Last Seen                     2013-09-06 23:20:04 IST
Local ID                      9484e819-ed01-49b1-b520-76e7a7189038

Raw Audit Messages
type=AVC msg=audit(1378489804.139:577): avc:  denied  { setcap } for  pid=1550 comm="pulseaudio" scontext=system_u:system_r:mpd_t:s0 tcontext=system_u:system_r:mpd_t:s0 tclass=process


type=SYSCALL msg=audit(1378489804.139:577): arch=x86_64 syscall=capset success=yes exit=0 a0=13ee044 a1=13ee04c a2=13ee040 a3=0 items=0 ppid=1441 pid=1550 auid=4294967295 uid=987 gid=985 euid=987 suid=987 fsuid=987 egid=985 sgid=985 fsgid=985 ses=4294967295 tty=(none) comm=pulseaudio exe=/usr/bin/pulseaudio subj=system_u:system_r:mpd_t:s0 key=(null)

Hash: pulseaudio,mpd_t,mpd_t,process,setcap

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.10-200.fc19.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-09-07 07:41:38 EDT
I guess mpd should transition to pulseaudio?

Miroslav, have we tried this in the past?
Comment 2 Miroslav Grepl 2013-09-09 13:21:57 EDT
AFAIK yes, and it caused issues. We could try to re-test it. Basically, the idea is that we have pulseaudio running in the caller domain.

gpg.te:	pulseaudio_exec(gpg_pinentry_t)
mozilla.te:	pulseaudio_exec(mozilla_t)
mozilla.te:	pulseaudio_exec(mozilla_plugin_t)
mpd.te:	pulseaudio_exec(mpd_t)
nsplugin.te:	pulseaudio_exec(nsplugin_t)
Comment 3 Daniel Walsh 2013-09-10 11:29:41 EDT
OK, then let's add the access.
Comment 4 Fedora Update System 2013-09-12 05:09:36 EDT
selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19
Comment 5 Fedora Update System 2013-09-12 20:58:47 EDT
Package selinux-policy-3.12.1-74.3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-09-13 22:30:48 EDT
selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 vaxon 2014-02-24 14:19:25 EST
This still happens on Fedora 20:

SELinux is preventing /usr/bin/pulseaudio from using the setcap access on a process.

*****  Plugin mozplugger (99.1 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall (1.81 confidence) suggests   **************************

If you believe that pulseaudio should be allowed setcap access on processes labeled mozilla_plugin_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pulseaudio /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Objects                 [ process ]
Source                        pulseaudio
Source Path                   /usr/bin/pulseaudio
Port                          <Unknown>
Host                          black.localnet
Source RPM Packages           pulseaudio-4.0-9.gitf81e3.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     black.localnet
Platform                      Linux black.localnet 3.13.3-201.fc20.x86_64 #1 SMP
                              Fri Feb 14 19:08:32 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-02-24 18:15:02 MSK
Last Seen                     2014-02-24 18:16:07 MSK
Local ID                      f73354f7-6756-4d9c-8c28-3d52fe89402f

Raw Audit Messages
type=AVC msg=audit(1393251367.345:463): avc:  denied  { setcap } for  pid=20609 comm="pulseaudio" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1393251367.345:463): arch=x86_64 syscall=capset success=no exit=EACCES a0=25cd044 a1=25cd04c a2=25cd040 a3=386061c310 items=0 ppid=20574 pid=20609 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 ses=1 tty=(none) comm=pulseaudio exe=/usr/bin/pulseaudio subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: pulseaudio,mozilla_plugin_t,mozilla_plugin_t,process,setcap

Thanks,
Val.
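
An added illustration, not part of the bug report or of selinux-policy: the sketch below pairs each AVC record with the SYSCALL record that shares its audit event ID, reports whether the capset call was actually blocked, and renders the single rule each denial corresponds to. The log lines are abbreviated from the two reports above, and the function names are hypothetical.

```python
import re

# Records abbreviated from the two reports in this bug (most SYSCALL fields dropped).
SAMPLE_LOG = """\
type=AVC msg=audit(1378489804.139:577): avc:  denied  { setcap } for  pid=1550 comm="pulseaudio" scontext=system_u:system_r:mpd_t:s0 tcontext=system_u:system_r:mpd_t:s0 tclass=process
type=SYSCALL msg=audit(1378489804.139:577): arch=x86_64 syscall=capset success=yes exit=0 pid=1550 comm=pulseaudio exe=/usr/bin/pulseaudio subj=system_u:system_r:mpd_t:s0
type=AVC msg=audit(1393251367.345:463): avc:  denied  { setcap } for  pid=20609 comm="pulseaudio" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1393251367.345:463): arch=x86_64 syscall=capset success=no exit=EACCES pid=20609 comm=pulseaudio exe=/usr/bin/pulseaudio subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(log_text):
    """Join each AVC denial to the SYSCALL record sharing its audit event ID."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rec_type, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events.setdefault(event_id, {"id": event_id, "syscall": None, "blocked": None})
        if rec_type == "AVC" and PERMS_RE.search(line):
            ev["perms"] = PERMS_RE.search(line).group(1).split()
            ev["source"] = fields["scontext"].split(":")[2]  # type is the third field
            ev["target"] = fields["tcontext"].split(":")[2]
            ev["tclass"] = fields["tclass"]
            ev["comm"] = fields["comm"]
        elif rec_type == "SYSCALL":
            ev["syscall"] = fields["syscall"]
            # success=yes next to a denial: logged but not enforced (permissive mode)
            ev["blocked"] = fields["success"] == "no"
    return [e for e in events.values() if "perms" in e]


def allow_rule(ev):
    """Render the rule for one denial, using 'self' when source and target types match."""
    target = "self" if ev["target"] == ev["source"] else ev["target"]
    perms = ev["perms"][0] if len(ev["perms"]) == 1 else "{ %s }" % " ".join(ev["perms"])
    return "allow %s %s:%s %s;" % (ev["source"], target, ev["tclass"], perms)


if __name__ == "__main__":
    labels = {True: "blocked", False: "logged only (permissive)", None: "no SYSCALL record"}
    for ev in parse_denials(SAMPLE_LOG):
        print(ev["id"], ev["comm"], ev["syscall"], labels[ev["blocked"]], "->", allow_rule(ev))
```

Reading the rule per denial this way shows what a local module built from these records would grant before it is loaded with semodule.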
Comment 8 Daniel Walsh 2014-02-24 16:38:48 EST
c027ce43185d1c8ae31d95921363d6c0607daeae allows this in git.
Comment 9 vaxon 2014-02-25 09:11:40 EST
(In reply to vaxon from comment #7)

Somehow, removing ~/.config/pulse/ seems to have fixed the problem.

Thanks,
Val.
Comment 10 Fedora Update System 2014-03-12 03:19:04 EDT
selinux-policy-3.12.1-135.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-135.fc20
Comment 11 Fedora Update System 2014-03-13 01:09:59 EDT
Package selinux-policy-3.12.1-135.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-135.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3813/selinux-policy-3.12.1-135.fc20
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2014-03-21 05:25:01 EDT
selinux-policy-3.12.1-135.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.