Bug 1015910 - selinux with confined users (staff_u) does not allow audio
selinux with confined users (staff_u) does not allow audio
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-10-06 13:33 EDT by bodhi.zazen
Modified: 2013-10-07 20:18 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-10-07 10:17:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
raw avc denials (11.28 KB, text/plain)
2013-10-06 13:33 EDT, bodhi.zazen
no flags Details

  None (edit)
Description bodhi.zazen 2013-10-06 13:33:04 EDT
Created attachment 808583 [details]
raw avc denials

Description of problem: Selinux is preventing staff_u from using audio.

Version-Release number of selected component (if applicable): I found the problem with aucacuious

How reproducible:

Steps to Reproduce:
1. selinux enabled
2. confine user(s) as staff_u
3. attempt to run audacity

Actual results: Audacity does not run

Expected results: Audacity runs and I can play music files

Additional info:

Attaching raw avc denials

myaudacious.te :

module myaudacious 1.0;

require {
	type staff_t;
	type unconfined_t;
	class unix_stream_socket connectto;

#============= staff_t ==============
allow staff_t unconfined_t:unix_stream_socket connectto;
Comment 1 bodhi.zazen 2013-10-06 13:41:30 EDT
note: user_u do not have this problem, only staff_u
Comment 2 Daniel Walsh 2013-10-07 09:50:48 EDT
No it would not work either.  The problem here is the audio server is running as unconfined_t.  Did you start it outside of the service script?
Comment 3 Miroslav Grepl 2013-10-07 10:17:01 EDT
I believe this problem happens if you switch from unconfined_u to staff_u.
Comment 4 bodhi.zazen 2013-10-07 12:53:19 EDT
Thank you both for looking at this report.

I installed Fedora 20 (alpha) and confined my users (user_u and one staff_u).

It is the xcfe spin and the audio server was started automatically, I believe at log in.

At any rate, no, I did not start the server manually.

user_u can use audio without any problem.

only staff_u had a problem with the audio server.
Comment 5 Daniel Walsh 2013-10-07 13:08:43 EDT
bodhi.  Bottom line, if you switched to staff_u and then rebooted it would not have happened.  Perhaps you had a left over process running as unconfined_t (Pulseaudio?) that staff_t was trying to communicate with.
Comment 6 bodhi.zazen 2013-10-07 20:18:19 EDT
Thank you once again for your patience Daniel, rebooting indeed resolved the issue.

Note You need to log in before you can comment on or make changes to this bug.