Bug 1037539 - speech-dispatcher runs as init_t
Summary: speech-dispatcher runs as init_t
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: nopolicy 1042890
Blocks: 848829 1241446
Reported: 2013-12-03 10:40 UTC by Milos Malik
Modified: 2016-04-05 15:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1241446 (view as bug list)
Environment:
Last Closed: 2016-04-05 15:53:10 UTC
Target Upstream Version:
Embargoed:



Description Milos Malik 2013-12-03 10:40:08 UTC
Description of problem:
 * speech-dispatcher uses a too powerful SELinux domain

Version-Release number of selected component (if applicable):
speech-dispatcher-0.7.1-13.el7.x86_64
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service speech-dispatcherd status
Redirecting to /bin/systemctl status  speech-dispatcherd.service
speech-dispatcherd.service - Speech-Dispatcher an high-level device independent layer for speech synthesis.
   Loaded: loaded (/usr/lib/systemd/system/speech-dispatcherd.service; disabled)
   Active: inactive (dead)

# service speech-dispatcherd start
Redirecting to /bin/systemctl start  speech-dispatcherd.service
# service speech-dispatcherd status
Redirecting to /bin/systemctl status  speech-dispatcherd.service
speech-dispatcherd.service - Speech-Dispatcher an high-level device independent layer for speech synthesis.
   Loaded: loaded (/usr/lib/systemd/system/speech-dispatcherd.service; disabled)
   Active: active (running) since Tue 2013-12-03 11:37:31 CET; 1s ago
  Process: 19127 ExecStart=/usr/bin/speech-dispatcher -d (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/speech-dispatcherd.service
           ├─19133 [sd_dummy]
           └─19135 /usr/bin/speech-dispatcher -d

Dec 03 11:37:30 rhel70.localdomain speech-dispatcher[19127]: [Tue Dec  3 11:3...
Dec 03 11:37:31 rhel70.localdomain systemd[1]: Started Speech-Dispatcher an ....
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep speech-dispatcher
system_u:system_r:init_t:s0     root     19135     1  0 11:37 ?        00:00:00 /usr/bin/speech-dispatcher -d
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19149 2416  0 11:37 pts/0 00:00:00 grep --color=auto speech-dispatcher
#

Actual results:
 * speech-dispatcher runs as init_t

Expected results:
 * speech-dispatcher runs in its own SELinux domain

Comment 1 Lukas Vrabec 2013-12-20 14:34:53 UTC
commit c0c42f70b277e26e21c75c8d8f2eb3725ebdb981
Author: Lukas Vrabec <lvrabec>
Date:   Fri Dec 20 15:22:01 2013 +0100

    Added new policy for speech-dispatcher

Comment 2 Milos Malik 2014-01-21 21:14:58 UTC
There are no AVCs but it's not possible to start speech-dispatcherd service in enforcing mode. The service can be started in permissive mode and here are the AVCs:

----
type=PATH msg=audit(01/21/2014 22:09:41.657:811) : item=1 name=/root/.speech-dispatcher inode=17169485 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=CREATE 
type=PATH msg=audit(01/21/2014 22:09:41.657:811) : item=0 name=/root/ inode=16818305 dev=fd:03 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT 
type=CWD msg=audit(01/21/2014 22:09:41.657:811) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.657:811) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x1049970 a1=0700 a2=0x1049970 a3=0x7fff12a32a10 items=2 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc:  denied  { create } for  pid=7293 comm=speech-dispatch name=.speech-dispatcher scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc:  denied  { add_name } for  pid=7293 comm=speech-dispatch name=.speech-dispatcher scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc:  denied  { write } for  pid=7293 comm=speech-dispatch name=root dev="vda3" ino=16818305 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc:  denied  { dac_override } for  pid=7293 comm=speech-dispatch capability=dac_override  scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:system_r:speech-dispatcher_t:s0 tclass=capability 
----
type=PATH msg=audit(01/21/2014 22:09:41.660:812) : item=1 name=/root/.speech-dispatcher/pid/speech-dispatcher.pid inode=25676487 dev=fd:03 mode=file,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=CREATE 
type=PATH msg=audit(01/21/2014 22:09:41.660:812) : item=0 name=/root/.speech-dispatcher/pid/ inode=25179993 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT 
type=CWD msg=audit(01/21/2014 22:09:41.660:812) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.660:812) : arch=x86_64 syscall=open success=yes exit=3 a0=0x1049900 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x1 items=2 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.660:812) : avc:  denied  { write open } for  pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/pid/speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file 
type=AVC msg=audit(01/21/2014 22:09:41.660:812) : avc:  denied  { create } for  pid=7293 comm=speech-dispatch name=speech-dispatcher.pid scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file 
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.661:813) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7fff12a323f0 a2=0x7fff12a323f0 a3=0x0 items=0 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.661:813) : avc:  denied  { getattr } for  pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/pid/speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file 
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.661:814) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x3 a1=F_SETLK a2=0x7fff12a32c00 a3=0x7fff12a329c0 items=0 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.661:814) : avc:  denied  { lock } for  pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/pid/speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file 
----
type=PATH msg=audit(01/21/2014 22:09:41.661:815) : item=1 name=/root/.speech-dispatcher/log//speechd.log inode=69156 dev=fd:03 mode=file,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=CREATE 
type=PATH msg=audit(01/21/2014 22:09:41.661:815) : item=0 name=/root/.speech-dispatcher/log// inode=32188 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT 
type=CWD msg=audit(01/21/2014 22:09:41.661:815) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.661:815) : arch=x86_64 syscall=open success=yes exit=7 a0=0x104c580 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x70732f2f676f6c2f items=2 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.661:815) : avc:  denied  { append } for  pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/log/speechd.log dev="vda3" ino=69156 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file 
----
type=PATH msg=audit(01/21/2014 22:09:41.662:816) : item=1 name=(null) inode=17427267 dev=fd:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL 
type=PATH msg=audit(01/21/2014 22:09:41.662:816) : item=0 name=/usr/lib64/speech-dispatcher-modules/sd_espeak inode=1713993 dev=fd:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/21/2014 22:09:41.662:816) :  cwd=/ 
type=EXECVE msg=audit(01/21/2014 22:09:41.662:816) : argc=2 a1=/etc/speech-dispatcher/modules//espeak.conf 
type=SYSCALL msg=audit(01/21/2014 22:09:41.662:816) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x104c8f0 a1=0x7fff12a2fa40 a2=0x7fff12a32e10 a3=0x7fff12a31870 items=2 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.662:816) : avc:  denied  { execute_no_trans } for  pid=7295 comm=speech-dispatch path=/usr/lib64/speech-dispatcher-modules/sd_espeak dev="vda3" ino=1713993 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file 
----
type=PATH msg=audit(01/21/2014 22:09:41.733:817) : item=0 name=/root/.config/pulse/client.conf objtype=UNKNOWN 
type=CWD msg=audit(01/21/2014 22:09:41.733:817) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.733:817) : arch=x86_64 syscall=open success=no exit=-2(No such file or directory) a0=0xddef20 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.733:817) : avc:  denied  { search } for  pid=7295 comm=sd_espeak name=pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir 
----
type=PATH msg=audit(01/21/2014 22:09:41.735:818) : item=0 name=/root/.config/pulse/cookie inode=25668792 dev=fd:03 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/21/2014 22:09:41.735:818) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.735:818) : arch=x86_64 syscall=open success=yes exit=11 a0=0xdde920 a1=O_RDONLY|O_NOCTTY|O_CLOEXEC a2=0x180 a3=0x7fff5c60ce00 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.735:818) : avc:  denied  { open } for  pid=7295 comm=sd_espeak path=/root/.config/pulse/cookie dev="vda3" ino=25668792 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=file 
type=AVC msg=audit(01/21/2014 22:09:41.735:818) : avc:  denied  { read } for  pid=7295 comm=sd_espeak name=cookie dev="vda3" ino=25668792 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=file 
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.735:819) : arch=x86_64 syscall=fcntl success=no exit=-9(Bad file descriptor) a0=0xb a1=F_SETLKW a2=0x7fff5c60d020 a3=0x7fff5c60ce30 items=0 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.735:819) : avc:  denied  { lock } for  pid=7295 comm=sd_espeak path=/root/.config/pulse/cookie dev="vda3" ino=25668792 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=file 
----
type=PATH msg=audit(01/21/2014 22:09:41.735:820) : item=0 name=/dev/shm/ inode=5752 dev=00:11 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/21/2014 22:09:41.735:820) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.735:820) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x7f8b75116150 a1=0x7fff5c60cf40 a2=0x1 a3=0x7fff5c60ccc0 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.735:820) : avc:  denied  { getattr } for  pid=7295 comm=sd_espeak name=/ dev="tmpfs" ino=5752 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem 
----
type=PATH msg=audit(01/21/2014 22:09:41.736:821) : item=0 name=/root/.config/pulse inode=25572285 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/21/2014 22:09:41.736:821) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.736:821) : arch=x86_64 syscall=open success=yes exit=10 a0=0xddea50 a1=O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC a2=0xffffffff a3=0x7fff5c60cef0 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.736:821) : avc:  denied  { open } for  pid=7295 comm=sd_espeak path=/root/.config/pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir 
type=AVC msg=audit(01/21/2014 22:09:41.736:821) : avc:  denied  { read } for  pid=7295 comm=sd_espeak name=pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.736:822) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xa a1=0x7fff5c60d160 a2=0x7fff5c60d160 a3=0x7fff5c60cef0 items=0 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.736:822) : avc:  denied  { getattr } for  pid=7295 comm=sd_espeak path=/root/.config/pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir 
----
type=PATH msg=audit(01/21/2014 22:09:41.736:823) : item=0 name=(null) inode=25572285 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL 
type=SYSCALL msg=audit(01/21/2014 22:09:41.736:823) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xa a1=0x0 a2=0x0 a3=0x7fff5c60cef0 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.736:823) : avc:  denied  { setattr } for  pid=7295 comm=sd_espeak name=pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir 
----
type=PATH msg=audit(01/21/2014 22:09:41.737:824) : item=0 name=/root/.config/pulse/52107acb55482f46398d06f35ed37412-runtime inode=25676480 dev=fd:03 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/21/2014 22:09:41.737:824) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.737:824) : arch=x86_64 syscall=readlink success=yes exit=23 a0=0xddefa0 a1=0xddea50 a2=0x63 a3=0x7fff5c60d000 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.737:824) : avc:  denied  { read } for  pid=7295 comm=sd_espeak name=52107acb55482f46398d06f35ed37412-runtime dev="vda3" ino=25676480 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=lnk_file 
----
type=PATH msg=audit(01/21/2014 22:09:41.738:825) : item=0 name=/root/.config inode=20141882 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:config_home_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/21/2014 22:09:41.738:825) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.738:825) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0xdd39b0 a1=0x7fff5c60d210 a2=0x7fff5c60d210 a3=0x1 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.738:825) : avc:  denied  { getattr } for  pid=7295 comm=sd_espeak path=/root/.config dev="vda3" ino=20141882 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir 
----
type=PATH msg=audit(01/21/2014 22:09:41.738:826) : item=0 name=/root/.config/pulse/52107acb55482f46398d06f35ed37412-runtime inode=25676480 dev=fd:03 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/21/2014 22:09:41.738:826) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.738:826) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0xdd39b0 a1=0x7fff5c60d210 a2=0x7fff5c60d210 a3=0x6e75722d32313437 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.738:826) : avc:  denied  { getattr } for  pid=7295 comm=sd_espeak path=/root/.config/pulse/52107acb55482f46398d06f35ed37412-runtime dev="vda3" ino=25676480 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=lnk_file 
----
type=PATH msg=audit(01/21/2014 22:09:41.745:827) : item=0 name=/etc/resolv.conf inode=8820765 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/21/2014 22:09:41.745:827) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.745:827) : arch=x86_64 syscall=open success=yes exit=13 a0=0x7f6c9fd9f448 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=1 ppid=7293 pid=7300 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_festival exe=/usr/lib64/speech-dispatcher-modules/sd_festival subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.745:827) : avc:  denied  { open } for  pid=7300 comm=sd_festival path=/etc/resolv.conf dev="vda3" ino=8820765 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file 
type=AVC msg=audit(01/21/2014 22:09:41.745:827) : avc:  denied  { read } for  pid=7300 comm=sd_festival name=resolv.conf dev="vda3" ino=8820765 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.746:828) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xd a1=0x7fff407a3c30 a2=0x7fff407a3c30 a3=0x0 items=0 ppid=7293 pid=7300 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_festival exe=/usr/lib64/speech-dispatcher-modules/sd_festival subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.746:828) : avc:  denied  { getattr } for  pid=7300 comm=sd_festival path=/etc/resolv.conf dev="vda3" ino=8820765 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file 
----
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=4 name=(null) inode=17582883 dev=fd:03 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=CREATE 
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=3 name=(null) inode=17169485 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT 
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=1 name=(null) inode=17169485 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT 
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=0 name=(null) inode=17169485 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(01/21/2014 22:09:41.755:829) : saddr=local /root/.speech-dispatcher/speechd.sock 
type=SYSCALL msg=audit(01/21/2014 22:09:41.755:829) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xf a1=0x7fff12a32bb0 a2=0x27 a3=0x7fff12a32970 items=5 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.755:829) : avc:  denied  { create } for  pid=7293 comm=speech-dispatch name=speechd.sock scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=sock_file 
----
type=PATH msg=audit(01/21/2014 22:09:41.759:831) : item=1 name=/root/.speech-dispatcher/pid/speech-dispatcher.pid inode=25676487 dev=fd:03 mode=file,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=DELETE 
type=PATH msg=audit(01/21/2014 22:09:41.759:831) : item=0 name=/root/.speech-dispatcher/pid/ inode=25179993 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT 
type=CWD msg=audit(01/21/2014 22:09:41.759:831) :  cwd=/ 
type=SYSCALL msg=audit(01/21/2014 22:09:41.759:831) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x1049900 a1=0x2 a2=0x7fff12a32ba0 a3=0x7fff12a32a10 items=2 ppid=1 pid=7303 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(01/21/2014 22:09:41.759:831) : avc:  denied  { unlink } for  pid=7303 comm=speech-dispatch name=speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file 
type=AVC msg=audit(01/21/2014 22:09:41.759:831) : avc:  denied  { remove_name } for  pid=7303 comm=speech-dispatch name=speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
----

I'm surprised that speech-dispatcher (in default configuration) uses /root/.speech-dispatcher directory for storing PID and log files.
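
Added example, not part of the original bug report or of any Red Hat tooling: a small Python script that collapses AVC denials like the ones in comment 2 into audit2allow-style rules, so a reviewer can see at a glance what the speech-dispatcher_t domain asked for and which foreign types it tried to modify. The function names and the WRITE_LIKE set are assumptions made for this illustration; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Sample input: eight AVC lines copied from comment 2 (ausearch -i style output).
SAMPLE = """\
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc:  denied  { create } for  pid=7293 comm=speech-dispatch name=.speech-dispatcher scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc:  denied  { add_name } for  pid=7293 comm=speech-dispatch name=.speech-dispatcher scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc:  denied  { write } for  pid=7293 comm=speech-dispatch name=root dev="vda3" ino=16818305 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc:  denied  { dac_override } for  pid=7293 comm=speech-dispatch capability=dac_override  scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:system_r:speech-dispatcher_t:s0 tclass=capability
type=AVC msg=audit(01/21/2014 22:09:41.660:812) : avc:  denied  { write open } for  pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/pid/speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(01/21/2014 22:09:41.662:816) : avc:  denied  { execute_no_trans } for  pid=7295 comm=speech-dispatch path=/usr/lib64/speech-dispatcher-modules/sd_espeak dev="vda3" ino=1713993 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(01/21/2014 22:09:41.735:818) : avc:  denied  { open } for  pid=7295 comm=sd_espeak path=/root/.config/pulse/cookie dev="vda3" ino=25668792 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=file
type=AVC msg=audit(01/21/2014 22:09:41.735:818) : avc:  denied  { read } for  pid=7295 comm=sd_espeak name=cookie dev="vda3" ino=25668792 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=file
"""

# Permission list, source context, target context and object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s.*?"
    r"\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

# Permissions that change the target object (assumption: a review shortlist,
# not an exhaustive list of SELinux write-class permissions).
WRITE_LIKE = {"write", "append", "create", "unlink", "add_name",
              "remove_name", "setattr"}


def context_type(context):
    """Return the type field of user:role:type:level (level may contain ':')."""
    return context.split(":", 3)[2]


def aggregate(text):
    """Map (source type, target type or 'self', class) -> set of denied perms."""
    rules = defaultdict(set)
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # PATH, CWD, SYSCALL records and separators carry no rule
        perms, scontext, tcontext, tclass = match.groups()
        src, tgt = context_type(scontext), context_type(tcontext)
        if tgt == src:
            tgt = "self"
        rules[(src, tgt, tclass)].update(perms.split())
    return dict(rules)


def render(rules):
    """Render the aggregated denials as allow rules, sorted for stable diffs."""
    lines = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        lines.append(f"allow {src} {tgt}:{tclass} {body};")
    return lines


def write_targets(rules):
    """List (target type, class) pairs the domain tried to modify."""
    return sorted({(tgt, tclass) for (_, tgt, tclass), perms in rules.items()
                   if perms & WRITE_LIKE})


if __name__ == "__main__":
    summary = aggregate(SAMPLE)
    print("\n".join(render(summary)))
    print("modifies:", write_targets(summary))
```

The rendered rules are a review aid, not a policy to load as-is: here the write targets are all admin_home_t, which matches the observation in comment 2 about PID and log files under /root.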

Comment 3 Ludek Smid 2014-06-26 10:49:32 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Comment 4 Ludek Smid 2014-06-26 11:14:53 UTC
The comment above is incorrect. The correct version is below.
I'm sorry for any inconvenience.
---------------------------------------------------------------

This request was NOT resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you need
to escalate this bug.

Comment 5 Milos Malik 2014-09-28 09:42:46 UTC
# rpm -qa speech\* selinux\* | sort
selinux-policy-3.12.1-153.el7_0.11.noarch
selinux-policy-devel-3.12.1-153.el7_0.11.noarch
selinux-policy-sandbox-3.12.1-153.el7_0.11.noarch
selinux-policy-targeted-3.12.1-153.el7_0.11.noarch
speech-dispatcher-0.7.1-15.el7
#

The following AVC appeared in enforcing mode:
----
type=PATH msg=audit(09/28/2014 05:40:28.984:1057) : item=1 name=/root/.speech-dispatcher objtype=CREATE 
type=PATH msg=audit(09/28/2014 05:40:28.984:1057) : item=0 name=/root/ inode=67160193 dev=fd:01 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT 
type=CWD msg=audit(09/28/2014 05:40:28.984:1057) :  cwd=/ 
type=SYSCALL msg=audit(09/28/2014 05:40:28.984:1057) : arch=s390x syscall=mkdir success=no exit=-13(Permission denied) a0=0x8ddbbc70 a1=0700 a2=0x80007888 a3=0x0 items=2 ppid=1 pid=38076 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null) 
type=AVC msg=audit(09/28/2014 05:40:28.984:1057) : avc:  denied  { dac_override } for  pid=38076 comm=speech-dispatch capability=dac_override  scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:system_r:speech-dispatcher_t:s0 tclass=capability 
----

Comment 6 Lukas Vrabec 2014-09-29 10:15:40 UTC
Hi Mirek, 

Please check:
https://bugzilla.redhat.com/show_bug.cgi?id=1042890

Probably we don't want policy for speech-dispatcher.

Comment 9 Lukas Vrabec 2015-07-09 09:11:25 UTC
Moving to 7.3. 
We must create policy in fedora first.

Comment 11 Lukas Vrabec 2016-04-05 15:53:10 UTC
From rhbz#1042890 comment2:
"Running speech-dispatcher as a system service doesn't make sense since we ship it configured (in /etc/speech-dispatcher/speechd.conf) to auto-spawn a user instance whenever the client side library needs it."

I am closing this issue as WONTFIX, because it doesn't make sense to run speech-dispatcher as a service, so new policy is not necessary.

