Bug 1159241 - SELinux is preventing /usr/bin/pulseaudio from 'execute' accesses on the file .
Summary: SELinux is preventing /usr/bin/pulseaudio from 'execute' accesses on the file .
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:09aeec6678536d1e9a3547f2e01...
: 1159242 1159243 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-10-31 09:50 UTC by Cesar Eduardo Barros
Modified: 2014-11-10 06:21 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.12.1-193.fc20
Clone Of:
Environment:
Last Closed: 2014-11-10 06:21:41 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Cesar Eduardo Barros 2014-10-31 09:50:43 UTC
Description of problem:
Pressed the "volume down" key in the keyboard, while on a selinux-restricted user (user_u). The resulting crash was appended to https://bugzilla.redhat.com/show_bug.cgi?id=1101073 by ABRT.
SELinux is preventing /usr/bin/pulseaudio from 'execute' accesses on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If você acredita que o pulseaudio deva ser permitido acesso de execute em  file  por default.
Then você precisa reportar este como um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso agora executando:
# grep 616C73612D73696E6B2D48444D4920 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                user_u:user_r:pulseaudio_t:s0
Target Context                user_u:object_r:user_tmp_t:s0
Target Objects                 [ file ]
Source                        616C73612D73696E6B2D48444D4920
Source Path                   /usr/bin/pulseaudio
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           pulseaudio-5.0-7.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-192.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.6-203.fc20.x86_64 #1 SMP Sat
                              Oct 25 12:44:32 UTC 2014 x86_64 x86_64
Alert Count                   8
First Seen                    2014-10-31 07:22:19 BRST
Last Seen                     2014-10-31 07:22:30 BRST
Local ID                      cc9773bb-e883-45bd-b03d-76c8e40caf2b

Raw Audit Messages
type=AVC msg=audit(1414747350.949:530): avc:  denied  { execute } for  pid=7783 comm=616C73612D73696E6B2D48444D4920 path=2F746D702F6F7263657865632E527A50546968202864656C6574656429 dev="tmpfs" ino=160116 scontext=user_u:user_r:pulseaudio_t:s0 tcontext=user_u:object_r:user_tmp_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1414747350.949:530): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=10000 a2=5 a3=1 items=0 ppid=1 pid=7783 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=8 comm=616C73612D73696E6B2D48444D4920 exe=/usr/bin/pulseaudio subj=user_u:user_r:pulseaudio_t:s0 key=(null)

Hash: 616C73612D73696E6B2D48444D4920,pulseaudio_t,user_tmp_t,file,execute

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.6-203.fc20.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2014-11-03 10:06:18 UTC
*** Bug 1159243 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2014-11-03 10:06:30 UTC
*** Bug 1159242 has been marked as a duplicate of this bug. ***

Comment 3 Lukas Vrabec 2014-11-03 10:09:02 UTC
Hi,

Look at the comm and path, this values are weird. This happened just once? It's broken something in your system related to pulseaudio?

Comment 4 Miroslav Grepl 2014-11-03 11:18:09 UTC
Lukas,
we allow it in F21.

#============= pulseaudio_t ==============

#!!!! This avc is allowed in the current policy
allow pulseaudio_t user_tmp_t:file execute;

Comment 5 Lukas Vrabec 2014-11-03 11:38:43 UTC
commit 9659b435aef194f7ea4719f408f7d7e1d4461ef8
Author: Dan Walsh <dwalsh>
Date:   Fri Oct 17 10:01:42 2014 -0400

    xserver_manage_xdm_tmp_files is depracated and replaced with userdom_manage_user_tmp_files, pulseaudio needs to execute user_tmp_t to run bluejeans

Comment 6 Fedora Update System 2014-11-03 16:41:50 UTC
selinux-policy-3.12.1-193.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-193.fc20

Comment 7 Cesar Eduardo Barros 2014-11-03 21:57:41 UTC
(In reply to Lukas Vrabec from comment #3)
> Hi,
> 
> Look at the comm and path, this values are weird. This happened just once?
> It's broken something in your system related to pulseaudio?

I could reproduce it. I don't know if anything broke, I don't use audio with that user account (I pressed the volume down key by mistake).

Comment 8 Fedora Update System 2014-11-05 03:54:08 UTC
Package selinux-policy-3.12.1-193.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-193.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14228/selinux-policy-3.12.1-193.fc20
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-11-10 06:21:41 UTC
selinux-policy-3.12.1-193.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.