Bug 1298432 - SELinux denies acpid ability to run 'pactl' command
Summary: SELinux denies acpid ability to run 'pactl' command
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-01-14 05:23 UTC by John W
Modified: 2016-07-19 20:45 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 20:45:24 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description John W 2016-01-14 05:23:06 UTC 
Description of problem:
Note: This is very similar to bug 1293744, just for a different command.


Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. Set up an acpi handler and corresponding script
2. Have that script try to use 'pactl' to alter the mute status, etc.

Actual Results:  
The script fails, if SELinux is being enforced.

Expected Results:  
The script succeeds, just as it does when SELinux is disabled ("setenforce 0")

With the below local policy, it works as expected - I can, for instance, change the mute status as a result of an acpi event (such as pressing a special key on my keyboard).

There were quite a lot of AVC denial log messages, and some info that is private for my system, so I have not included those.

However, the .te file that audit2allow created is below:

------------


module allow_acpid_access_sudo_pactl 1.0;

require {
	type user_tmp_t;
	type unconfined_t;
	type config_home_t;
	type user_home_dir_t;
	type systemd_logind_sessions_t;
	type apmd_t;
	type tmpfs_t;
	type pulseaudio_home_t;
	class fifo_file write;
	class process { setsched setcap setrlimit };
	class unix_stream_socket connectto;
	class capability { setuid dac_read_search sys_resource setgid net_admin dac_override };
	class file { read lock create write getattr unlink open };
	class sock_file write;
	class dir { search setattr read write getattr rmdir remove_name open add_name };
}

#============= apmd_t ==============

allow apmd_t config_home_t:dir search;
allow apmd_t pulseaudio_home_t:dir search;
allow apmd_t pulseaudio_home_t:file { read lock getattr open };
allow apmd_t self:capability { setuid dac_read_search sys_resource setgid net_admin dac_override };
allow apmd_t self:process { setsched setrlimit setcap };
allow apmd_t systemd_logind_sessions_t:fifo_file write;
allow apmd_t tmpfs_t:dir { read write add_name remove_name };
allow apmd_t tmpfs_t:file { write getattr read create unlink open };

#!!!! The file '/run/user/1000/pulse/native' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /run/user/1000/pulse/native
allow apmd_t unconfined_t:unix_stream_socket connectto;

allow apmd_t user_home_dir_t:dir search;
allow apmd_t user_tmp_t:dir { search setattr read write getattr rmdir remove_name open };
allow apmd_t user_tmp_t:file open;
allow apmd_t user_tmp_t:sock_file write;


------------

Additional info:

Original discussion of why I am attempting to do this in the first place is on this pulseaudio thread: http://lists.freedesktop.org/archives/pulseaudio-discuss/2015-December/025060.html
Comment 1 Fedora End Of Life 2016-07-19 20:45:24 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Note You need to log in before you can comment on or make changes to this bug.