Description of problem:
Note: This is very similar to bug 1293744, just for a different command.

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Set up an acpi handler and corresponding script
2. Have that script try to use 'pactl' to alter the mute status, etc.

Actual Results:
The script fails if SELinux is being enforced.

Expected Results:
The script succeeds, just as it does when SELinux is disabled ("setenforce 0").

With the below local policy, it works as expected - I can, for instance, change the mute status as a result of an acpi event (such as pressing a special key on my keyboard).

There were quite a lot of AVC denial log messages, and some info that is private for my system, so I have not included those. However, the .te file that audit2allow created is below:

------------
module allow_acpid_access_sudo_pactl 1.0;

require {
	type user_tmp_t;
	type unconfined_t;
	type config_home_t;
	type user_home_dir_t;
	type systemd_logind_sessions_t;
	type apmd_t;
	type tmpfs_t;
	type pulseaudio_home_t;
	class fifo_file write;
	class process { setsched setcap setrlimit };
	class unix_stream_socket connectto;
	class capability { setuid dac_read_search sys_resource setgid net_admin dac_override };
	class file { read lock create write getattr unlink open };
	class sock_file write;
	class dir { search setattr read write getattr rmdir remove_name open add_name };
}

#============= apmd_t ==============
allow apmd_t config_home_t:dir search;
allow apmd_t pulseaudio_home_t:dir search;
allow apmd_t pulseaudio_home_t:file { read lock getattr open };
allow apmd_t self:capability { setuid dac_read_search sys_resource setgid net_admin dac_override };
allow apmd_t self:process { setsched setrlimit setcap };
allow apmd_t systemd_logind_sessions_t:fifo_file write;
allow apmd_t tmpfs_t:dir { read write add_name remove_name };
allow apmd_t tmpfs_t:file { write getattr read create unlink open };

#!!!! The file '/run/user/1000/pulse/native' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/user/1000/pulse/native
allow apmd_t unconfined_t:unix_stream_socket connectto;
allow apmd_t user_home_dir_t:dir search;
allow apmd_t user_tmp_t:dir { search setattr read write getattr rmdir remove_name open };
allow apmd_t user_tmp_t:file open;
allow apmd_t user_tmp_t:sock_file write;
------------

Additional info:
Original discussion of why I am attempting to do this in the first place is on this pulseaudio thread: http://lists.freedesktop.org/archives/pulseaudio-discuss/2015-December/025060.html
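A triage pass over the audit2allow output, added here as an example (it is not part of the report and not a tool shipped with audit2allow): it parses the allow rules and the '#!!!!' mislabel hints and lists the grants a reviewer would question before installing the module. The RISKY_CAPS set and the function names are my own choices; SAMPLE_TE is a constructed excerpt of the rules quoted above.

```python
import re

# Capabilities that bypass DAC checks or change identity; a reviewer should
# justify each one before granting it to the acpid domain (list is my own choice).
RISKY_CAPS = {"dac_override", "dac_read_search", "setuid", "setgid", "net_admin"}

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")
MISLABEL_RE = re.compile(r"^#!!!!\s+The file '([^']+)' is mislabeled")

# Constructed excerpt of the audit2allow output quoted in the report.
SAMPLE_TE = """module allow_acpid_access_sudo_pactl 1.0;
allow apmd_t pulseaudio_home_t:dir search;
allow apmd_t self:capability { setuid dac_read_search sys_resource setgid net_admin dac_override };
allow apmd_t self:process { setsched setrlimit setcap };
allow apmd_t tmpfs_t:file { write getattr read create unlink open };
#!!!! The file '/run/user/1000/pulse/native' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/user/1000/pulse/native
allow apmd_t unconfined_t:unix_stream_socket connectto;
allow apmd_t user_tmp_t:sock_file write;
"""

def parse_te(text):
    """Return (rules, mislabeled_paths); a rule is (source, target, class, perms)."""
    rules, mislabeled = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := ALLOW_RE.match(line):
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
        elif m := MISLABEL_RE.match(line):
            mislabeled.append(m.group(1))
    return rules, mislabeled

def review(text):
    """List the grants a reviewer should question before running semodule -i."""
    rules, mislabeled = parse_te(text)
    findings = []
    for src, tgt, cls, perms in rules:
        if cls == "capability" and tgt == "self" and perms & RISKY_CAPS:
            findings.append(f"{src}: capabilities {sorted(perms & RISKY_CAPS)}")
        if cls == "unix_stream_socket" and "connectto" in perms and tgt == "unconfined_t":
            findings.append(f"{src}: connectto on unconfined_t sockets")
    for path in mislabeled:
        findings.append(f"relabel {path} (restorecon) and re-run audit2allow first")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_TE):
        print(finding)
```

Fixing the label reported by audit2allow and regenerating the module is the cheaper first step; the rules that remain afterwards are the ones worth keeping in the local policy.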
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.