Hi! As of Fedora 38 running applications via SELinux "sandbox" does not support audio anymore. For example, attempting to run 'mpg123' in a sandboxed xterm now fails with a <snip> [src/libout123/modules/alsa.c:open_alsa():181] error: cannot open device default [src/libout123/libout123.c:check_output_module():947] error: Module 'alsa' device open failed. [src/libout123/libout123.c:out123_open():439] error: Found no driver out of [alsa] working with device <default>. main: [src/mpg123.c:check_fatal_output():334] error: out123 error 3: failure loading driver module <snap> It appears that "sandbox" is not permitted to sufficiently communicate with dbus anymore, as the following log is observed when executing applications (such as mpg123 or firefox) via sandbox: <snip> Jun 13 13:00:10 xxxxxxxxx.xxxxxxxxxxx dbus-broker[2243]: A security policy denied :1.365 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1. Jun 13 13:00:10 xxxxxxxxx.xxxxxxxxxxx dbus-broker[2243]: A security policy denied :1.365 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1. <snap> The sandboxed applications are invoked via "sandbox -X -t sandbox_net_t -t sandbox_web_t <command>". The observed issue is consistent with other reports in the community such as "SElinux sandboxed firefox has no audio playback in Fedora 38" [1] or "SELinux sandboxed firefox has no audio" [2]. Cheers, Timo [1] https://www.reddit.com/r/Fedora/comments/13ftmpk/selinux_sandboxed_firefox_has_no_audio_playback/ [2] https://unix.stackexchange.com/questions/747029/selinux-sandboxed-firefox-has-no-audio Reproducible: Always Steps to Reproduce: 1. Open a terminal. 2. Run "sandbox -X -t sandbox_net_t -t sandbox_web_t xterm" and run "mpg123 file.mp3" within Sandbox, OR 2.1 Run "sandbox -X -t sandbox_net_t -t sandbox_web_t firefox" and open a Youtube video. Actual Results: No sound. Errors observed: <snip> [src/libout123/modules/alsa.c:open_alsa():181] error: cannot open device default [src/libout123/libout123.c:check_output_module():947] error: Module 'alsa' device open failed. [src/libout123/libout123.c:out123_open():439] error: Found no driver out of [alsa] working with device <default>. main: [src/mpg123.c:check_fatal_output():334] error: out123 error 3: failure loading driver module <snap> It appears that "sandbox" is not permitted to sufficiently communicate with dbus anymore, as the following log is observed when executing applications (such as mpg123 or firefox) via sandbox: <snip> Jun 13 13:00:10 xxxxxxxxx.xxxxxxxxxxx dbus-broker[2243]: A security policy denied :1.365 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1. Jun 13 13:00:10 xxxxxxxxx.xxxxxxxxxxx dbus-broker[2243]: A security policy denied :1.365 to send method call /org/freedesktop/RealtimeKit1:org.freedesktop.DBus.Properties.Get to org.freedesktop.RealtimeKit1. <snap> Expected Results: SELinux sandboxed applications able to communicate with audio device (i.e. appropriate dbus permissions).
Timo, We hardly ever remove existing permissions in selinux-policy. Can you track down on which system the same scenario was working, e.g. F37, and if it was dependent on some other components version? Can you also share AVC denials you get? Does the same scenario work in SELinux permissive mode?
Hi Zdenek, It happens on a vanilla, freshly installed F38 desktop with all the latest updates (and recently on F37 as well, with all the latest updates). I have no meaningful AVC denials to share at this point - not sure where to start troubleshooting. In essence what's described here: https://www.reddit.com/r/Fedora/comments/13ftmpk/selinux_sandboxed_firefox_has_no_audio_playback/ https://unix.stackexchange.com/questions/747029/selinux-sandboxed-firefox-has-no-audio Cheers, Timo
Timo, We need to see AVC denials from audit logs or journal to move further. Are you sure this is SELinux related? If yes, you can try to disable dontaudit rules: # semodule -DB <reproduce> # semodule -B # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.