Bug 2290363 - Pulseaudio is denied mapping a file in /run/pulse
Summary: Pulseaudio is denied mapping a file in /run/pulse
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: Unspecified
OS: Unspecified
low
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-06-04 12:13 UTC by Göran Uddeborg
Modified: 2024-06-12 01:11 UTC

Fixed In Version: selinux-policy-40.22-1.fc40
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-06-12 01:11:39 UTC
Type: Bug
Embargoed:


Attachments
My service file to start the pulseaudio server (331 bytes, text/x-systemd-unit)
2024-06-04 12:13 UTC, Göran Uddeborg


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| Github | fedora-selinux selinux-policy pull 2148 | 0 | None | open | Allow pulseaudio map its runtime files | 2024-06-04 14:10:02 UTC |

Description Göran Uddeborg 2024-06-04 12:13:47 UTC
Created attachment 2036251
My service file to start the pulseaudio server

Description of problem:
I have what you could call a "sound server". It is a machine having a USB sound device that other machines in the local network can connect to and play on. I do this by starting the pulseaudio server in "system mode".

Doing so, I get the error that SELinux prevents "alsa-sink-USB A" from the map access on a file named /run/pulse/orcexec.Tw9Ifn. (The last 6 characters of course vary for each execution.)

Version-Release number of selected component (if applicable):
pulseaudio-16.1-7.fc40.x86_64
selinux-policy-targeted-40.20-1.fc40.noarch


How reproducible:
Every start

Steps to Reproduce:
1. Activate pulseaudio in system mode via systemd (my service file is attached)

Actual results:
type=AVC msg=audit(1717356971.313:861): avc:  denied  { map } for  pid=831 comm=616C73612D73696E6B2D5553422041 path=2F72756E2F70756C73652F6F7263657865632E54773949666E202864656C6574656429 dev="tmpfs" ino=2349 scontext=system_u:system_r:pulseaudio_t:s0 tcontext=system_u:object_r:pulseaudio_var_run_t:s0 tclass=file permissive=0

Expected results:
No avc violations.

Additional info:
orcexec files are apparently created using liborc to make some JIT code. It seems to make sense for pulseaudio_t to be able to map files it has generated when they have the type pulseaudio_var_run_t.
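
The audit subsystem hex-encodes `comm` and `path` when they contain spaces, which is why the AVC record above is hard to read. The following is an added example, not part of the original report or of the selinux-policy project: it decodes those fields from the record quoted above and derives an audit2allow-style rule from it. The function names are illustrative, and the rule text is derived from the record only, not taken from the linked pull request.

```python
import re

# AVC record copied from the "Actual results" section of this report.
AVC_LINE = (
    'type=AVC msg=audit(1717356971.313:861): avc:  denied  { map } for  pid=831 '
    'comm=616C73612D73696E6B2D5553422041 '
    'path=2F72756E2F70756C73652F6F7263657865632E54773949666E202864656C6574656429 '
    'dev="tmpfs" ino=2349 scontext=system_u:system_r:pulseaudio_t:s0 '
    'tcontext=system_u:object_r:pulseaudio_var_run_t:s0 tclass=file permissive=0'
)

# Only these fields carry untrusted strings; numeric fields such as ino=2349
# also look like hex and must never be decoded.
ENCODED_FIELDS = {'comm', 'exe', 'path', 'name'}
HEX_RE = re.compile(r'(?:[0-9A-F]{2})+')

def decode_value(raw):
    """Return the string behind a quoted or bare-hex audit value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw

def parse_avc(line):
    """Split one AVC record into a dict, decoding hex-encoded fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, raw in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = decode_value(raw) if key in ENCODED_FIELDS else raw.strip('"')
    return rec

def context_type(context):
    # A context is user:role:type:level; the level may contain further colons.
    return context.split(':')[2]

def allow_rule(rec):
    """Build the narrowest allow rule covering exactly this denial."""
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (context_type(rec['scontext']),
                                   context_type(rec['tcontext']),
                                   rec['tclass'], perm_text)

if __name__ == '__main__':
    record = parse_avc(AVC_LINE)
    print(record['comm'], '|', record['path'])
    print(allow_rule(record))
```

The decoded path ends in "(deleted)": the file had already been unlinked when it was mapped, so the rule is keyed on the `pulseaudio_var_run_t` type rather than on a path.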

Comment 1 Zdenek Pytela 2024-06-04 14:10:03 UTC
Makes sense to allow it as all other permissions are already there.

Comment 2 Fedora Update System 2024-06-10 10:44:22 UTC
FEDORA-2024-9fae7e7b23 (selinux-policy-40.22-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-9fae7e7b23

Comment 3 Fedora Update System 2024-06-11 04:16:01 UTC
FEDORA-2024-9fae7e7b23 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-9fae7e7b23`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-9fae7e7b23

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2024-06-12 01:11:39 UTC
FEDORA-2024-9fae7e7b23 (selinux-policy-40.22-1.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

