Bug 375241 - SELinux is preventing /usr/bin/sox (xdm_t) "read" to (sound_device_t)
SELinux is preventing /usr/bin/sox (xdm_t) "read" to (sound_device_t)
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-11-10 19:49 EST by John
Modified: 2008-01-30 14:19 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:19:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description John 2007-11-10 19:49:01 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20071030 Fedora/ Firefox/

Description of problem:
    SELinux is preventing /usr/bin/sox (xdm_t) "read" to <Unknown>

Detailed Description
    SELinux denied access requested by /usr/bin/sox. It is not expected that
    this access is required by /usr/bin/sox and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sound_device_t:s0
Target Objects                None [ chr_file ]
Affected RPM Packages         sox-13.0.0-3.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     heatherb.hedntay.com
Platform                      Linux heatherb.hedntay.com 2.6.21-2950.fc8xen #1
                              SMP Tue Oct 23 12:24:34 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Sat 10 Nov 2007 01:21:05 PM PST
Last Seen                     Sat 10 Nov 2007 01:21:05 PM PST
Local ID                      9aa0e848-e49b-45fb-8556-9cbfd5573b24
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=play dev=tmpfs egid=0 euid=0 exe=/usr/bin/sox
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=controlC0 pid=2928
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=chr_file
tcontext=system_u:object_r:sound_device_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Call anything that uses sound

Actual Results:
get message in summary and no sound allowed

Expected Results:
a beep a sound of some kind

Additional info:
System working, just no sound
Comment 1 John 2007-11-10 20:02:54 EST
Steps to Reproduce should read:
1. Call firefox

...but calling anything that uses sound also gives SELinux alert
Comment 2 Daniel Walsh 2007-11-12 10:40:30 EST
What is the context that you are logged in as?

id -Z

If it is xdm_t, you look to have a very badly labeled system.

touch /.autorelabel; reboot 

should clean it up.

Comment 3 John 2007-11-12 13:21:56 EST
Tried 1. updating software
      2. suggestion in comment #2

Neither solved problem.

Sound card detection sees card and test works, however when trying to click on 
preferences in speaker icon on panel, says it does not see card.
Comment 4 Daniel Walsh 2007-11-12 18:19:28 EST
Are you still seeing avc's?  Please attach /var/log/audit/audit.log?

If you put the machine in permissive mode does the sound work?
Comment 5 John 2007-11-13 01:48:25 EST
no audit.log in that dir.

sound still does not work in permissive mode

Comment 6 Daniel Walsh 2007-11-13 15:36:38 EST
I think SELinux is not the problem here as far as sound working on your machine.

I will allow xdm to read/write the sound device 

Fixed in selinux-policy-3.0.8-54.fc8
Comment 7 Daniel Walsh 2008-01-30 14:19:20 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.