Bug 438215 - pulseaudio being setuid is a problem for SELinux.
Summary: pulseaudio being setuid is a problem for SELinux.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: pulseaudio
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Lennart Poettering
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 439313
Depends On:
Blocks:
 
Reported: 2008-03-19 18:20 UTC by Daniel Walsh
Modified: 2018-04-11 15:55 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-06-29 14:15:11 UTC
Type: ---
Embargoed:



Description Daniel Walsh 2008-03-19 18:20:37 UTC
Description of problem:

Is there any reason why this app is setuid by default?  Is this still necessary?
Unprivileged logins and programs like gdm are starting to run pulseaudio, and I
don't want to give these types setuid privileges just to play sound.

Comment 1 Daniel Walsh 2008-03-19 18:23:35 UTC
SELinux errors.

Raw AVCs:

type=AVC msg=audit(1205942922.741:13): avc:  denied  { getcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.741:13): arch=40000003 syscall=184
success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942922.744:14): avc:  denied  { setcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.744:14): arch=40000003 syscall=185
success=no exit=-13 a0=8b0a45c a1=8b0a464 a2=9340f0 a3=8b0a45c items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942922.849:15): avc:  denied  { getcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.849:15): arch=40000003 syscall=184
success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942923.073:16): avc:  denied  { getcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942923.073:16): arch=40000003 syscall=184
success=no exit=-13 a0=8b0b334 a1=0 a2=9340f0 a3=8b0b330 items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942923.073:17): avc:  denied  { setcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942923.073:17): arch=40000003 syscall=185
success=no exit=-13 a0=8b0b334 a1=8b0b33c a2=9340f0 a3=0 items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942923.844:18): avc:  denied  { read } for
pid=2690 comm="pulseaudio" name="default.conf" dev=dm-0 ino=11075891
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.844:18): arch=40000003 syscall=5
success=no exit=-13 a0=8b1ded8 a1=0 a2=1b6 a3=0 items=0 ppid=1
pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942923.936:19): avc:  denied  { write } for
pid=2690 comm="pulseaudio" path="anon_inode:[eventfd]"
dev=anon_inodefs ino=138
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.936:19): arch=40000003 syscall=4
success=no exit=-13 a0=c a1=bfc4fff8 a2=8 a3=8b149b8 items=0 ppid=1
pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)

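The records above are easier to reason about once the AVC and SYSCALL lines that share an audit serial are put back together, because the SYSCALL half carries the credentials: the first getcap/setcap denials happen with uid=42 but euid=0 (the setuid binary still holds root), the later ones after PulseAudio has dropped to euid=42. The parser below is an example added for this bug report, not PulseAudio or Fedora code. It takes three of the records from comment 1 re-joined onto one line per record as auditd writes them, correlates them by serial, flags the ones made while still root, and emits audit2allow-style rules of the kind an admin would then decide to allow or dontaudit. The i386 syscall-number table is a subset added for these records; the rule generation is this example's own, not the audit2allow tool.

```python
"""Correlate raw SELinux AVC/SYSCALL audit records by serial and summarize them.

Example added for this bug report (not code from PulseAudio or Fedora). The
sample records are the first getcap denial (euid=0), the later getcap denial
after PulseAudio dropped root (euid=42) and the default.conf read denial quoted
in comment 1, re-joined onto one line per record as auditd writes them.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1205942922.741:13): avc:  denied  { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.741:13): arch=40000003 syscall=184 success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942922.849:15): avc:  denied  { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.849:15): arch=40000003 syscall=184 success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.844:18): avc:  denied  { read } for pid=2690 comm="pulseaudio" name="default.conf" dev=dm-0 ino=11075891 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.844:18): arch=40000003 syscall=5 success=no exit=-13 a0=8b1ded8 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

# Subset of the i386 syscall table (arch=40000003), enough for these records.
I386_SYSCALLS = {4: "write", 5: "open", 184: "capget", 185: "capset"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")


def parse_fields(line):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial number.

    Returns {serial: event}; each event carries the denied permissions, the
    source/target contexts and the credentials of the calling process.
    """
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = parse_fields(line)
        ev = events[int(m.group(2))]
        ev.setdefault("time", float(m.group(1)))
        if fields["type"] == "AVC":
            ev["perms"] = sorted(PERMS_RE.search(line).group(1).split())
            ev["scontext"], ev["tcontext"] = fields["scontext"], fields["tcontext"]
            ev["tclass"] = fields["tclass"]
            ev["source_type"] = fields["scontext"].split(":")[2]
            ev["target_type"] = fields["tcontext"].split(":")[2]
            for k in ("comm", "name", "path"):
                if k in fields:
                    ev[k] = fields[k]
        elif fields["type"] == "SYSCALL":
            for k in ("uid", "euid", "suid", "fsuid"):
                ev[k] = int(fields[k])
            ev["exe"] = fields["exe"]
            ev["syscall"] = I386_SYSCALLS.get(int(fields["syscall"]), fields["syscall"])
            # setuid-inherited privilege: real uid unprivileged, effective uid root
            ev["privileged"] = ev["euid"] == 0 and ev["uid"] != 0
    return dict(events)


def privilege_timeline(events):
    """Serials at which the process was still running with a root euid."""
    return [s for s, ev in sorted(events.items()) if ev.get("privileged")]


def suggest_rules(events):
    """Build audit2allow-style allow rules, one per (source, target, class).

    Where source and target type coincide the rule uses 'self', as the
    getcap/setcap denials on xdm_t above would produce. Whether to allow or
    to dontaudit such a rule is the policy decision discussed in comment 10.
    """
    perms = defaultdict(set)
    for ev in events.values():
        if "perms" not in ev:
            continue
        target = "self" if ev["source_type"] == ev["target_type"] else ev["target_type"]
        perms[(ev["source_type"], target, ev["tclass"])].update(ev["perms"])
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(ps))} }};"
        for (src, tgt, cls), ps in perms.items()
    )


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT_LOG)
    for serial, ev in sorted(evs.items()):
        print(f"{serial}: {ev['syscall']} denied {ev['perms']} on {ev['tclass']} "
              f"uid={ev['uid']} euid={ev['euid']} still_root={ev['privileged']}")
    print("serials issued while still root:", privilege_timeline(evs))
    for rule in suggest_rules(evs):
        print(rule)
```

Run against a full audit.log the same correlation shows where a setuid helper gives up root and which denials happened before that point; those are the ones that matter for the "pulseaudio has the ability to do things as root" argument in comment 12, while the later ones are ordinary confined-user denials.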


Comment 2 Daniel Walsh 2008-03-19 18:24:20 UTC
This is what gets written to /var/log/messages

Raw AVCs:

type=AVC msg=audit(1205942922.741:13): avc:  denied  { getcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.741:13): arch=40000003 syscall=184
success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942922.744:14): avc:  denied  { setcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.744:14): arch=40000003 syscall=185
success=no exit=-13 a0=8b0a45c a1=8b0a464 a2=9340f0 a3=8b0a45c items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942922.849:15): avc:  denied  { getcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.849:15): arch=40000003 syscall=184
success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942923.073:16): avc:  denied  { getcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942923.073:16): arch=40000003 syscall=184
success=no exit=-13 a0=8b0b334 a1=0 a2=9340f0 a3=8b0b330 items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942923.073:17): avc:  denied  { setcap } for
pid=2690 comm="pulseaudio"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942923.073:17): arch=40000003 syscall=185
success=no exit=-13 a0=8b0b334 a1=8b0b33c a2=9340f0 a3=0 items=0
ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942923.844:18): avc:  denied  { read } for
pid=2690 comm="pulseaudio" name="default.conf" dev=dm-0 ino=11075891
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.844:18): arch=40000003 syscall=5
success=no exit=-13 a0=8b1ded8 a1=0 a2=1b6 a3=0 items=0 ppid=1
pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1205942923.936:19): avc:  denied  { write } for
pid=2690 comm="pulseaudio" path="anon_inode:[eventfd]"
dev=anon_inodefs ino=138
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.936:19): arch=40000003 syscall=4
success=no exit=-13 a0=c a1=bfc4fff8 a2=8 a3=8b149b8 items=0 ppid=1
pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio"
exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
key=(null)



And sound seems to work...

Comment 3 Lubomir Kundrak 2008-03-19 21:08:27 UTC
Dan: The reason is that it attempts to use RT priority.

I had already expressed an opinion that this is a bad security practice and
that it is not needed for most uses. I had been proposing the setuid bit removal
and relying on limits.conf for RT priority limits instead.

Setting as a F9Blocker until we get either positive or negative (with
explanation) reply, and I'll try to ping Lennart as I am aware that he doesn't
have much time for Bugzilla tickets.

Comment 4 Lennart Poettering 2008-03-28 17:46:45 UTC
The difference between setting PA suid root and generally increasing the rlimit
with limits.conf is that the latter will allow users to get rtprio for *all*
their processes, while the former only opens rtprio for PA and nothing else. 

This distinction is not overly important however, because as soon as PA has gained
RT and dropped root, it becomes a process like any other owned by the user which
then might be used to leak rtprio to other processes.

Then, having this SUID stuff in place also enables us to hook into policykit in
a sane way.

In the long run we can hopefully drop support for rt sched and instead rely on
(the much less security relevant) isochronous scheduling, but that's not
available in the kernel yet.

I'd like to keep the current SUIDness of PA the way it is, until we can get rid
of it in a sane way by either having the ability to sanely supervise RT
processes or we get isochronous sched.

Comment 5 Lennart Poettering 2008-03-28 18:00:10 UTC
An alternative would be to add the CAP_SYS_NICE file capability to the PA
binary. However, I have no experience with this and if it even works in RPM and
stuff. This would also need some minor changes in the PA startup code because
right now it checks for SUID not for CAP_SYS_NICE.

Comment 6 Ray Strode [halfline] 2008-03-28 19:04:45 UTC
Hi Lennart,

So the situation is

1) gdm greeter can't run setuid binaries
2) gdm greeter wants sound
3) we aren't using pa's rt support in fedora 9, yea?

Given those 3 things (and correct me if you think of any of them are wrong), can
you just remove the setuid binary for f9 and we can revisit for rawhide
immediately after?

Comment 7 Lennart Poettering 2008-03-28 19:27:24 UTC
Oh, I wouldn't claim that "we aren't using pa's rt support in f9". It's just a
matter of toggling a few checkboxes in the polkit gui.

I am not sure I get why SELinux cannot be fixed to allow gdm greeter to run PA
with SUID?

An alternative would be to run PA manually through /lib/ld.so which causes the
SUID bit to be ignored.

Comment 8 Ray Strode [halfline] 2008-03-28 19:38:17 UTC
Dan, can selinux make binaries that would get run setuid run unprivileged (but
still run)?

Comment 9 Lennart Poettering 2008-03-28 20:56:06 UTC
*** Bug 439313 has been marked as a duplicate of this bug. ***

Comment 10 Daniel Walsh 2008-03-28 21:09:21 UTC
Well, this seems to be a circular argument.  You only need policykit if the app
is setuid.  We have somewhat established that most people do not need it setuid.
So why not just ship without setuid and let an admin set it setuid if he really
needs it, in which case he will need the policykit for approval.  The app is
running, which is why it is getting a getcap and setcap failure.  I think
pulseaudio is failing when it gets those failures so it errors out.

xdm currently has setuid because it sets the uid of users,  so pulseaudio gets
to the point of getcap and setcap before it fails.  If pulseaudio would not fail
when it can't getcap/setcap we could dontaudit it and leave the code alone.  I
can allow xdm getcap/setcap for now until pulseaudio gets straightened out.



Comment 11 Lennart Poettering 2008-03-28 23:32:35 UTC
Why is getcap forbidden? Sounds like security through obscurity to me?

Does the SELinux policy forbid calling of setcap in its entirety? What is the
point of that? It should allow calling setcap for lowering the capabilities.



Comment 12 Daniel Walsh 2008-03-29 12:02:28 UTC
Well, now that I think about it more, it is probably more secure to allow
pulseaudio to lower its capabilities.  Since xdm is already setuid, pulseaudio
has the ability to do things as root.

Where as for normal confined users it will not.

Comment 13 Ray Strode [halfline] 2008-03-30 05:10:57 UTC
the gdm greeter doesn't run as root.

Comment 14 Daniel Walsh 2008-03-30 05:27:36 UTC
It has the setuid capability so when it runs a setuid app, the app runs as root.

Comment 15 Ray Strode [halfline] 2008-03-30 14:25:26 UTC
Oh, I get you now.  You mean setuid pulseaudio running as xdm_t runs as root so
should be allowed to drop capabilities.

Comment 16 Lennart Poettering 2008-04-02 16:24:46 UTC
So, what does this mean for our problem now?

Comment 17 Jesse Keating 2008-04-03 18:51:05 UTC
Dan, are things cleared up on the Policy side?

Comment 18 Daniel Walsh 2008-04-04 20:13:48 UTC
It means the policy will allow it, but it should still not be setuid.

Let's fix the problem that is forcing it to be setuid.

Comment 19 Jesse Keating 2008-04-04 20:29:32 UTC
Ok, so if policy is going to allow it for F9, I'm going to remove this from the
Blocker tracker.

Comment 20 Michael Martin 2008-04-05 00:53:58 UTC
Any use of the flash plugin in the stock F9 beta Live spin produces identical
AVC traps.

Comment 21 Daniel Walsh 2008-04-06 09:39:25 UTC
Michael, please report this bug in a separate bugzilla, and I am sure the AVC
messages are not identical.  Flash Plugin is not trying to set capabilities.

Comment 22 Bug Zapper 2008-05-14 06:44:13 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 23 Lennart Poettering 2008-12-18 14:29:34 UTC
BTW, instead of having PA suid we could use file capabilities to give it only CAP_SYS_NICE and nothing else. Not sure what the policy on file caps is on fedora right now, though.
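Comments 5 and 23 propose a file capability carrying only CAP_SYS_NICE instead of setuid root, and comment 14 explains why the setuid route is wide: a domain that may call setuid starts the binary with root's full effective set, and the program holds everything in it until it drops privilege itself. The example below, added here and not PulseAudio or Fedora code, makes that difference measurable. It decodes the CapEff masks that /proc/<pid>/status prints, reports which effective capabilities exceed the single one a realtime audio daemon needs, and checks the setuid bit both from an st_mode and from the `ls -l` column quoted in comment 26. The two status excerpts are constructed sample input (a setuid-root process before dropping, and the same program with only CAP_SYS_NICE); the capability names and bit numbers are those of <linux/capability.h>.

```python
"""Decode Linux capability sets and compare them with what PulseAudio needs.

Example added for this bug report (not PulseAudio or Fedora code). The
/proc status excerpts are constructed sample input; the ls line checked in
main() is the one quoted in comment 26.
"""
import stat

# Capability numbers from <linux/capability.h>; list index == bit position.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
CAP_SYS_NICE = CAP_NAMES.index("cap_sys_nice")  # bit 23

# The one capability realtime scheduling needs (comments 5 and 23).
PULSEAUDIO_NEEDS = {"cap_sys_nice"}

# Constructed /proc/<pid>/status excerpts: a setuid-root process before it
# drops privilege, and the same program granted only CAP_SYS_NICE by a file cap.
STATUS_SETUID_ROOT = ("Uid:\t42\t0\t0\t0\nCapInh:\t0000000000000000\n"
                      "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
                      "CapBnd:\t0000003fffffffff\n")
STATUS_FILECAP_ONLY = ("Uid:\t42\t42\t42\t42\nCapInh:\t0000000000000000\n"
                       "CapPrm:\t0000000000800000\nCapEff:\t0000000000800000\n"
                       "CapBnd:\t0000003fffffffff\n")


def decode_caps(hexmask):
    """Turn a CapEff-style hex mask into a set of capability names."""
    mask = int(hexmask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def encode_caps(names):
    """Inverse of decode_caps, zero-padded to the 16 hex digits /proc prints."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return f"{mask:016x}"


def parse_status(text):
    """Extract the uid quadruple and the capability sets from /proc/<pid>/status."""
    info = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Uid":
            info["uid"], info["euid"], info["suid"], info["fsuid"] = map(int, value.split())
        elif key.startswith("Cap"):
            info[key] = decode_caps(value)
    return info


def excess_caps(status_text, needed=PULSEAUDIO_NEEDS):
    """Effective capabilities the process holds beyond what it needs."""
    return parse_status(status_text)["CapEff"] - set(needed)


def is_setuid(st_mode):
    """True if an st_mode value (as returned by os.stat) carries the setuid bit."""
    return bool(st_mode & stat.S_ISUID)


def ls_is_setuid(ls_line):
    """True if an `ls -l` mode column shows setuid ('s' or 'S' in the owner exec slot)."""
    return ls_line.split()[0][3] in "sS"


if __name__ == "__main__":
    print("setuid root before dropping:", len(excess_caps(STATUS_SETUID_ROOT)), "excess caps")
    print("file capability only:", excess_caps(STATUS_FILECAP_ONLY) or "no excess caps")
    print("comment 26 binary is setuid:",
          ls_is_setuid("-rwsr-xr-x. 1 root root 101328 22. dub 23.04 /usr/bin/pulseaudio"))
    with open("/proc/self/status") as f:  # live check of this interpreter (Linux only)
        print("this process holds:", sorted(parse_status(f.read())["CapEff"]) or "nothing")
```

The file-capability variant corresponds to `setcap cap_sys_nice=ep /usr/bin/pulseaudio` with the setuid bit cleared; `getcap` then shows exactly the one capability the first status excerpt lacks the restraint to limit itself to. It does not remove the leak Lennart describes in comment 4 (an RT-capable process owned by the user can still hand rtprio to other user processes), only the root window before that point.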

Comment 24 Bug Zapper 2009-06-09 23:48:24 UTC
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 25 Daniel Walsh 2009-06-10 10:27:48 UTC
F11: Does pulseaudio still need to be setuid?

Comment 26 Matěj Cepl 2009-06-10 14:31:36 UTC
I don't know if it has to be, but it surely is:

bradford:~$ ls -l /usr/bin/pulseaudio 
-rwsr-xr-x. 1 root root 101328 22. dub 23.04 /usr/bin/pulseaudio
bradford:~$

Comment 27 Lennart Poettering 2009-06-10 16:22:13 UTC
(In reply to comment #25)
> F11: Does pulseaudio still need to be setuid?

Yes

Comment 28 Daniel Walsh 2009-06-10 19:25:24 UTC
Why?

Comment 29 Lennart Poettering 2009-06-10 21:14:23 UTC
(In reply to comment #28)
> Why?  

The reasons haven't changed: so that we can enable realtime scheduling if this is enabled.

Comment 30 Lennart Poettering 2009-06-29 14:15:11 UTC
PA in Rawhide now isn't suid anymore, since it gets rt sched via rtkit, and can hence run entirely unprivileged.

