Description of problem: Is there any reason why this app is setuid by default? Is this still necessary, unprivileged logins and programs like gdm are starting to run pulseaudio, and I don't want to give these types setuid privileges, just to play sound.
SELinux errors. Raw AVCs:
type=AVC msg=audit(1205942922.741:13): avc: denied { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.741:13): arch=40000003 syscall=184 success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942922.744:14): avc: denied { setcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.744:14): arch=40000003 syscall=185 success=no exit=-13 a0=8b0a45c a1=8b0a464 a2=9340f0 a3=8b0a45c items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942922.849:15): avc: denied { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.849:15): arch=40000003 syscall=184 success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.073:16): avc: denied { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942923.073:16): arch=40000003 syscall=184 success=no exit=-13 a0=8b0b334 a1=0 a2=9340f0 a3=8b0b330 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.073:17): avc: denied { setcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942923.073:17): arch=40000003 syscall=185 success=no exit=-13 a0=8b0b334 a1=8b0b33c a2=9340f0 a3=0 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.844:18): avc: denied { read } for pid=2690 comm="pulseaudio" name="default.conf" dev=dm-0 ino=11075891 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.844:18): arch=40000003 syscall=5 success=no exit=-13 a0=8b1ded8 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.936:19): avc: denied { write } for pid=2690 comm="pulseaudio" path="anon_inode:[eventfd]" dev=anon_inodefs ino=138 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.936:19): arch=40000003 syscall=4 success=no exit=-13 a0=c a1=bfc4fff8 a2=8 a3=8b149b8 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
This is what gets written to /var/log/messages. Raw AVCs:
type=AVC msg=audit(1205942922.741:13): avc: denied { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.741:13): arch=40000003 syscall=184 success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942922.744:14): avc: denied { setcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.744:14): arch=40000003 syscall=185 success=no exit=-13 a0=8b0a45c a1=8b0a464 a2=9340f0 a3=8b0a45c items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942922.849:15): avc: denied { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.849:15): arch=40000003 syscall=184 success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.073:16): avc: denied { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942923.073:16): arch=40000003 syscall=184 success=no exit=-13 a0=8b0b334 a1=0 a2=9340f0 a3=8b0b330 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.073:17): avc: denied { setcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942923.073:17): arch=40000003 syscall=185 success=no exit=-13 a0=8b0b334 a1=8b0b33c a2=9340f0 a3=0 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.844:18): avc: denied { read } for pid=2690 comm="pulseaudio" name="default.conf" dev=dm-0 ino=11075891 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.844:18): arch=40000003 syscall=5 success=no exit=-13 a0=8b1ded8 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.936:19): avc: denied { write } for pid=2690 comm="pulseaudio" path="anon_inode:[eventfd]" dev=anon_inodefs ino=138 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.936:19): arch=40000003 syscall=4 success=no exit=-13 a0=c a1=bfc4fff8 a2=8 a3=8b149b8 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
And sound seems to work...
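The AVC/SYSCALL pairs above are easier to reason about once each denial is joined with its syscall record by audit serial number: the pairing shows that the first getcap/setcap denials (serial 13 and 14) happen while pulseaudio still has euid=0 from the setuid bit, and the later ones (15 onward) happen after it has dropped back to uid 42. The following parser is an added example for this report, not code from PulseAudio or from the Fedora SELinux policy; the sample records are copied from the log above and the classification names (`self-capability`, `object-access`) are this example's own labels.

```python
"""Pair Linux audit AVC and SYSCALL records by serial and summarize each denial.

Added example for this bug report; not part of PulseAudio or of the Fedora
SELinux policy. The sample records below are copied from the report itself.
"""
import re
from collections import defaultdict

# Three denials from the report: getcap while still euid=0 (serial 13), getcap
# after dropping to uid 42 (serial 15), and a file read of default.conf (18).
SAMPLE = """\
type=AVC msg=audit(1205942922.741:13): avc: denied { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.741:13): arch=40000003 syscall=184 success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=0 suid=0 fsuid=0 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942922.849:15): avc: denied { getcap } for pid=2690 comm="pulseaudio" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1205942922.849:15): arch=40000003 syscall=184 success=no exit=-13 a0=8b0a45c a1=0 a2=9340f0 a3=8b0a458 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205942923.844:18): avc: denied { read } for pid=2690 comm="pulseaudio" name="default.conf" dev=dm-0 ino=11075891 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1205942923.844:18): arch=40000003 syscall=5 success=no exit=-13 a0=8b1ded8 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2690 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

# Record header: type, timestamp and serial number, then the free-form rest.
MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# Permission list inside the braces of an AVC record.
PERM_RE = re.compile(r"avc: +denied +\{ ([^}]+) \}")
# key=value tokens; values may be quoted (comm="pulseaudio") or bare (tty=(none)).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict for one audit record, or None for non-audit lines."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    rec = {"type": rtype, "serial": int(serial), "time": float(ts)}
    pm = PERM_RE.search(rest)
    if pm:
        rec["denied"] = pm.group(1).split()
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip('"')
    return rec


def group_events(text):
    """Group records by serial: {serial: {"AVC": rec, "SYSCALL": rec}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)


def kind(avc):
    """Label used in this example: a process touching its own capability sets
    versus access to some other object (file, socket, ...)."""
    if avc.get("tclass") == "process" and set(avc.get("denied", [])) <= {"getcap", "setcap"}:
        return "self-capability"
    return "object-access"


def summarize(event):
    """Join an AVC record with its SYSCALL record into one flat summary."""
    avc = event.get("AVC", {})
    sc = event.get("SYSCALL", {})
    uid = int(sc["uid"]) if "uid" in sc else None
    euid = int(sc["euid"]) if "euid" in sc else None
    return {
        "serial": (avc or sc).get("serial"),
        "comm": avc.get("comm") or sc.get("comm"),
        "perms": avc.get("denied", []),
        "tclass": avc.get("tclass"),
        "target": avc.get("name") or avc.get("path") or avc.get("tcontext"),
        "uid": uid,
        "euid": euid,
        # True while a setuid-root transition is still in effect (uid != 0, euid == 0).
        "running_as_root_via_setuid": uid not in (None, 0) and euid == 0,
        "kind": kind(avc),
    }


def report(text):
    """Summaries for every serial in the log, in serial order."""
    return [summarize(ev) for _, ev in sorted(group_events(text).items())]


if __name__ == "__main__":
    for s in report(SAMPLE):
        print("#%d %s %s %s on %s uid=%s euid=%s root-via-setuid=%s" % (
            s["serial"], s["comm"], s["kind"], "/".join(s["perms"]),
            s["target"], s["uid"], s["euid"], s["running_as_root_via_setuid"]))
```

Run against the full report log, the output separates the two getcap/setcap denials made with euid=0 (the ones Dan's later comment about a setuid app under xdm_t refers to) from the identical-looking denials made after root was dropped, which is the distinction the policy decision in this thread turns on.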
Dan: The reason is that it attempts to use RT priority. I had already expressed an opinion that this is a bad security practice and that it is not needed for most uses. I had been proposing the setuid bit removal and relying on limits.conf for RT priority limits instead. Setting as a F9Blocker until we get either positive or negative (with explanation) reply, and I'll try to ping Lennart as I am aware that he doesn't have much time for Bugzilla tickets.
The difference between setting PA suid root and generally increasing the rlimit with limits.conf is that the latter will allow users to get rtprio for *all* their processes, while the former only opens rtprio for PA and nothing else. This distinction is not overly important however, because as soon as PA has gained RT and dropped root, it becomes a process like any other owned by the user which then might be used to leak rtprio to other processes. Then, having this SUID stuff in place also enables us to hook into policykit in a sane way. In the long run we can hopefully drop support for rt sched and instead rely on (the much less security relevant) isochronous scheduling, but that's not available in the kernel yet. I'd like to keep the current SUIDness of PA the way it is, until we can get rid of it in a sane way by either having the ability to sanely supervise RT processes or we get isochronous sched.
An alternative would be to add the CAP_SYS_NICE file capability to the PA binary. However, I have no experience with this and if it even works in RPM and stuff. This would also need some minor changes in the PA startup code because right now it checks for SUID not for CAP_SYS_NICE.
Hi Lennart, So the situation is 1) gdm greeter can't run setuid binaries 2) gdm greeter wants sound 3) we aren't using pa's rt support in fedora 9, yea? Given those 3 things (and correct me if you think of any of them are wrong), can you just remove the setuid binary for f9 and we can revisit for rawhide immediately after?
oh, i wouldn't claim that "we aren't using pa's rt support in f9". It's just a matter of toggling a few checkboxes in the polkit gui. I am not sure I get why SELinux cannot be fixed to allow gdm greeter to run PA with SUID? An alternative would be to run PA manually through /lib/ld.so which causes the SUID bit to be ignored.
Dan, can selinux make binaries that would get run setuid run unprivileged (but still run)?
*** Bug 439313 has been marked as a duplicate of this bug. ***
well this seems to be a circular argument. You only need policykit if the app is setuid. We have somewhat established that most people do not need it setuid. So why not just ship without setuid and let an admin set it setuid if he really needs it, in which case he will need the policykit for approval. The app is running which is why it is getting a getcap and setcap failure. I think pulseaudio is failing when it gets those failures so it errors out. xdm currently has setuid because it sets the uid of users, so pulseaudio gets to the point of getcap and setcap before it fails. If pulseaudio would not fail when it can't getcap/setcap we could dontaudit it and leave the code alone. I can allow xdm getcap/setcap for now until pulseaudio gets straightened out.
Why is getcap forbidden? Sounds like security through obscurity to me? Does the SELinux policy forbid calling of setcap in its entirety? What is the point of that? It should allow calling setcap for lowering the capabilities.
Well now that I think about it more, it is probably more secure to allow pulseaudio to lower its capabilities. Since xdm is already setuid, pulseaudio has the ability to do things as root. Whereas for normal confined users it will not.
the gdm greeter doesn't run as root.
It has the setuid capability so when it runs a setuid app, the app runs as root.
oh i get you now. You mean setuid pulseaudio running as xdm_t runs as root so should be allowed to drop capabilities.
So, what does this mean for our problem now?
Dan, are things cleared up on the Policy side?
It means the policy will allow it, but it should still not be setuid. Let's fix the problem that is forcing it to be setuid.
Ok, so if policy is going to allow it for F9, I'm going to remove this from the Blocker tracker.
Any use of the flash plugin in the stock F9 beta Live spin produces identical AVC traps.
Michael please report this bug in a separate bugzilla. And I am sure the AVC messages are not identical. Flash Plugin is not trying to set capabilities.
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
BTW, instead of having PA suid we could use file capabilities to give it only CAP_SYS_NICE and nothing else. Not sure what the policy on file caps is on fedora right now, though.
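The file-capability alternative raised twice in this thread (CAP_SYS_NICE on the binary instead of the setuid bit) is stored in the `security.capability` extended attribute, and a reviewer can tell the two privilege models apart without running the binary: a setuid-root file starts every exec with full root, while a file-caps binary starts with only the listed capabilities. The decoder below is an added example written for this report, not PulseAudio, Fedora or libcap code; it follows the kernel's `vfs_cap_data` layout (little-endian magic word, then permitted/inheritable word pairs, plus a rootid in revision 3), the xattr bytes it checks are constructed here, and `inspect_path` is this example's own helper for looking at a real file.

```python
"""Decode the security.capability xattr and contrast it with the setuid bit.

Added example for this bug report; not PulseAudio, Fedora or libcap code.
Layout constants follow the kernel's struct vfs_cap_data / vfs_ns_cap_data.
"""
import os
import stat
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # effective bit lives in magic_etc
VFS_CAP_REVISION_1 = 0x01000000      # one 32-bit word per set
VFS_CAP_REVISION_2 = 0x02000000      # two words per set (64 capabilities)
VFS_CAP_REVISION_3 = 0x03000000      # revision 2 plus a rootid (user namespaces)

CAP_SYS_NICE = 23
CAP_NAMES = {
    7: "cap_setuid", 8: "cap_setpcap", 12: "cap_net_admin", 13: "cap_net_raw",
    19: "cap_sys_ptrace", 21: "cap_sys_admin", 23: "cap_sys_nice",
    24: "cap_sys_resource", 27: "cap_mknod", 31: "cap_setfcap",
}


def cap_name(n):
    return CAP_NAMES.get(n, "cap_%d" % n)


def _bits(mask):
    return [n for n in range(64) if (mask >> n) & 1]


def encode_vfs_cap(permitted, inheritable=(), effective=True):
    """Build a revision-2 security.capability blob (20 bytes) from cap numbers."""
    pm = sum(1 << n for n in permitted)
    im = sum(1 << n for n in inheritable)
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, pm & 0xFFFFFFFF, im & 0xFFFFFFFF, pm >> 32, im >> 32)


def decode_vfs_cap(blob):
    """Parse revision 1, 2 or 3 blobs into sets of capability numbers."""
    if len(blob) < 12:
        raise ValueError("security.capability too short: %d bytes" % len(blob))
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    rootid = None
    if rev == VFS_CAP_REVISION_1:
        permitted, inheritable = struct.unpack_from("<II", blob, 4)
    elif rev in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        if len(blob) < 20:
            raise ValueError("truncated revision %d blob" % (rev >> 24))
        p0, i0, p1, i1 = struct.unpack_from("<IIII", blob, 4)
        permitted = p0 | (p1 << 32)
        inheritable = i0 | (i1 << 32)
        if rev == VFS_CAP_REVISION_3:
            if len(blob) < 24:
                raise ValueError("revision 3 blob without rootid")
            rootid = struct.unpack_from("<I", blob, 20)[0]
    else:
        raise ValueError("unknown security.capability revision 0x%08x" % magic)
    return {
        "revision": rev >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _bits(permitted),
        "inheritable": _bits(inheritable),
        "rootid": rootid,
    }


def classify(st_mode, st_uid, cap_blob):
    """Which privilege model a binary uses at exec time.

    Returns (model, capability names). A setuid bit owned by uid 0 means full
    root; a security.capability xattr means only the listed capabilities.
    """
    if st_mode & stat.S_ISUID:
        return ("setuid-root" if st_uid == 0 else "setuid-user", [])
    if cap_blob:
        caps = decode_vfs_cap(cap_blob)
        return ("file-caps", [cap_name(n) for n in caps["permitted"]])
    return ("unprivileged", [])


def inspect_path(path):
    """Classify a real file; the xattr is absent on ordinary binaries (ENODATA)."""
    st = os.stat(path)
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:
        blob = b""
    return classify(st.st_mode, st.st_uid, blob)


# Constructed blob: what `setcap cap_sys_nice=ep` would store.
SAMPLE_BLOB = encode_vfs_cap([CAP_SYS_NICE])

if __name__ == "__main__":
    print(classify(0o104755, 0, b""))          # -rwsr-xr-x root: setuid-root
    print(classify(0o100755, 0, SAMPLE_BLOB))  # file caps: cap_sys_nice only
```

The `-rwsr-xr-x root root` listing later in this thread corresponds to the first case (`setuid-root`, all of root's capabilities until the program drops them); the alternative Lennart describes corresponds to the second, where the kernel hands the process `cap_sys_nice` and nothing else, so there is no root window to audit in the first place.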
This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
F11 Does pulseaudio still need to be setuid?
I don't know if it has to be, but it surely is:
bradford:~$ ls -l /usr/bin/pulseaudio
-rwsr-xr-x. 1 root root 101328 22. dub 23.04 /usr/bin/pulseaudio
bradford:~$
(In reply to comment #25)
> F11 Does pulseaudio still need to be setuid?
Yes
Why?
(In reply to comment #28)
> Why?
The reasons haven't changed: so that we can enable realtime scheduling if this is enabled.
PA in Rawhide now isn't suid anymore, since it gets rt sched via rtkit, and can hence run entirely unprivileged.