Description of problem:
- staff can't read /etc/mplayer/mplayer.conf (mplayer_etc_t)
- staff does not run mplayer in its domain (per role template not called)
- per role template is missing a require (mplayer_etc_t)
- once staff runs mplayer in its domain, mplayer cannot run due to:
  The flip-hebrew option can't be used in a config file.
  Error parsing option flip-hebrew=no at line 133
  If you comment out that directive in /etc/mplayer/mplayer.conf it runs.

How reproducible:
- try to read mplayer_etc_t as staff_t
- notice you cannot run mplayer in its domain (per role template is not called)
- in the per role template for mplayer (mplayer.if), in the gen_require block there is no type mplayer_etc_t and therefore the module does not compile if it is called (error)
- once everything does run, mplayer quits because there is a directive in /etc/mplayer/mplayer.conf that is not allowed there (if you comment that directive out it works)

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
After that there are some more issues, for example I had to add:

dev_read_urand($1_mplayer_t)

and after that it wanted to connect to pulseaudio (/tmp/pulse-dgrift1/native), but that is a userdomain type object:

type=AVC msg=audit(1208774477.818:8367): avc: denied { write } for pid=11347 comm="mplayer" name="native" dev=dm-1 ino=2842708 scontext=staff_u:staff_r:staff_mplayer_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file

Without that this mplayer works, but without pa I think, as I get some error output:

E: shm.c: shm_open() failed: Function not implemented
*** PULSEAUDIO: Unable to connect: Connection refused
*** Is your sound server running?
*** See: http://www.pulseaudio.org/wiki/Troubleshooting
[AO_ALSA] Playback open error: Connection refused
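
Added example, not part of the original report or of the policy's own code: a short Python parser that reads the AVC record quoted in the comment above and derives the raw type-enforcement rule it corresponds to, in the form audit2allow reports. The function names are this example's own, and the rule only restates the denial; it is not the fix that went into the policy.

```python
import re

# AVC record copied from the comment above.
AVC = ('type=AVC msg=audit(1208774477.818:8367): avc: denied { write } for '
       'pid=11347 comm="mplayer" name="native" dev=dm-1 ino=2842708 '
       'scontext=staff_u:staff_r:staff_mplayer_t:s0 '
       'tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')


def parse_avc(line):
    """Split one AVC denial into its permissions and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial record')
    fields = {}
    # Fields are whitespace separated key=value pairs; values may be quoted.
    for token in m.group('rest').split():
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value.strip('"')
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError('missing field: ' + required)
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(context):
    """Return the type from user:role:type[:range]; the range may hold ':'."""
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError('malformed security context: ' + context)
    return parts[2]


def te_rule(record):
    """Build the allow rule that would cover exactly this denial."""
    perms = record['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (context_type(record['scontext']),
                                   context_type(record['tcontext']),
                                   record['tclass'], perm_text)


if __name__ == '__main__':
    print(te_rule(parse_avc(AVC)))
```
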
Fixed in selinux-policy-3.3.1-37.fc9.noarch