Bug 546030 - SELinux is preventing the /usr/bin/pulseaudio from using potentially mislabeled files (autospawn.lock).
Summary: SELinux is preventing the /usr/bin/pulseaudio from using potentially mislabel...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:ef1dca0c1bd...
Depends On:
TreeView+ depends on / blocked
Reported: 2009-12-09 20:25 UTC by herra_pilvinen
Modified: 2010-02-11 14:40 UTC (History)
5 users (show)

Fixed In Version: 3.6.32-84.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-02-11 14:40:19 UTC

Attachments (Terms of Use)

Description herra_pilvinen 2009-12-09 20:25:38 UTC

SELinux is preventing the /usr/bin/pulseaudio from using potentially mislabeled
files (autospawn.lock).

Yksityiskohtainen kuvaus:

SELinux has denied pulseaudio access to potentially mislabeled file(s)
(autospawn.lock). This means that SELinux will not allow pulseaudio to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Sallitaan pääsy:

If you want pulseaudio to access this files, you need to relabel them using
restorecon -v 'autospawn.lock'. You might want to relabel the entire directory
using restorecon -R -v ''.


Lähdekonteksti               system_u:system_r:xdm_t:s0-s0:c0.c1023
Kohdekonteksti                system_u:object_r:user_tmp_t:s0
Kohdeobjektit                 autospawn.lock [ file ]
Lähde                        pulseaudio
Lähteen polku                /usr/bin/pulseaudio
Portti                        <Tuntematon>
Kone                          (removed)
Lähteen RPM-paketit          pulseaudio-0.9.21-1.fc12
Kohteen RPM-paketit           
Käytännön RPM              selinux-policy-3.6.32-49.fc12
SELinux käytössä           True
Käytännön tyyppi           targeted
Toimeenpanotila               Enforcing
Liitännäisen nimi           home_tmp_bad_labels
Konenimi                      (removed)
Alusta                        Linux Uneksija #1 SMP Sat
                              Nov 7 21:11:14 EST 2009 x86_64 x86_64
Varoitusten määrä          1
Ensimmäinen                  la  5. joulukuuta 2009 23.44.12
Viimeisin                     la  5. joulukuuta 2009 23.44.12
Paikallinen tunniste          cdbf4382-b8c8-4c76-b299-65c3ee9a7174

Muokkaamattomat tarkastusvies 

node=Uneksija type=AVC msg=audit(1260049452.452:6): avc:  denied  { create } for  pid=1649 comm="pulseaudio" name="autospawn.lock" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file

node=Uneksija type=SYSCALL msg=audit(1260049452.452:6): arch=c000003e syscall=2 success=no exit=-13 a0=7f63200009a0 a1=20142 a2=180 a3=fffffff2 items=0 ppid=1639 pid=1649 auid=4294967295 uid=42 gid=473 euid=42 suid=42 fsuid=42 egid=473 sgid=473 fsgid=473 tty=(none) ses=4294967295 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-49.fc12,home_tmp_bad_labels,pulseaudio,xdm_t,user_tmp_t,file,create
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t user_tmp_t:file create;

Comment 1 Daniel Walsh 2009-12-09 21:25:22 UTC
Are you logged in as the context xdm_t?

id -Z

Comment 2 Daniel Walsh 2009-12-09 21:58:42 UTC
THis looks like pulseaudit is trying to create autospawn.lock in a directory previosly created by a user?

Comment 3 Ray Strode [halfline] 2009-12-09 22:25:44 UTC
seems unlikely quickly browsing the code.

I see something like

k = pa_sprintf_malloc("%s/%s-runtime", get_pulse_home (), get_machine_id ());

so it doesn't seem like a dir a user would create

But I don't know how this stuff works, cc'ing lennart

Comment 4 Lennart Poettering 2009-12-17 15:04:19 UTC
hmm, we create that lock file in a dir in /tmp. The name of that dir is randomly chosen, and verified to belong to us, so it should be set up properly.

Comment 5 Daniel Walsh 2009-12-17 15:52:11 UTC
So the directory is shared between all users of pulseaudio even if pulseaudio is running as root? Versus a non root UID?

Comment 6 Carl G. 2010-01-17 02:59:11 UTC

Fedora Bugzappers volunteer triage team

Comment 7 Daniel Walsh 2010-01-18 16:43:25 UTC
Miroslav, lets just allow this access.


Comment 8 Miroslav Grepl 2010-02-01 13:16:17 UTC
Fixed in selinux-policy-3.6.32-80.fc12

Comment 9 Fedora Update System 2010-02-03 23:18:16 UTC
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12.

Comment 10 Fedora Update System 2010-02-05 01:42:41 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

Comment 11 Fedora Update System 2010-02-11 14:35:22 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.