Summary:

SELinux is preventing /usr/bin/metacity "connectto" access on /var/run/pulse/native.

Detailed Description:

SELinux denied access requested by metacity. It is not expected that this access is required by metacity and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0
Target Objects                /var/run/pulse/native [ unix_stream_socket ]
Source                        metacity
Source Path                   /usr/bin/metacity
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           metacity-2.28.0-14.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-84.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.7-41.fc12.x86_64 #1 SMP Wed Feb 3 21:08:10 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 12 Feb 2010 10:11:08 AM CET
Last Seen                     Fri 12 Feb 2010 10:11:08 AM CET
Local ID                      934f019a-ee38-45cc-88e7-b82a90ffa535
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1265965868.752:36612): avc: denied { connectto } for pid=2654 comm="metacity" path="/var/run/pulse/native" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
node=(removed) type=SYSCALL msg=audit(1265965868.752:36612): arch=c000003e syscall=42 success=no exit=-13 a0=14 a1=7fffb7e61770 a2=6e a3=7fffb7e616bc items=0 ppid=2622 pid=2654 auid=4294967295 uid=42 gid=469 euid=42 suid=42 fsuid=42 egid=469 sgid=469 fsgid=469 tty=(none) ses=4294967295 comm="metacity" exe="/usr/bin/metacity" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-84.fc12,catchall,metacity,xdm_t,initrc_t,unix_stream_socket,connectto
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t initrc_t:unix_stream_socket connectto;
Is pulseaudio running as initrc_t domain?

ps -eZ | grep initrc_t
(In reply to comment #1)
> Is pulseaudio running as initrc_t domain?
>
> ps -eZ | grep initrc_t

Yes. I use a system-wide pulseaudio server, because Linux is a multiuser operating system.

ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0    2476 ?        00:00:33 pulseaudio
system_u:system_r:initrc_t:s0    2514 ?        00:00:43 mpd
Looks like we need init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
Actually I think this is started by dbus

dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
Yes, it looks so. Fixed in selinux-policy-3.6.32-90.fc12
*** Bug 566997 has been marked as a duplicate of this bug. ***
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
Stop! This problem is ~ same:

Summary:

SELinux is preventing /usr/bin/canberra-gtk-play "connectto" access on /var/run/pulse/native.

Detailed Description:

SELinux denied access requested by canberra-gtk-pl. It is not expected that this access is required by canberra-gtk-pl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0
Target Objects                /var/run/pulse/native [ unix_stream_socket ]
Source                        canberra-gtk-pl
Source Path                   /usr/bin/canberra-gtk-play
Port                          <Unknown>
Host                          deer
Source RPM Packages           libcanberra-gtk2-0.22-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-93.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     deer
Platform                      Linux deer 2.6.32.9-64.fc12.x86_64 #1 SMP Wed Feb 24 02:09:22 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 26 Feb 2010 10:52:36 AM CET
Last Seen                     Fri 26 Feb 2010 10:52:36 AM CET
Local ID                      9340c2ad-92a2-4945-b00c-9e00858d12c8
Line Numbers

Raw Audit Messages

node=deer type=AVC msg=audit(1267177956.932:17844): avc: denied { connectto } for pid=2618 comm="canberra-gtk-pl" path="/var/run/pulse/native" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
node=deer type=SYSCALL msg=audit(1267177956.932:17844): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fff014edc70 a2=6e a3=7fff014edbbc items=0 ppid=2579 pid=2618 auid=4294967295 uid=42 gid=469 euid=42 suid=42 fsuid=42 egid=469 sgid=469 fsgid=469 tty=(none) ses=4294967295 comm="canberra-gtk-pl" exe="/usr/bin/canberra-gtk-play" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Ok, please could you try to add this local module and test it.

# cat > mypulse.te << _EOF
policy_module(mypulse, 1.0)

require {
	type pulseaudio_t;
	type pulseaudio_exec_t;
}

init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
_EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypulse.pp
# semanage permissive -a pulseaudio_t

I would like to know if there are some AVC messages. After this testing run

# semanage permissive -d pulseaudio_t
1. su -
2. /* cat is a very fine text editor... but I use mcedit. ;) */
3. make -f /usr/share/selinux/devel/Makefile
4. semodule -i mypulse.pp
5. semanage permissive -a pulseaudio_t
6. Reboot my machine.
7. SELinux troubleshooter: No alerts to view. :)
8. semanage permissive -d pulseaudio_t
Feb 27 23:00:19 localhost kernel: type=1400 audit(1267308019.526:17941): avc: denied { setuid } for pid=6480 comm="pulseaudio" capability=7 scontext=unconfined_u:system_r:pulseaudio_t:s0 tcontext=unconfined_u:system_r:pulseaudio_t:s0 tclass=capability
Feb 27 23:00:19 localhost kernel: type=1400 audit(1267308019.526:17942): avc: denied { setgid } for pid=6480 comm="pulseaudio" capability=6 scontext=unconfined_u:system_r:pulseaudio_t:s0 tcontext=unconfined_u:system_r:pulseaudio_t:s0 tclass=capability
Feb 27 23:00:19 localhost kernel: type=1400 audit(1267308019.526:17943): avc: denied { sys_nice } for pid=6480 comm="pulseaudio" capability=23 scontext=unconfined_u:system_r:pulseaudio_t:s0 tcontext=unconfined_u:system_r:pulseaudio_t:s0 tclass=capability
service pulse start
Starting System-wide Pulseaudio Server: W: core-util.c: Failed to open configuration file '/root/.pulse//daemon.conf': Permission denied
W: daemon-conf.c: Failed to open configuration file: Permission denied
                                                           [FAILED]
:((
My brute-force workaround: I use the selinux=0 kernel parameter. :-/ Please help me, what shall I do? I would like to start the pulseaudio server daemon. I am able to use it without SELinux, but I want to use it with SELinux.
enforcing=0 will set up selinux in permissive mode, which stops it from preventing applications from running while still logging avc messages and maintaining labeling. selinux=0 shuts off selinux altogether and forces a relabel if you turn it back on.

What avc did you get when you tried

service pulse start
Miroslav add

allow pulseaudio_t self:capability { setuid sys_nice setgid };

rvcsaba Had you set pulseaudio to permissive?
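The capability rule Dan spells out above is the audit2allow-style translation of the three pulseaudio_t AVCs in the log; as an added illustration (not code from this thread or from audit2allow itself), the script below parses AVC records in the form quoted in this bug and groups them into such rules. The sample records are constructed from the denials quoted above, and the regex and grouping are a simplified assumption about the record format, not the real tool's parser.

```python
import re
from collections import defaultdict

# Constructed sample: the unix_stream_socket denial quoted at the top of this
# bug plus the three capability denials from the pulseaudio_t log, with one
# SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AVC = """\
node=(removed) type=AVC msg=audit(1265965868.752:36612): avc: denied { connectto } for pid=2654 comm="metacity" path="/var/run/pulse/native" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
node=(removed) type=SYSCALL msg=audit(1265965868.752:36612): arch=c000003e syscall=42 success=no exit=-13 comm="metacity" exe="/usr/bin/metacity"
Feb 27 23:00:19 localhost kernel: type=1400 audit(1267308019.526:17941): avc: denied { setuid } for pid=6480 comm="pulseaudio" capability=7 scontext=unconfined_u:system_r:pulseaudio_t:s0 tcontext=unconfined_u:system_r:pulseaudio_t:s0 tclass=capability
Feb 27 23:00:19 localhost kernel: type=1400 audit(1267308019.526:17942): avc: denied { setgid } for pid=6480 comm="pulseaudio" capability=6 scontext=unconfined_u:system_r:pulseaudio_t:s0 tcontext=unconfined_u:system_r:pulseaudio_t:s0 tclass=capability
Feb 27 23:00:19 localhost kernel: type=1400 audit(1267308019.526:17943): avc: denied { sys_nice } for pid=6480 comm="pulseaudio" capability=23 scontext=unconfined_u:system_r:pulseaudio_t:s0 tcontext=unconfined_u:system_r:pulseaudio_t:s0 tclass=capability
"""

# One AVC record: the denied permission set, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

def domain_of(context):
    """Type field of a user:role:type:level SELinux context, e.g. xdm_t."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, permission) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise carry no denial
        src, tgt = domain_of(m["scontext"]), domain_of(m["tcontext"])
        for perm in m["perms"].split():
            yield src, tgt, m["tclass"], perm

def suggest_rules(text):
    """Group denials into audit2allow-style allow rules, one per (src, tgt, class)."""
    grouped = defaultdict(list)
    for src, tgt, tclass, perm in parse_denials(text):
        grouped[(src, tgt, tclass)].append(perm)
    rules = []
    for (src, tgt, tclass), perms in grouped.items():
        target = "self" if src == tgt else tgt        # same domain => self
        uniq = list(dict.fromkeys(perms))              # dedupe, keep log order
        body = uniq[0] if len(uniq) == 1 else "{ %s }" % " ".join(uniq)
        rules.append("allow %s %s:%s %s;" % (src, target, tclass, body))
    return rules

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AVC):
        print(rule)
```

As the thread itself shows, a generated rule is a diagnosis aid rather than the fix: the connectto denial was resolved by moving pulseaudio into its own domain, not by allowing xdm_t to connect to initrc_t.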
(In reply to comment #16)
> Had you set pulseaudio to permissive?

Yes, I've just set pulseaudio to permissive mode. It solved my problem. Thank you for your help.
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
rvsaba, watch for additional AVC messages, and report them here with policy package selinux-policy-3.6.32-92.fc12.

ausearch -m avc -ts recent

will show all recent avc messages (10 minutes); -ts today shows all of today's.
Created attachment 397806 [details]
Last lines of audit.log file

rpm -qa selinux-policy\*
selinux-policy-3.6.32-97.fc12.noarch
selinux-policy-targeted-3.6.32-97.fc12.noarch

uname -r
2.6.32.9-70.fc12.x86_64

rpm -qa pulseaudio\* | sort
pulseaudio-0.9.21-5.fc12.x86_64
pulseaudio-gdm-hooks-0.9.21-5.fc12.x86_64
pulseaudio-libs-0.9.21-5.fc12.i686
pulseaudio-libs-0.9.21-5.fc12.x86_64
pulseaudio-libs-glib2-0.9.21-5.fc12.i686
pulseaudio-libs-glib2-0.9.21-5.fc12.x86_64
pulseaudio-libs-zeroconf-0.9.21-5.fc12.x86_64
pulseaudio-module-bluetooth-0.9.21-5.fc12.x86_64
pulseaudio-module-gconf-0.9.21-5.fc12.x86_64
pulseaudio-module-x11-0.9.21-5.fc12.x86_64
pulseaudio-utils-0.9.21-5.fc12.x86_64

cd /var/log/audit
awk 'BEGIN{p=0} {p = p || ($0 ~ /1267699879.737:1796/); if (p) print};' <audit.log >~csaba/audit.log.end

See attachment.
(In reply to comment #19)
> rvsaba, Watch for additional AVC message, and report them here with policy
> package selinux-policy-3.6.32-92.fc12.
>
> ausearch -m avc -ts recent
>
> Will show all recent avc message (10 minutes) -ts today shows all today.

Downgrade my *3.6.32-97 packages (from koji.fedoraproject.org) to *3.6.32-92?
Created attachment 397824 [details]
Miroslav add this patch to allow this access on F12.

Take a look at this patch from F13. It should solve all of the AVC messages in his log.
I have tested this patch and looks good. Fixed in selinux-policy-3.6.32-98.fc12
selinux-policy-3.6.32-99.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-99.fc12
Created attachment 398085 [details]
ausearch output

rpm -qa selinux-policy\*
selinux-policy-3.6.32-99.fc12.noarch
selinux-policy-targeted-3.6.32-99.fc12.noarch

I relabeled filesystems.

ls -Z /usr/bin/pulseaudio
-rwxr-xr-x. root root system_u:object_r:pulseaudio_exec_t:s0 /usr/bin/pulseaudio

ls -Z /etc/init.d/pulse
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/pulse

ausearch -m avc -ts 17:58 >~csaba/ausearch.txt

See attachment.

service pulse start
Starting System-wide Pulseaudio Server: W: core-util.c: Failed to open configuration file '/root/.pulse//daemon.conf': Permission denied
W: daemon-conf.c: Failed to open configuration file: Permission denied
                                                           [FAILED]
:((
Why would a system-wide pulseaudio server be reading its config file from /root/.pulse/daemon.conf? Why isn't this file in /etc/pulse?
I don't know. I'm not Lennart Poettering.

ls /root/.p*
ls: cannot access /root/.p*: No such file or directory

If I use pulseaudio in permissive mode, then it works in system-wide mode. (Sorry, I don't speak English. :-/)
You're doing great.

mkdir /root/.pulse
chcon -t pulseaudio_home_t /root/.pulse

And see if this fixes your problem
If it works - permissive mode:

ps -o'%p%u%c' -C pulseaudio
  PID RUSER COMMAND
 6622 pulse pulseaudio

Pulseaudio forked to 'pulse' user, not running 'root'.

ps -ZC pulseaudio
LABEL                                 PID TTY          TIME CMD
unconfined_u:system_r:pulseaudio_t:s0 6622 ?        00:00:34 pulseaudio

"Failed to open configuration file '/root/.pulse//daemon.conf': Permission denied" message is fake? This message appears only if SELinux is in enforcing mode.
Please attach avc messages

ausearch -m avc -ts recent
(In reply to comment #28)
> Your doing great.
>
> mkdir /root/.pulse
> chcon -t pulseaudio_home_t /root/.pulse
>
> And see if this fixes your problem

Same problem. Why is /root/.pulse/daemon.conf not missing if SELinux is in permissive mode?
(In reply to comment #30)
> Please attach avc messages
>
> ausearch -m avc -ts recent

Read your mailbox!
Miroslav

Needs

userdom_search_admin_dir(pulseaudio_t)
allow pulseaudio_t self:capability sys_tty_config;
Thank you for your help! :)
Fixed in selinux-policy-3.6.32-100.fc12
selinux-policy-3.6.32-99.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-99.fc12
selinux-policy-3.6.32-99.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.