Red Hat Bugzilla – Bug 584697
SELinux is preventing /usr/bin/pulseaudio "signull" access .
Last modified: 2010-05-18 17:54:54 EDT
Summary: SELinux is preventing /usr/bin/pulseaudio "signull" access . Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by pulseaudio. It is not expected that this access is required by pulseaudio and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:pulseaudio_t:s0 Target Context unconfined_u:system_r:initrc_t:s0 Target Objects None [ process ] Source pulseaudio Source Path /usr/bin/pulseaudio Port <Unknown> Host (removed) Source RPM Packages pulseaudio-0.9.21-5.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-110.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686 Alert Count 2 First Seen Thu 22 Apr 2010 02:07:12 AM CDT Last Seen Thu 22 Apr 2010 02:37:16 AM CDT Local ID 9644f8c8-11b4-4ca0-9a3e-0ae275ff1be4 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1271921836.567:91): avc: denied { signull } for pid=3150 comm="pulseaudio" scontext=unconfined_u:system_r:pulseaudio_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=process node=(removed) type=SYSCALL msg=audit(1271921836.567:91): arch=40000003 syscall=37 success=yes exit=0 a0=c46 a1=0 a2=4491f4 a3=bfd473c8 items=0 ppid=3146 pid=3150 auid=500 uid=494 gid=475 euid=494 suid=494 fsuid=494 egid=475 sgid=475 fsgid=475 tty=(none) ses=2 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=unconfined_u:system_r:pulseaudio_t:s0 key=(null) Hash String generated from catchall,pulseaudio,pulseaudio_t,initrc_t,process,signull audit2allow suggests: #============= pulseaudio_t ============== allow pulseaudio_t initrc_t:process signull;
Which process is running as initrc_t? Music Player Daemon (MPD)? # ps -eZ | grep initrc
yes, Music Player Daemon. Not from Fedora, but from rpmfusion. /etc/init.d/mpd i updated to FC12 from FC11 last night and i wanted to test if the bug reporting is actually working now after going nowhere with hundreds of bug reports. Had i known bug reporting was actually working, i would have looked at this further on my own before reporting. There were more than 30 SELINUX errors related to mpd. i reported a handful and now Dan Walsh is involved - wow. There were official windows mpd clients infested with malware a few months back and haven't tried them again, but it made me suspicious of the mpd project.
It is probably best if we write a policy for mpd. Do you know if this is intended to be moved into Fedora?
i found mpd packages in rpmfusion and atrpm.net. i believe there are some media player clients in Fedora already. i didn't find any package review requests.
libmpd libmpdclient qmpdclient I believe we will eventually see the MPD in the repos ?
gmpc - Gnome Media Player Client
Miroslav for now lets add optional_policy(` pulseaudio_stream_connect(initrc_t) ') Since we do not know if other services will need this access.
Fixed in selinux-policy-3.6.32-114.fc12
selinux-policy-3.6.32-114.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-114.fc12
selinux-policy-3.6.32-114.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-114.fc12
selinux-policy-3.6.32-114.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.