Bug 591751 - SELinux is preventing /usr/bin/qemu-kvm "execute" access on /usr/bin/pulseaudio.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:d667854c188...
Reported: 2010-05-13 00:11 UTC by Marc Milgram
Modified: 2013-01-09 11:34 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-08-19 10:19:15 UTC
Type: ---


Description Marc Milgram 2010-05-13 00:11:06 UTC
Summary:

SELinux is preventing /usr/bin/qemu-kvm "execute" access on /usr/bin/pulseaudio.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see the FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c145,c652
Target Context                system_u:object_r:pulseaudio_exec_t:s0
Target Objects                /usr/bin/pulseaudio [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.11.0-13.fc12
Target RPM Packages           pulseaudio-0.9.21-5.fc12
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.11-99.fc12.x86_64
                              #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Tue 13 Apr 2010 11:42:50 AM EDT
Last Seen                     Tue 13 Apr 2010 11:42:51 AM EDT
Local ID                      185a5a89-8a6f-4221-b1e0-19c33404264a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1271173371.86:62): avc:  denied  { execute } for  pid=8038 comm="qemu-kvm" name="pulseaudio" dev=dm-1 ino=259597 scontext=system_u:system_r:svirt_t:s0:c145,c652 tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1271173371.86:62): arch=c000003e syscall=59 success=no exit=-13 a0=7fcb74014ad0 a1=7fcb44be99d0 a2=7fff33a45de0 a3=7fcb44be9740 items=0 ppid=7982 pid=8038 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c145,c652 key=(null)



Hash String generated from  catchall,qemu-kvm,svirt_t,pulseaudio_exec_t,file,execute
audit2allow suggests:

#============= svirt_t ==============
allow svirt_t pulseaudio_exec_t:file execute;

Comment 1 Daniel Walsh 2010-05-13 12:37:14 UTC
Does pulseaudio actually work now with qemu launched from libvirt?  Or should this just be dontaudited?

Comment 2 Amit Shah 2010-05-13 13:03:44 UTC
The support has been added and it should work fine. Please allow this access.

Comment 4 Daniel Berrangé 2010-05-13 13:38:02 UTC
This is an artifact of the PulseAudio client library code, rather than QEMU. It will try to connect to an existing PulseAudio server, and if unsuccessful spawn a new one. We really don't want this auto-spawning to be done from QEMU, but (AFAIK) there's no API to prevent it. In addition, even if auto-spawning were allowed by SELinux, it still wouldn't work because the 'qemu' user won't have any permissions to the /dev/snd/* devices.

Comment 5 Daniel Walsh 2010-05-13 15:01:36 UTC
So for now I can dontaudit it trying to execute pulseaudio.
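As an added example (not part of this report, nor code from setroubleshoot or audit2allow), the snippet below parses the raw AVC record quoted in the description and renders both the `allow` rule audit2allow suggested and the `dontaudit` form chosen in comment 5, which silences the log entry without granting the access. The function names `parse_avc` and `policy_rule` are hypothetical, and the input line is a copy of the record above embedded as a constant.

```python
import re
from dataclasses import dataclass

# Constructed input: the AVC record from the bug report above, copied into a string.
AVC_LINE = ('node=(removed) type=AVC msg=audit(1271173371.86:62): avc:  denied  { execute } '
            'for  pid=8038 comm="qemu-kvm" name="pulseaudio" dev=dm-1 ino=259597 '
            'scontext=system_u:system_r:svirt_t:s0:c145,c652 '
            'tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=file')

_PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')   # the "{ execute }" permission set
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                # key=value pairs, quoted or bare


@dataclass
class AvcDenial:
    perms: list        # permissions that were denied, e.g. ['execute']
    comm: str          # process name from comm="..."
    source_type: str   # type field of scontext, e.g. svirt_t
    target_type: str   # type field of tcontext, e.g. pulseaudio_exec_t
    tclass: str        # object class, e.g. file


def parse_avc(line):
    """Extract the denied permissions and the source/target SELinux types from one AVC record."""
    m = _PERMS_RE.search(line)
    if 'type=AVC' not in line or not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    # A context reads user:role:type[:level]; the type is the third colon-separated field.
    source_type = fields['scontext'].split(':')[2]
    target_type = fields['tcontext'].split(':')[2]
    return AvcDenial(m.group(1).split(), fields.get('comm', '?'),
                     source_type, target_type, fields['tclass'])


def policy_rule(denial, kind):
    """Render a policy rule in audit2allow's output format.

    kind='allow' grants the access (what audit2allow printed in the report);
    kind='dontaudit' keeps the denial but stops it from being logged (comment 5).
    """
    if kind not in ('allow', 'dontaudit'):
        raise ValueError('kind must be allow or dontaudit')
    perms = denial.perms[0] if len(denial.perms) == 1 else '{ %s }' % ' '.join(denial.perms)
    return f'{kind} {denial.source_type} {denial.target_type}:{denial.tclass} {perms};'


if __name__ == '__main__':
    d = parse_avc(AVC_LINE)
    print(policy_rule(d, 'allow'))       # allow svirt_t pulseaudio_exec_t:file execute;
    print(policy_rule(d, 'dontaudit'))   # dontaudit svirt_t pulseaudio_exec_t:file execute;
```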

