abrt 1.1.1 detected a crash. architecture: x86_64 Attached file: backtrace cmdline: /usr/bin/pulseaudio --start --log-target=syslog component: pulseaudio crash_function: raise executable: /usr/bin/pulseaudio global_uuid: 08e9ebe8d0709cd55480c8a42be8589232e35d8d kernel: 2.6.32.12-115.fc12.x86_64 package: pulseaudio-0.9.21-6.fc13 rating: 4 reason: Process /usr/bin/pulseaudio was killed by signal 6 (SIGABRT) release: Fedora release 13 (Goddard) comment ----- I was running firefox in a SELinux sandbox (/usr/bin/sandbox is provided by policycoreutils-python). As soon as firefox tries to play audio, pulseaudio crashes. There are also error messages from pulseaudio in /var/og/messages: Jun 10 13:25:18 maunalani pulseaudio[3115]: bluetooth-util.c: Error from ListAdapters reply: org.freedesktop.DBus.Error.AccessDenied Jun 10 13:25:18 maunalani pulseaudio[3115]: fdsem.c: Invalid read from pipe: Permission denied Jun 10 13:25:18 maunalani pulseaudio[3115]: fdsem.c: Code should not be reached at pulsecore/fdsem.c:208, function pa_fdsem_post(). Aborting. It is not expected that I'm able to hear audio from a sandbox'ed app (selinux is blocking the sandboxed app from interacting with pulseaudio. It's also not expected that pulseaudio (outside the sandbox) abort when an app in the sandbox tries to connect to it. How to reproduce ----- 1. Run sandbox -X -t sandbox_web_t firefox 2. Navigate to a website that plays audio (I used youtube) 3. Pulseaudio crashes
Created attachment 422987 [details] File: backtrace
This is working for me on F14. Miroslav can you try this out on F13?
Ok, I am seeing the same issue. 1. I am trying: # sandbox -X -t sandbox_web_t firefox # Navigate to a website that plays audio (I used youtube) and it still wants to donwload flash-plugin. I am seeing in permissive mode type=AVC msg=audit(1276770224.529:266): avc: denied { write } for pid=13591 comm="npconfig" name="nswrapper_32_32.libflashplayer.so" dev=dm-0 ino=1187580 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c823,c928 tcontext=unconfined_u:object_r:nsplugin_rw_t:s0:c579,c615 tclass=file # ausearch -m avc -ts recent | audit2allow #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow sandbox_web_client_t nsplugin_rw_t:file { read write execute unlink };
2. I am trying the second case 1. Navigate to a website that plays audio outside sandbox (I used youtube) 2. Run sandbox -X -t sandbox_web_t firefox 3. Navigate to a website that plays audio (I used youtube) 4. Switch to enforce mode 5. Pulseaudio crashes
Ok I think we need nsplugin_dontaudit_write_rw_files(sandbox_web_type) Since we should force people to install plugins outside of sandbox.
This is working on F14. Miroslav can you disable dontaudites and see if something is being denied to pulseaudio.
I just want to be clear that this isn't a plugin problem, or a flash problem. The pulseaudio crash is reproduceable when anything in the sandbox tries to play audio. It is reproduceable when running: sandbox -X -t sandbox_web_t totem /usr/share/sounds/gnome/default/alerts/bark.ogg
(In reply to comment #6) > This is working on F14. Miroslav can you disable dontaudites and see if > something is being denied to pulseaudio. Ok, I got it. type=AVC msg=audit(1276854743.036:91651): avc: denied { write } for pid=14490 comm="pulseaudio" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3986 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file type=SYSCALL msg=audit(1276854743.036:91651): arch=c000003e syscall=1 success=no exit=-13 a0=17 a1=7ff70c6182a0 a2=8 a3=6 items=0 ppid=1 pid=14490 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 key=(null) type=ANOM_ABEND msg=audit(1276854743.038:91652): auid=500 uid=500 gid=500 ses=1 subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c235,c513 pid=14490 comm="pulseaudio" sig=6 so fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) is culprit.
Changing it to allow makes it work? Rawhide has sesearch -A -s sandbox_web_t -t anon_inodefs_t --dontaudit Found 3 semantic av rules: allow sandbox_x_domain anon_inodefs_t : file { ioctl read getattr lock open } ; allow sandbox_x_domain anon_inodefs_t : dir { getattr search open } ; allow sandbox_x_domain file_type : file entrypoint ; sesearch -s sandbox_web_type -t anon_inodefs_t --dontaudit Found 3 semantic av rules: dontaudit sandbox_web_type anon_inodefs_t : file { ioctl read write getattr lock append open } ; dontaudit sandbox_web_type file_type : dir getattr ; dontaudit sandbox_web_type filesystem_type : filesystem getattr ; And it works there?
Yes, this is strange but it looks like it works with fs_rw_anon_inodefs_files(sandbox_web_client_t) Mike, could you try to add the following local policy and test it # cat > local.te << EOF policy_module(local, 1.0) require{ type sandbox_web_client_t; } fs_rw_anon_inodefs_files(sandbox_web_client_t) EOF # make -f /usr/share/selinux/devel/Makefile # semodule -i local.pp Thanks.
Well if that fixes it, Make the change. I don't think that access is a big threat. I will leave it as dontaudit in Rawhide, since it does not seem to cause problems there. Maybe a newer version of pulseaudio does not crash when denied this access.
After the update today, sound within sandboxes works for me. (updated policy to selinux-policy-3.7.19-33.fc13.noarch) Thanks!