Hello,

here's another issue of mpd and pulseaudio. The mpd is (must be) running under my UID (edlman), not its default (mpd), otherwise it is not playing at all. I don't know if it's a problem of SELinux or mpd itself.

It looks as if it's not able to connect to the pulseaudio daemon, which is running in user mode under my UID. Maybe running pulseaudio in system mode would solve the problem - I'll try to test it.

Another strange thing is that I removed permissive mode from mpd_t by "semanage permissive -d mpd_t", but as you can see in the report mpd is still running in permissive mode.

--------------------------------------------------------------------------------------------------

Souhrn:

SELinux is preventing /usr/bin/mpd "read write" access on /home/edlman/.pulse-cookie.

Podrobný popis:

[mpd je v toleratním režimu (mpd_t). Přístup byl povolen.]

SELinux denied access requested by mpd. It is not expected that this access is required by mpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Další informace:

Kontext zdroje                unconfined_u:system_r:mpd_t:s0
Kontext cíle                  unconfined_u:object_r:pulseaudio_home_t:s0
Objekty cíle                  /home/edlman/.pulse-cookie [ file ]
Zdroj                         mpd
Cesta zdroje                  /usr/bin/mpd
Port                          <Neznámé>
Počítač                       (removed)
RPM balíčky zdroje            mpd-0.15.8-1.fc13
RPM balíčky cíle
RPM politiky                  selinux-policy-3.7.19-28.fc13
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název zásuvného modulu        catchall
Název počítače                (removed)
Platforma                     Linux (removed) 2.6.33.5-124.fc13.i686.PAE #1 SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Počet upozornění              2
Poprvé viděno                 Čt 17. červen 2010, 07:50:25 CEST
Naposledy viděno              Čt 17. červen 2010, 07:50:25 CEST
Místní ID                     4a340d80-b886-4e92-b89b-9ef408c1593e
Čísla řádků

Původní zprávy auditu

node=(removed) type=AVC msg=audit(1276753825.559:32118): avc: denied { read write } for pid=3249 comm="mpd" name=".pulse-cookie" dev=dm-4 ino=132002 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1276753825.559:32118): avc: denied { open } for pid=3249 comm="mpd" name=".pulse-cookie" dev=dm-4 ino=132002 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1276753825.559:32118): arch=40000003 syscall=5 success=yes exit=14 a0=b50012e0 a1=8142 a2=180 a3=0 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)

--------------------------------------------------------------------------------------------------

Souhrn:

SELinux is preventing /usr/bin/mpd "lock" access on /home/edlman/.pulse-cookie.

Podrobný popis:

[mpd je v toleratním režimu (mpd_t). Přístup byl povolen.]

SELinux denied access requested by mpd. It is not expected that this access is required by mpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Další informace:

Kontext zdroje                unconfined_u:system_r:mpd_t:s0
Kontext cíle                  unconfined_u:object_r:pulseaudio_home_t:s0
Objekty cíle                  /home/edlman/.pulse-cookie [ file ]
Zdroj                         mpd
Cesta zdroje                  /usr/bin/mpd
Port                          <Neznámé>
Počítač                       (removed)
RPM balíčky zdroje            mpd-0.15.8-1.fc13
RPM balíčky cíle
RPM politiky                  selinux-policy-3.7.19-28.fc13
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název zásuvného modulu        catchall
Název počítače                (removed)
Platforma                     Linux (removed) 2.6.33.5-124.fc13.i686.PAE #1 SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Počet upozornění              1
Poprvé viděno                 Čt 17. červen 2010, 07:50:25 CEST
Naposledy viděno              Čt 17. červen 2010, 07:50:25 CEST
Místní ID                     f67f8300-aabb-4a67-85da-b22ac1406d64
Čísla řádků

Původní zprávy auditu

node=(removed) type=AVC msg=audit(1276753825.559:32119): avc: denied { lock } for pid=3249 comm="mpd" path="/home/edlman/.pulse-cookie" dev=dm-4 ino=132002 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1276753825.559:32119): arch=40000003 syscall=221 success=yes exit=0 a0=e a1=e a2=b5bfee88 a3=0 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)

--------------------------------------------------------------------------------------------------

Souhrn:

SELinux is preventing /usr/bin/mpd "signull" access .

Podrobný popis:

[mpd je v toleratním režimu (mpd_t). Přístup byl povolen.]

SELinux denied access requested by mpd. It is not expected that this access is required by mpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Další informace:

Kontext zdroje                unconfined_u:system_r:mpd_t:s0
Kontext cíle                  unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Objekty cíle                  None [ process ]
Zdroj                         mpd
Cesta zdroje                  /usr/bin/mpd
Port                          <Neznámé>
Počítač                       (removed)
RPM balíčky zdroje            mpd-0.15.8-1.fc13
RPM balíčky cíle
RPM politiky                  selinux-policy-3.7.19-28.fc13
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název zásuvného modulu        catchall
Název počítače                (removed)
Platforma                     Linux (removed) 2.6.33.5-124.fc13.i686.PAE #1 SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Počet upozornění              1
Poprvé viděno                 Čt 17. červen 2010, 07:50:25 CEST
Naposledy viděno              Čt 17. červen 2010, 07:50:25 CEST
Místní ID                     0d14bbf9-375e-4492-ab6c-4120b4c59056
Čísla řádků

Původní zprávy auditu

node=(removed) type=AVC msg=audit(1276753825.570:32120): avc: denied { signull } for pid=3249 comm="mpd" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=process
node=(removed) type=SYSCALL msg=audit(1276753825.570:32120): arch=40000003 syscall=37 success=yes exit=0 a0=92d a1=0 a2=440f208 a3=b5bfef18 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)

--------------------------------------------------------------------------------------------------

Souhrn:

SELinux is preventing /usr/bin/mpd "read" access on /home/edlman/.pulse/d3ddfd60b514527fc174b8fb000000fb-runtime.

Podrobný popis:

[mpd je v toleratním režimu (mpd_t). Přístup byl povolen.]

SELinux denied access requested by mpd. It is not expected that this access is required by mpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Další informace:

Kontext zdroje                unconfined_u:system_r:mpd_t:s0
Kontext cíle                  unconfined_u:object_r:pulseaudio_home_t:s0
Objekty cíle                  /home/edlman/.pulse/d3ddfd60b514527fc174b8fb000000fb-runtime [ lnk_file ]
Zdroj                         mpd
Cesta zdroje                  /usr/bin/mpd
Port                          <Neznámé>
Počítač                       (removed)
RPM balíčky zdroje            mpd-0.15.8-1.fc13
RPM balíčky cíle
RPM politiky                  selinux-policy-3.7.19-28.fc13
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Enforcing
Název zásuvného modulu        catchall
Název počítače                (removed)
Platforma                     Linux (removed) 2.6.33.5-124.fc13.i686.PAE #1 SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Počet upozornění              3
Poprvé viděno                 Čt 17. červen 2010, 07:50:25 CEST
Naposledy viděno              Čt 17. červen 2010, 07:50:25 CEST
Místní ID                     0a1ea1d9-3c7f-4a1a-893d-3a15dd736c05
Čísla řádků

Původní zprávy auditu

node=(removed) type=AVC msg=audit(1276753825.578:32121): avc: denied { read } for pid=3249 comm="mpd" name="d3ddfd60b514527fc174b8fb000000fb-runtime" dev=dm-4 ino=131109 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=lnk_file
node=(removed) type=AVC msg=audit(1276753825.578:32121): avc: denied { write } for pid=3249 comm="mpd" name="native" dev=dm-2 ino=36 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file
node=(removed) type=AVC msg=audit(1276753825.578:32121): avc: denied { connectto } for pid=3249 comm="mpd" path="/tmp/pulse-XwfNToZmWlJo/native" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=(removed) type=SYSCALL msg=audit(1276753825.578:32121): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b5bfee50 a2=440f208 a3=0 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)

Hash String generated from  catchall,mpd,mpd_t,pulseaudio_home_t,lnk_file,read
audit2allow suggests:

#============= mpd_t ==============
#!!!! The source type 'mpd_t' can write to a 'file' of the following type:
# mpd_var_lib_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t, mpd_tmp_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t, mpd_tmp_t, mpd_tmpfs_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t, mpd_tmp_t, mpd_tmpfs_t, anon_inodefs_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t, mpd_tmp_t, mpd_tmpfs_t, anon_inodefs_t, root_t
allow mpd_t pulseaudio_home_t:file { read write open lock };
allow mpd_t pulseaudio_home_t:lnk_file read;
allow mpd_t unconfined_execmem_t:process signull;
allow mpd_t unconfined_execmem_t:unix_stream_socket connectto;
allow mpd_t user_tmp_t:sock_file write;
Martin, could you send me your mpd.conf and /etc/pulse/daemon.conf? Thanks.
Hello, here are my config files - I stripped out comment lines. PulseAudio config is original without modifications. mpd is running under my UID (edlman), /var/lib/mpd (and everything inside) is owned by edlman. I tried to make mpd run under its UID (mpd) according to http://mpd.wikia.com/wiki/PulseAudio but with no success.

-----------------------------------------------------------
# cat /etc/mpd.conf
music_directory     "/media/data/multimedia/audio"
playlist_directory  "/var/lib/mpd/playlists"
db_file             "/var/lib/mpd/mpd.db"
log_file            "/var/lib/mpd/mpd.log"
error_file          "/var/lib/mpd/mpd.error"
state_file          "/var/lib/mpd/mpdstate"
#user               "mpd"
user                "edlman"
zeroconf_enabled    "yes"
zeroconf_name       "Music Player Worm"

audio_output {
    type        "pulse"
    name        "PulseAudio Output"
}

audio_output {
    type        "shout"
    format      "44100:16:2"
    name        "Music stream"
    host        "worm.fortech.cz"
    port        "8000"
    mount       "/stream.ogg"
    password    "edasovo"
    quality     "5"
    user        "source"
    description "All kinds of music"
    genre       "Everything"
} # end of audio_output

mixer_type          "software"
-----------------------------------------------------------
# cat /etc/pulse/default.pa
.nofail
.fail
load-module module-device-restore
load-module module-stream-restore
load-module module-card-restore
load-module module-augment-properties
.ifexists module-udev-detect.so
load-module module-udev-detect
.else
load-module module-detect
.endif
.ifexists module-bluetooth-discover.so
load-module module-bluetooth-discover
.endif
.ifexists module-esound-protocol-unix.so
load-module module-esound-protocol-unix
.endif
load-module module-native-protocol-unix
.ifexists module-gconf.so
.nofail
load-module module-gconf
.fail
.endif
load-module module-default-device-restore
load-module module-rescue-streams
load-module module-always-sink
load-module module-intended-roles
load-module module-suspend-on-idle
load-module module-console-kit
load-module module-position-event-sounds
load-module module-cork-music-on-phone
I forgot to include /etc/pulse/daemon.conf. This file is without modification from installation; all lines are commented out with # or ;, so I won't list it here. PulseAudio is installed from RPM - pulseaudio-0.9.21-6.fc13.i686.
(In reply to comment #0)
> Hello,
>
> here's another issue of mpd and pulseaudio. The mpd is (must be) running under
> my UID (edlman) not its default (mpd), otherwise it is not playing at all. I
> don't know if it's problem of SELinux or mpd itself.
>
> It looks as it's not able to connect to pulseaudio daemon which is running in
> user mode under my UID. Maybe running pulseaudio in system mode would solve the
> problem - I'll try to test it.
>

Ok, these avc messages are caused by mpd running under your UID.

> allow mpd_t pulseaudio_home_t:file { read write open lock };
> allow mpd_t pulseaudio_home_t:lnk_file read;
> allow mpd_t unconfined_execmem_t:process signull;
> allow mpd_t unconfined_execmem_t:unix_stream_socket connectto;
> allow mpd_t user_tmp_t:sock_file write;
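Both the reporter's puzzle (mpd_t still behaving permissively after "semanage permissive -d mpd_t") and the allow rules quoted above can be read straight off the audit records. The Python script below is an added example, not code from this bug, from setroubleshoot or from audit2allow: it merges the AVC denials into audit2allow-style allow statements and flags domains whose denied access nevertheless has success=yes on the matching SYSCALL record, which is what a permissive domain looks like on a kernel that does not print a permissive= field in the AVC record. The sample input is the audit output quoted in this bug, trimmed to the fields the script reads.

```python
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in this bug report, trimmed to
# the fields the script needs (each audit serial ends with its SYSCALL record).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1276753825.559:32118): avc: denied { read write } for pid=3249 comm="mpd" name=".pulse-cookie" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
type=AVC msg=audit(1276753825.559:32118): avc: denied { open } for pid=3249 comm="mpd" name=".pulse-cookie" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
type=SYSCALL msg=audit(1276753825.559:32118): arch=40000003 syscall=5 success=yes exit=14 comm="mpd" exe="/usr/bin/mpd"
type=AVC msg=audit(1276753825.559:32119): avc: denied { lock } for pid=3249 comm="mpd" path="/home/edlman/.pulse-cookie" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
type=SYSCALL msg=audit(1276753825.559:32119): arch=40000003 syscall=221 success=yes exit=0 comm="mpd"
type=AVC msg=audit(1276753825.570:32120): avc: denied { signull } for pid=3249 comm="mpd" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1276753825.570:32120): arch=40000003 syscall=37 success=yes exit=0 comm="mpd"
type=AVC msg=audit(1276753825.578:32121): avc: denied { read } for pid=3249 comm="mpd" name="d3ddfd60b514527fc174b8fb000000fb-runtime" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1276753825.578:32121): avc: denied { write } for pid=3249 comm="mpd" name="native" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1276753825.578:32121): avc: denied { connectto } for pid=3249 comm="mpd" path="/tmp/pulse-XwfNToZmWlJo/native" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1276753825.578:32121): arch=40000003 syscall=102 success=yes exit=0 comm="mpd"
"""

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<serial>[^)]+)\): avc: +denied +\{ (?P<perms>[^}]+)\} '
                    r'for .*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<serial>[^)]+)\):.*? success=(?P<ok>\w+)')

def parse_denials(text):
    """Merge AVC denials per (source type, target type, class); per audit serial,
    remember the source domain and whether the SYSCALL record says success=yes."""
    rules, events = defaultdict(set), {}
    for line in text.splitlines():
        if (m := AVC_RE.search(line)):
            key = (m['scon'].split(':')[2], m['tcon'].split(':')[2], m['tclass'])
            rules[key].update(m['perms'].split())
            events.setdefault(m['serial'], {'domain': key[0], 'success': None})
        elif (m := SYSCALL_RE.search(line)) and m['serial'] in events:
            events[m['serial']]['success'] = m['ok']
    return rules, events

def allow_rules(rules):
    """Render the merged denials as audit2allow-style allow statements."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {stype} {ttype}:{tclass} {body};')
    return out

def permissive_domains(events):
    """Domains whose denied access still succeeded: enforcing mode would have failed
    the syscall, so success=yes next to a denial means the domain (or system) is permissive."""
    return sorted({e['domain'] for e in events.values() if e['success'] == 'yes'})
```

Running it over the sample yields the same five rules audit2allow printed (permissions sorted alphabetically) and reports mpd_t as permissive, confirming what the report header said despite the semanage change; with success=no on the SYSCALL records it would report no permissive domain.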
*** Bug 609264 has been marked as a duplicate of this bug. ***
*** Bug 610852 has been marked as a duplicate of this bug. ***
*** Bug 610825 has been marked as a duplicate of this bug. ***
The workaround for MPD which is not running under the mpd user:

# cat > mympd.te << _EOF
policy_module(mympd, 1.0)

require{
	type mpd_t;
}

pulseaudio_manage_home_files(mpd_t)
pulseaudio_setattr_home_dir(mpd_t)
userdom_list_user_tmp(mpd_t)
userdom_write_user_tmp_sockets(mpd_t)
unconfined_stream_connect(mpd_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mympd.pp