Bug 604952 (MPD) - SELinux is preventing /usr/bin/mpd "read" access on /home/edlman/.pulse/d3ddfd60b514527fc174b8fb000000fb-runtime.
Summary: SELinux is preventing /usr/bin/mpd "read" access on /home/edlman/.pulse/...
Keywords:
Status: CLOSED CANTFIX
Alias: MPD
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f01804bf7b9...
Duplicates: 609264 610825 610852
Depends On:
Blocks:
 
Reported: 2010-06-17 06:03 UTC by Martin Edlman
Modified: 2010-10-07 14:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-07 14:54:40 UTC
Type: ---
Embargoed:



Description Martin Edlman 2010-06-17 06:03:52 UTC
Hello,

here's another issue of mpd and pulseaudio. The mpd is (must be) running under my UID (edlman), not its default (mpd), otherwise it is not playing at all. I don't know if it's a problem of SELinux or mpd itself.

It looks as if it's not able to connect to the pulseaudio daemon which is running in user mode under my UID. Maybe running pulseaudio in system mode would solve the problem - I'll try to test it.

Another strange thing is that I removed permissive mode from mpd_t by "semanage permissive -d mpd_t" but as you can see in the report mpd is still running in permissive mode.

--------------------------------------------------------------------------------------------------

Summary:

SELinux is preventing /usr/bin/mpd "read write" access on
/home/edlman/.pulse-cookie.

Detailed description:

[mpd is in permissive mode (mpd_t). Access was allowed.]

SELinux denied access requested by mpd. It is not expected that this access is
required by mpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional information:

Source Context                unconfined_u:system_r:mpd_t:s0
Target Context                unconfined_u:object_r:pulseaudio_home_t:s0
Target Objects                /home/edlman/.pulse-cookie [ file ]
Source                        mpd
Source Path                   /usr/bin/mpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mpd-0.15.8-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686.PAE
                              #1 SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Thu 17 Jun 2010, 07:50:25 CEST
Last Seen                     Thu 17 Jun 2010, 07:50:25 CEST
Local ID                      4a340d80-b886-4e92-b89b-9ef408c1593e
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1276753825.559:32118): avc:  denied  { read write } for  pid=3249 comm="mpd" name=".pulse-cookie" dev=dm-4 ino=132002 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1276753825.559:32118): avc:  denied  { open } for  pid=3249 comm="mpd" name=".pulse-cookie" dev=dm-4 ino=132002 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1276753825.559:32118): arch=40000003 syscall=5 success=yes exit=14 a0=b50012e0 a1=8142 a2=180 a3=0 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)


--------------------------------------------------------------------------------------------------

Summary:

SELinux is preventing /usr/bin/mpd "lock" access on /home/edlman/.pulse-cookie.

Detailed description:

[mpd is in permissive mode (mpd_t). Access was allowed.]

SELinux denied access requested by mpd. It is not expected that this access is
required by mpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional information:

Source Context                unconfined_u:system_r:mpd_t:s0
Target Context                unconfined_u:object_r:pulseaudio_home_t:s0
Target Objects                /home/edlman/.pulse-cookie [ file ]
Source                        mpd
Source Path                   /usr/bin/mpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mpd-0.15.8-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686.PAE
                              #1 SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Thu 17 Jun 2010, 07:50:25 CEST
Last Seen                     Thu 17 Jun 2010, 07:50:25 CEST
Local ID                      f67f8300-aabb-4a67-85da-b22ac1406d64
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1276753825.559:32119): avc:  denied  { lock } for  pid=3249 comm="mpd" path="/home/edlman/.pulse-cookie" dev=dm-4 ino=132002 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1276753825.559:32119): arch=40000003 syscall=221 success=yes exit=0 a0=e a1=e a2=b5bfee88 a3=0 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)


--------------------------------------------------------------------------------------------------

Summary:

SELinux is preventing /usr/bin/mpd "signull" access.

Detailed description:

[mpd is in permissive mode (mpd_t). Access was allowed.]

SELinux denied access requested by mpd. It is not expected that this access is
required by mpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional information:

Source Context                unconfined_u:system_r:mpd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Objects                None [ process ]
Source                        mpd
Source Path                   /usr/bin/mpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mpd-0.15.8-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686.PAE
                              #1 SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Thu 17 Jun 2010, 07:50:25 CEST
Last Seen                     Thu 17 Jun 2010, 07:50:25 CEST
Local ID                      0d14bbf9-375e-4492-ab6c-4120b4c59056
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1276753825.570:32120): avc:  denied  { signull } for  pid=3249 comm="mpd" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1276753825.570:32120): arch=40000003 syscall=37 success=yes exit=0 a0=92d a1=0 a2=440f208 a3=b5bfef18 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)


--------------------------------------------------------------------------------------------------

Summary:

SELinux is preventing /usr/bin/mpd "read" access on
/home/edlman/.pulse/d3ddfd60b514527fc174b8fb000000fb-runtime.

Detailed description:

[mpd is in permissive mode (mpd_t). Access was allowed.]

SELinux denied access requested by mpd. It is not expected that this access is
required by mpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional information:

Source Context                unconfined_u:system_r:mpd_t:s0
Target Context                unconfined_u:object_r:pulseaudio_home_t:s0
Target Objects                /home/edlman/.pulse
                              /d3ddfd60b514527fc174b8fb000000fb-runtime [
                              lnk_file ]
Source                        mpd
Source Path                   /usr/bin/mpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mpd-0.15.8-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686.PAE
                              #1 SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Thu 17 Jun 2010, 07:50:25 CEST
Last Seen                     Thu 17 Jun 2010, 07:50:25 CEST
Local ID                      0a1ea1d9-3c7f-4a1a-893d-3a15dd736c05
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1276753825.578:32121): avc:  denied  { read } for  pid=3249 comm="mpd" name="d3ddfd60b514527fc174b8fb000000fb-runtime" dev=dm-4 ino=131109 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=lnk_file

node=(removed) type=AVC msg=audit(1276753825.578:32121): avc:  denied  { write } for  pid=3249 comm="mpd" name="native" dev=dm-2 ino=36 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file

node=(removed) type=AVC msg=audit(1276753825.578:32121): avc:  denied  { connectto } for  pid=3249 comm="mpd" path="/tmp/pulse-XwfNToZmWlJo/native" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=(removed) type=SYSCALL msg=audit(1276753825.578:32121): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b5bfee50 a2=440f208 a3=0 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)



Hash String generated from  catchall,mpd,mpd_t,pulseaudio_home_t,lnk_file,read
audit2allow suggests:

#============= mpd_t ==============
#!!!! The source type 'mpd_t' can write to a 'file' of the following type:
# mpd_var_lib_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t, mpd_tmp_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t, mpd_tmp_t, mpd_tmpfs_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t, mpd_tmp_t, mpd_tmpfs_t, anon_inodefs_t
#!!!! The source type 'mpd_t' can write to a 'file' of the following types:
# mpd_var_lib_t, mpd_data_t, mpd_tmp_t, mpd_tmpfs_t, anon_inodefs_t, root_t

allow mpd_t pulseaudio_home_t:file { read write open lock };
allow mpd_t pulseaudio_home_t:lnk_file read;
allow mpd_t unconfined_execmem_t:process signull;
allow mpd_t unconfined_execmem_t:unix_stream_socket connectto;
allow mpd_t user_tmp_t:sock_file write;
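The five `allow` rules above are what audit2allow derived from the raw AVC records, and the reporter also notes that mpd_t still behaves as permissive after `semanage permissive -d mpd_t`. The script below is an added example, not part of this bug report and not the audit2allow or setroubleshoot code; it reproduces both observations from the report's own audit lines. It collapses the denials into one rule per source type, target type and object class, and it pairs each AVC record with the SYSCALL record carrying the same audit serial, so that "denied" accesses whose syscall nevertheless returned `success=yes` (the signature of a permissive source domain) are flagged. The function names and the `SAMPLE_AUDIT` constant are my own; the audit lines inside it are copied from the report.

```python
"""Turn SELinux AVC denials into audit2allow-style rules and spot permissive domains.

Added example built on the audit records quoted in the bug report. It is not the
audit2allow implementation, only the same aggregation written out by hand.
"""
import re

# Constructed sample input: the AVC and SYSCALL records copied from the report's
# "raw audit messages". On a real host read /var/log/audit/audit.log or `ausearch -m AVC`.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1276753825.559:32118): avc:  denied  { read write } for  pid=3249 comm="mpd" name=".pulse-cookie" dev=dm-4 ino=132002 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1276753825.559:32118): avc:  denied  { open } for  pid=3249 comm="mpd" name=".pulse-cookie" dev=dm-4 ino=132002 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1276753825.559:32118): arch=40000003 syscall=5 success=yes exit=14 a0=b50012e0 a1=8142 a2=180 a3=0 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)
node=(removed) type=AVC msg=audit(1276753825.559:32119): avc:  denied  { lock } for  pid=3249 comm="mpd" path="/home/edlman/.pulse-cookie" dev=dm-4 ino=132002 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1276753825.559:32119): arch=40000003 syscall=221 success=yes exit=0 a0=e a1=e a2=b5bfee88 a3=0 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)
node=(removed) type=AVC msg=audit(1276753825.570:32120): avc:  denied  { signull } for  pid=3249 comm="mpd" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=process
node=(removed) type=SYSCALL msg=audit(1276753825.570:32120): arch=40000003 syscall=37 success=yes exit=0 a0=92d a1=0 a2=440f208 a3=b5bfef18 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)
node=(removed) type=AVC msg=audit(1276753825.578:32121): avc:  denied  { read } for  pid=3249 comm="mpd" name="d3ddfd60b514527fc174b8fb000000fb-runtime" dev=dm-4 ino=131109 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=lnk_file
node=(removed) type=AVC msg=audit(1276753825.578:32121): avc:  denied  { write } for  pid=3249 comm="mpd" name="native" dev=dm-2 ino=36 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file
node=(removed) type=AVC msg=audit(1276753825.578:32121): avc:  denied  { connectto } for  pid=3249 comm="mpd" path="/tmp/pulse-XwfNToZmWlJo/native" scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=(removed) type=SYSCALL msg=audit(1276753825.578:32121): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b5bfee50 a2=440f208 a3=0 items=0 ppid=1 pid=3249 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+)\}.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bsuccess=(?P<success>yes|no)\b"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(lines):
    """Yield one record per AVC line: serial, verdict, perms, stype, ttype, tclass."""
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue
        yield {
            "serial": m.group("serial"),
            "verdict": m.group("verdict"),
            "perms": m.group("perms").split(),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        }


def allow_rules(lines):
    """Collapse denials into one allow rule per (source type, target type, class).

    Permissions keep first-seen order; rules are sorted by source, target and
    class, which is the order in which the report's audit2allow output lists them.
    """
    perms_by_key = {}
    for rec in parse_avc(lines):
        if rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        bucket = perms_by_key.setdefault(key, {})
        for perm in rec["perms"]:
            bucket.setdefault(perm, None)  # dict used as an insertion-ordered set
    rules = []
    for stype, ttype, tclass in sorted(perms_by_key):
        perms = list(perms_by_key[(stype, ttype, tclass)])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def denied_but_completed(lines):
    """Audit serials where an AVC says 'denied' but the SYSCALL says success=yes.

    Under enforcing mode the syscall would have failed, so this combination
    means the source domain was permissive when the record was written,
    which is what the reporter observed for mpd_t.
    """
    denied, succeeded = set(), set()
    for line in lines:
        avc = AVC_RE.search(line)
        if avc and avc.group("verdict") == "denied":
            denied.add(avc.group("serial"))
        sc = SYSCALL_RE.search(line)
        if sc and sc.group("success") == "yes":
            succeeded.add(sc.group("serial"))
    return sorted(denied & succeeded)


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print("\n".join(allow_rules(lines)))
    print("denied but completed (permissive domain):", ", ".join(denied_but_completed(lines)))
```

Run against the report's records it prints the same five rules audit2allow suggested, and flags all four serials as denied-but-completed, which is the mechanical explanation for why setroubleshoot still reported mpd_t as permissive. Note that the rule list only tells you what the process asked for; whether a domain should be granted it (here, a system daemon reaching into a user's home and unconfined sockets) is the policy decision the maintainer makes in Comment 8.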

Comment 1 Miroslav Grepl 2010-06-17 11:28:43 UTC
Martin,
could you send me your mpd.conf and /etc/pulse/daemon.conf

Thanks.

Comment 2 Martin Edlman 2010-06-17 11:56:13 UTC
Hello,

here are my config files - I stripped out comment lines. The PulseAudio config is the original without modifications. mpd is running under my UID (edlman); /var/lib/mpd (and everything inside) is owned by edlman.

I tried to make mpd run under its UID (mpd) according to http://mpd.wikia.com/wiki/PulseAudio but with no success.

-----------------------------------------------------------

# cat /etc/mpd.conf

music_directory                 "/media/data/multimedia/audio"
playlist_directory              "/var/lib/mpd/playlists"
db_file                         "/var/lib/mpd/mpd.db"
log_file                        "/var/lib/mpd/mpd.log"
error_file                      "/var/lib/mpd/mpd.error"
state_file                      "/var/lib/mpd/mpdstate"

#user "mpd"
user "edlman"

zeroconf_enabled                "yes"
zeroconf_name                   "Music Player Worm"

audio_output {
	type "pulse"
	name "PulseAudio Output"
}

audio_output {
	type "shout"
	format "44100:16:2"
	name "Music stream"
	host "worm.fortech.cz"
	port "8000"
	mount "/stream.ogg"
	password "edasovo"
	quality "5"

	user "source"
	description "All kinds of music"
	genre "Everything"
} # end of audio_output

mixer_type                      "software"

-----------------------------------------------------------

# cat /etc/pulse/default.pa

.nofail
.fail

load-module module-device-restore
load-module module-stream-restore
load-module module-card-restore
load-module module-augment-properties

.ifexists module-udev-detect.so
load-module module-udev-detect
.else
load-module module-detect
.endif

.ifexists module-bluetooth-discover.so
load-module module-bluetooth-discover
.endif

.ifexists module-esound-protocol-unix.so
load-module module-esound-protocol-unix
.endif
load-module module-native-protocol-unix

.ifexists module-gconf.so
.nofail
load-module module-gconf
.fail
.endif

load-module module-default-device-restore
load-module module-rescue-streams
load-module module-always-sink
load-module module-intended-roles
load-module module-suspend-on-idle
load-module module-console-kit
load-module module-position-event-sounds
load-module module-cork-music-on-phone

Comment 3 Martin Edlman 2010-06-17 12:04:04 UTC
I forgot to include /etc/pulse/daemon.conf. This file is without modification from installation; all lines are commented out with # or ;, so I won't list it here. Pulseaudio is installed from RPM - pulseaudio-0.9.21-6.fc13.i686.

Comment 4 Miroslav Grepl 2010-06-17 13:24:27 UTC
(In reply to comment #0)
> Hello,
> 
> here's another issue of mpd and pulseaudio. The mpd is (must be) running under
> my UID (edlman) not its default (mpd), otherwise it is not playing at all. I
> don't know if it's problem of SELinux or mpd itself.
> 
> It looks as it's not able to connect to pulseaudio daemon which is running in
> user mode under my UID. Maybe running pulseaudio in system mode would solve the
> problem - I'll try to test it.
> 

Ok, these avc messages are caused by mpd running under your UID.

> 
> allow mpd_t pulseaudio_home_t:file { read write open lock };
> allow mpd_t pulseaudio_home_t:lnk_file read;
> allow mpd_t unconfined_execmem_t:process signull;
> allow mpd_t unconfined_execmem_t:unix_stream_socket connectto;
> allow mpd_t user_tmp_t:sock_file write;

Comment 5 Miroslav Grepl 2010-07-02 17:28:31 UTC
*** Bug 609264 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2010-07-02 17:28:54 UTC
*** Bug 610852 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2010-07-02 17:31:53 UTC
*** Bug 610825 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2010-10-07 14:54:40 UTC
The workaround for MPD which is not running under the mpd user.

# cat > mympd.te << _EOF

policy_module(mympd, 1.0)

require{
 type mpd_t;
}

pulseaudio_manage_home_files(mpd_t)
pulseaudio_setattr_home_dir(mpd_t)
userdom_list_user_tmp(mpd_t)
userdom_write_user_tmp_sockets(mpd_t)
unconfined_stream_connect(mpd_t)

_EOF

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mympd.pp

