Bug 607983 - SELinux is preventing /usr/bin/mpd "read" access on /home/wlan/Music.
Summary: SELinux is preventing /usr/bin/mpd "read" access on /home/wlan/Music.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:862fbd01999...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-25 10:54 UTC by wlan
Modified: 2010-11-02 16:49 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-02 16:49:53 UTC


Attachments (Terms of Use)

Description wlan 2010-06-25 10:54:30 UTC
Summary:

SELinux is preventing /usr/bin/mpd "read" access on /home/wlan/Music.

Detailed Description:

[mpd has a permissive type (mpd_t). This access was not denied.]

SELinux denied access requested by mpd. It is not expected that this access is
required by mpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:mpd_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/wlan/Music [ dir ]
Source                        mpd
Source Path                   /usr/bin/mpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mpd-0.15.8-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux desktop.local 2.6.33.5-124.fc13.x86_64 #1
                              SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 25 Jun 2010 02:37:50 PM SAMT
Last Seen                     Fri 25 Jun 2010 02:37:50 PM SAMT
Local ID                      bd6c81cb-e909-4998-90a1-b671f807f49b
Line Numbers                  

Raw Audit Messages            

node=desktop.local type=AVC msg=audit(1277462270.635:20401): avc:  denied  { read } for  pid=2269 comm="mpd" name="Music" dev=dm-3 ino=131093 scontext=unconfined_u:system_r:mpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

node=desktop.local type=SYSCALL msg=audit(1277462270.635:20401): arch=c000003e syscall=2 success=yes exit=73014444160 a0=7fb5e00008c0 a1=90800 a2=0 a3=11 items=0 ppid=1 pid=2269 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mpd" exe="/usr/bin/mpd" subj=unconfined_u:system_r:mpd_t:s0 key=(null)



Hash String generated from  catchall,mpd,mpd_t,user_home_t,dir,read
audit2allow suggests:

#============= mpd_t ==============
allow mpd_t user_home_t:dir read;

Comment 1 Miroslav Grepl 2010-06-25 11:31:26 UTC
I was thinking about that while I was creating mpd policy. The default location for MPD music is /var/lib/mpd/music directory. But I guess I can add a new boolean for MPD which will allow it.

Comment 2 Daniel Walsh 2010-06-25 17:35:34 UTC
Add a type for this directory and then allow it to read.  Don't add a boolean

type audio_home_t;

Put this in usedom definitions.

Send me a patch....

Comment 3 Miroslav Grepl 2010-06-28 14:14:56 UTC
Fixed in selinux-policy-3.7.19-32.fc13

Comment 4 Fedora Update System 2010-06-30 19:54:54 UTC
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 5 Fedora Update System 2010-07-01 18:48:52 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 6 Fedora Update System 2010-07-06 17:07:12 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 cheery314 2010-09-04 09:27:08 UTC
(In reply to comment #5)
> selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing
> repository.  If problems still persist, please make note of it in this bug
> report.
>  If you want to test the update, you can install it with 
>  su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can
> provide feedback for this update here:
> http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Hi! I tried this, but it did not fix the problem. Now, how do I downgrade back to the non-test SELinux?

Comment 8 Miroslav Grepl 2010-09-06 07:33:36 UTC
(In reply to comment #7)

> 
> Hi! I tried this, but it did not fix the problem.
Does it mean the same problem still persists? What AVC messages are you seeing?

Comment 9 cheery314 2010-09-06 07:41:08 UTC
(In reply to comment #8)
> (In reply to comment #7)
> 
> > 
> > Hi! I tried this, but it did not fix the problem.
> Does it mean the same problem still persists? What AVC messages are you seeing?

Yes. I saw the same errors, along with quite a few others. I have decided to use MPlayer to listen to internet radio instead.

Comment 10 Miroslav Grepl 2010-09-06 07:48:58 UTC
What is your outputs of 

# matchpathcon /home/wlan/Music

and

# rpm -qa selinux-policy-\*


Could you attach these AVC messages. I would like to know where the problem is.

Thanks.

Comment 11 cheery314 2010-09-06 08:09:25 UTC
Not that exactly. I have no folder "/home/wlan/Music". What I mean is, I have the same problem as the user who submitted this.

[silent@TERMINAL-BMRF-9 ~]$ sudo matchpathcon /home/wlan/Music
[sudo] password for silent: 
/home/wlan/Music	unconfined_u:object_r:audio_home_t:s0

[silent@TERMINAL-BMRF-9 ~]$ sudo matchpathcon /home/silent/Audio
/home/silent/Audio	unconfined_u:object_r:user_home_t:s0

[silent@TERMINAL-BMRF-9 ~]$ rpm -qa selinux-policy-\*
selinux-policy-targeted-3.7.19-51.fc13.noarch

Comment 12 Miroslav Grepl 2010-09-06 08:31:42 UTC
Excellent analysis. 

SELinux is all about labels. We allow MPD to read audio content with the "audio_home_t" label in home directories. But you have your audio content labelled as "user_home_t". So you need to set the label.

# chcon -R -t audio_home_t /home/silent/Audio

will fix.


Dan,
I will add

HOME_DIR/Audio(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)

Comment 13 cheery314 2010-09-06 09:03:03 UTC
(In reply to comment #12)
> Excellent analysis. 
> 
> SELinux is all about labels. We allow MPD to read audio content with the
> "audio_home_t" label in home directories. But you have your audio content
> labelled as "user_home_t". So you need to set the label.
> 
> # chcon -R -t audio_home_t /home/silent/Audio
> 
> will fix.
> 
> 
> Dan,
> I will add
> 
> HOME_DIR/Audio(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)

I still can't use MPD. SELinux complains about quite a few things, including pulseaudio. I've never used SELinux before, my last distro was Mint.

Comment 14 Miroslav Grepl 2010-09-06 10:14:34 UTC
Could you send me your /var/log/audit/audit.log?


If you are interested

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
http://danwalsh.livejournal.com/
http://sradvan.fedorapeople.org/SELinux_FAQ/

Comment 15 cheery314 2010-09-06 23:27:40 UTC
Sure.

Comment 16 Daniel Walsh 2010-09-07 16:23:06 UTC
Miroslav what is the standard directory for this?  Is this user defined?

Comment 17 Miroslav Grepl 2010-11-02 16:49:53 UTC
Oops, I missed your question. Anyways, you are right, it is not the standard directory. I was thinking about Music dir, which is the standard dir, but the problem is about Audio dir.


Note You need to log in before you can comment on or make changes to this bug.