Bug 711272 - selinux prevents use of gnome-sound-recorder
Summary: selinux prevents use of gnome-sound-recorder
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Ben Levenson

Reported: 2011-06-07 04:14 UTC by bodhi.zazen
Modified: 2011-06-10 03:04 UTC
Doc Type: Bug Fix
Last Closed: 2011-06-10 03:04:51 UTC


Description bodhi.zazen 2011-06-07 04:14:10 UTC
Description of problem:

selinux prevents use of gnome-sound-recorder if I confine my users with user_u

If I disable selinux (setenforce 0) my users can use gnome-sound-recorder.

I get no alerts or AVC in the logs.

If I then enable selinux (setenforce 1), my users can not use gnome-sound-recorder.


They get this error message if they connect to the alsamixer

alsamixer 
ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect: Connection terminated

cannot open mixer: Connection refused

No AVC denials in the logs.


I looked for silent denials as per this page:

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html

But still no AVC messages after running /usr/sbin/semodule -DB

I also ran
restorecon -R /home/*
restorecon -R /home/User_name

However, if I unconfine the user

semanage login -a -s unconfined_u my_user

the user can then use gnome-sound-recorder.


Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1. Enable selinux, confining users with user_u, start gnome-sound-recorder

Actual results:

gnome-sound-recorder does not use pulse-audio

Expected results:

gnome-sound-recorder works with confined users.

Additional info:

Thank you =)

Comment 1 Miroslav Grepl 2011-06-07 11:13:05 UTC
Try to run

# setsebool user_tcp_server on

and re-test it.

Also

# ps -eZ |grep audit

Comment 2 bodhi.zazen 2011-06-08 02:39:43 UTC
Thank you, but that did not help


root@fedora:~#getsebool -a | grep user_tcp
user_tcp_server --> on

root@fedora:~#ps -eZ | grep audit
system_u:system_r:kernel_t:s0     365 ?        00:00:00 kauditd
system_u:system_r:auditd_t:s0     840 ?        00:00:00 auditd

Comment 3 bodhi.zazen 2011-06-08 03:22:08 UTC
OK, setting that Boolean did fix it, I had to reboot for it to take effect.

One last question if I may: how was I to know to set that particular boolean without a denial / selinux alert / AVC in the logs?

Comment 4 Daniel Walsh 2011-06-10 03:04:51 UTC
You would not know.  You would have to understand that confined users are not allowed to listen on any ports out of the box.  And then know there was a boolean that allowed this access.

If you ran that avc through audit2allow it would have told you of the existence of the boolean, or setroubleshoot should have told you also.


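The report and Comment 4 together describe a diagnosis an administrator has to do by hand: find out which SELinux user a login maps to (`semanage login -l`, including the `__default__` fallback that applies to logins with no explicit mapping), decide whether that user is confined, and check whether the `user_tcp_server` boolean from Comment 1 is on, since a confined user cannot listen on ports without it. The script below is an added example, not part of the bug report or of the selinux-policy package; the `semanage login -l` and `getsebool -a` output layouts it parses are assumed from the Fedora 15 era, and the sample outputs embedded in it are constructed for the example (only the `user_tcp_server` boolean and the `user_u`/`unconfined_u` users come from the page).

```python
"""Triage helper (added example): resolve a login's SELinux user, decide whether
it is confined, and report which boolean from the bug report is still off."""
import getpass
import shutil
import subprocess
from typing import Dict

# Constructed sample of `semanage login -l` output (layout assumed).
SAMPLE_LOGINS = """\
Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
my_user                   unconfined_u              s0
"""

# Constructed sample of `getsebool -a` output; user_tcp_server is the boolean
# from Comment 1, the other two names are filler.
SAMPLE_BOOLEANS = """\
allow_execstack --> on
user_tcp_server --> off
xserver_object_manager --> off
"""

# Booleans a confined (user_u) login needs for the case in this report.
NEEDED_FOR_CONFINED = {
    "user_tcp_server": "lets confined users listen on ports (Comments 1 and 4)",
}


def parse_logins(text: str) -> Dict[str, str]:
    """Map login name -> SELinux user from `semanage login -l` output."""
    mappings: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "Login":  # blank or header line
            continue
        mappings[parts[0]] = parts[1]
    return mappings


def parse_booleans(text: str) -> Dict[str, str]:
    """Map boolean name -> 'on'/'off' from `getsebool -a` output."""
    states: Dict[str, str] = {}
    for line in text.splitlines():
        if "-->" not in line:
            continue
        name, state = (part.strip() for part in line.split("-->", 1))
        states[name] = state
    return states


def seuser_for(login: str, mappings: Dict[str, str]) -> str:
    """Logins without an explicit mapping inherit the __default__ entry."""
    return mappings.get(login, mappings.get("__default__", "unknown"))


def diagnose(login: str, logins_text: str, booleans_text: str) -> dict:
    """Return the SELinux user, confinement status and persistent fix commands."""
    seuser = seuser_for(login, parse_logins(logins_text))
    confined = seuser != "unconfined_u"
    states = parse_booleans(booleans_text)
    missing = [b for b in NEEDED_FOR_CONFINED if states.get(b) != "on"] if confined else []
    # -P stores the value in the policy store, so it survives a reboot.
    fixes = [f"setsebool -P {b} on" for b in missing]
    return {"seuser": seuser, "confined": confined, "missing": missing, "fixes": fixes}


def main() -> None:
    """Use the real tools when present (semanage needs root); else the samples."""
    logins, bools = SAMPLE_LOGINS, SAMPLE_BOOLEANS
    if shutil.which("semanage") and shutil.which("getsebool"):
        lp = subprocess.run(["semanage", "login", "-l"], capture_output=True, text=True)
        bp = subprocess.run(["getsebool", "-a"], capture_output=True, text=True)
        if lp.returncode == 0 and bp.returncode == 0:
            logins, bools = lp.stdout, bp.stdout
    result = diagnose(getpass.getuser(), logins, bools)
    print(f"SELinux user: {result['seuser']} (confined: {result['confined']})")
    for cmd in result["fixes"]:
        print("suggested:", cmd)


if __name__ == "__main__":
    main()
```

If the login is confined and every listed boolean is already on, the next step is the one the reporter took and Comment 4 describes: `semodule -DB` to surface denials hidden by dontaudit rules, then feed the resulting AVC to audit2allow, which names the boolean that would grant the access.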