2015-04-13 15:36:11

by Jason Zaman

Subject: [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock

Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock; this adds the
filetrans rule.

$ start-pulseaudio-x11
W: [autospawn] core-util.c: Failed to create lock file '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
E: [pulseaudio] main.c: Failed to acquire autospawn lock
---
pulseaudio.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/pulseaudio.te b/pulseaudio.te
index 4665af2..648de3a 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
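Review bot: the commit message quotes only pulseaudio's own "Permission denied" warning, not the matching avc: denied record, so a reader cannot confirm from the message that the denial was a file create in a user_tmp_t directory rather than something else; please paste the AVC line into the body. The added `userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")` also only fires when the parent /tmp/pulse-* directory is user_tmp_t, and as the rest of this thread notes that directory is created by whichever client starts the server first and may carry another type, so a sentence recording that limitation in the commit message would save the next person who hits the same warning with a differently labelled directory.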
--
2.0.5


2015-04-13 15:36:12

by Jason Zaman

Subject: [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd

---
snmp.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/snmp.fc b/snmp.fc
index 2f0a2f2..d3db67a 100644
--- a/snmp.fc
+++ b/snmp.fc
@@ -1,5 +1,6 @@
/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)

+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)

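Review bot: the commit body is empty; the subject says an fcontext for snmpd was missing but not what that caused (which domain /usr/sbin/snmpd ended up running in without an snmpd_exec_t entry, and how it was noticed), so please add a sentence or two so the history explains why the entry matters. Since the new `/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)` line sits next to the snmptrap and snmptrapd entries it is easy to see it was simply absent, but the body is where that should be stated.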
--
2.0.5

2015-04-13 15:36:13

by Jason Zaman

Subject: [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts

dnsmasq has the --dhcp-script= option to execute scripts when leases are
given. dnsmasq needs to have shell access to run these.
---
dnsmasq.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/dnsmasq.te b/dnsmasq.te
index e2f8300..b3caf80 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -57,6 +57,8 @@ kernel_read_network_state(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
kernel_request_load_module(dnsmasq_t)

+corecmd_exec_shell(dnsmasq_t)
+
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
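Review bot: `corecmd_exec_shell(dnsmasq_t)` is unconditional, while the commit message justifies it only for deployments that use --dhcp-script=; with this hunk every dnsmasq instance, including ones that never run lease scripts, is allowed to execute a shell. Consider putting the rule behind a tunable (a boolean in a tunable_policy block, as refpolicy does for other optional behaviour) so that installations without lease scripts keep the tighter domain, and note in the commit message which scripts were tested so it is clear that shell execution alone was sufficient for them.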
--
2.0.5

2015-04-13 17:31:55

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock

Doesn't the files_tmp_filetrans for the directory class already ensure that
the /tmp/pulse-* directory is of the right type?
On Apr 13, 2015 6:01 PM, "Jason Zaman" <[email protected]> wrote:

> Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the
> filetrans rule.
>
> $ start-pulseaudio-x11
> W: [autospawn] core-util.c: Failed to create lock file
> '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> E: [pulseaudio] main.c: Failed to acquire autospawn lock
> ---
> pulseaudio.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 4665af2..648de3a 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t,
> pulseaudio_tmp_t)
> manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
> manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> pulseaudio_tmp_t)
> files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> "autospawn.lock")
> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
> "dbus-socket")
> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
> "native")
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

2015-04-13 17:34:03

by Dac Override

Subject: [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock

On Mon, Apr 13, 2015 at 07:31:55PM +0200, Sven Vermeulen wrote:
> Doesn't the files_tmp_filetrans for the directory class already ensure that
> the /tmp/pulse-* directory is of the right type?

Good point. Not everything ends up in that directory though, but I would like to know where exactly that file ends up.

> On Apr 13, 2015 6:01 PM, "Jason Zaman" <[email protected]> wrote:
>
> > Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the
> > filetrans rule.
> >
> > $ start-pulseaudio-x11
> > W: [autospawn] core-util.c: Failed to create lock file
> > '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> > E: [pulseaudio] main.c: Failed to acquire autospawn lock
> > ---
> > pulseaudio.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/pulseaudio.te b/pulseaudio.te
> > index 4665af2..648de3a 100644
> > --- a/pulseaudio.te
> > +++ b/pulseaudio.te
> > @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t)
> > manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
> > manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t)
> > files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> > +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> > "autospawn.lock")
> > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
> > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
> > "dbus-socket")
> > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
> > "native")
> > --
> > 2.0.5
> >


--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

2015-04-13 17:49:37

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock

Meh, my mistake. The directory is written by pulseaudio client applications
and gets the user_tmp_t type. Sorry for the noise.

Wkr,
Sven Vermeulen
On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <[email protected]> wrote:

> Doesn't the files_tmp_filetrans for the directory class already ensure
> that the /tmp/pulse-* directory is of the right type?
> On Apr 13, 2015 6:01 PM, "Jason Zaman" <[email protected]> wrote:
>
>> Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the
>> filetrans rule.
>>
>> $ start-pulseaudio-x11
>> W: [autospawn] core-util.c: Failed to create lock file
>> '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
>> E: [pulseaudio] main.c: Failed to acquire autospawn lock
>> ---
>> pulseaudio.te | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/pulseaudio.te b/pulseaudio.te
>> index 4665af2..648de3a 100644
>> --- a/pulseaudio.te
>> +++ b/pulseaudio.te
>> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t,
>> pulseaudio_tmp_t)
>> manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
>> manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
>> pulseaudio_tmp_t)
>> files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
>> +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
>> "autospawn.lock")
>> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
>> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
>> "dbus-socket")
>> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
>> "native")
>> --
>> 2.0.5
>>

2015-04-13 18:02:30

by Jason Zaman

Subject: [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock

On Mon, Apr 13, 2015 at 07:49:37PM +0200, Sven Vermeulen wrote:
> Meh my mistake. The directory is written by pulseaudio client
> applications and get the user_tmp_t type. Sorry for the noise.

for the record:
$ ls -alZ /tmp/pulse-PKdhtXMmr18n/
total 4
drwx------. 2 jason users staff_u:object_r:user_tmp_t 80 Apr 13 21:51 ./
drwxrwxrwt. 14 root root system_u:object_r:tmp_t 440 Apr 13 21:53 ../
srwxrwxrwx. 1 jason users staff_u:object_r:pulseaudio_tmp_t 0 Apr 13 21:51 native=
-rw-------. 1 jason users staff_u:object_r:pulseaudio_tmp_t 6 Apr 13 21:51 pid

autospawn.lock goes away right after the server is spawned; it's only
there for a short time. Also, the dir does not *have* to be user_tmp_t.
The first program that wants sound will start up pulse (usually it's
gsettings or equivalent though). E.g. if you don't have pulse running and
start YouTube you might get /tmp/pulse-* being mozilla_tmp_t.

-- Jason

> Wkr,
> Sven Vermeulen
>
> On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <[email protected]> wrote:
>
> Doesn't the files_tmp_filetrans for the directory class already
> ensure that the /tmp/pulse-* directory is of the right type?
>
> On Apr 13, 2015 6:01 PM, "Jason Zaman" <[email protected]> wrote:
>
> Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds
> the
> filetrans rule.
> $ start-pulseaudio-x11
> W: [autospawn] core-util.c: Failed to create lock file
> '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> E: [pulseaudio] main.c: Failed to acquire autospawn lock
> ---
> ? pulseaudio.te | 1 +
> ? 1 file changed, 1 insertion(+)
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 4665af2..648de3a 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t,
> pulseaudio_tmp_t, pulseaudio_tmp_t)
> ? manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> pulseaudio_tmp_t)
> ? manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> pulseaudio_tmp_t)
> ? files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> "autospawn.lock")
> ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> "pid")
> ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> sock_file, "dbus-socket")
> ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> sock_file, "native")
> --
> 2.0.5

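The label check Jason's `ls -alZ` output above is doing by eye, written out as an added example (this is not code from the thread or from refpolicy): a small POSIX shell script that parses an `ls -alZ` listing of a /tmp/pulse-* directory, reports the type of the directory itself, says whether the user_tmp_t parent type that `userdom_user_tmp_filetrans()` keys on is actually present, and lists entries that did not get pulseaudio_tmp_t. The first listing is constructed to match the one Jason pasted plus one constructed extra row (a leftover autospawn.lock still labelled user_tmp_t) to show what a missed transition looks like; the second listing is constructed for the mozilla_tmp_t case he describes. The assumed field layout is that of `ls -alZ` (context in the fifth column); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the refpolicy patch or the thread.
# Parses `ls -alZ` output for a /tmp/pulse-* directory and checks the
# SELinux labels the pulseaudio_t filetrans rules depend on.

# Constructed listing modelled on Jason's output, plus a constructed
# autospawn.lock row that did NOT transition to pulseaudio_tmp_t.
SAMPLE_LISTING='total 4
drwx------. 2 jason users staff_u:object_r:user_tmp_t 80 Apr 13 21:51 ./
drwxrwxrwt. 14 root root system_u:object_r:tmp_t 440 Apr 13 21:53 ../
srwxrwxrwx. 1 jason users staff_u:object_r:pulseaudio_tmp_t 0 Apr 13 21:51 native=
-rw-------. 1 jason users staff_u:object_r:pulseaudio_tmp_t 6 Apr 13 21:51 pid
-rw-------. 1 jason users staff_u:object_r:user_tmp_t 0 Apr 13 21:51 autospawn.lock'

# Constructed listing for the case Jason describes: a browser created the
# directory first, so it carries mozilla_tmp_t instead of user_tmp_t.
SAMPLE_LISTING_MOZILLA='total 4
drwx------. 2 jason users staff_u:object_r:mozilla_tmp_t 60 Apr 13 21:51 ./
drwxrwxrwt. 14 root root system_u:object_r:tmp_t 440 Apr 13 21:53 ../
srwxrwxrwx. 1 jason users staff_u:object_r:pulseaudio_tmp_t 0 Apr 13 21:51 native='

# Parent directory type that userdom_user_tmp_filetrans() keys on.
EXPECTED_DIR_TYPE=user_tmp_t
# Type the pulseaudio.te rules give entries pulseaudio_t creates in there.
EXPECTED_ENTRY_TYPE=pulseaudio_tmp_t

# pulse_dir_type LISTING -> SELinux type of the directory itself (the "./"
# row). In `ls -alZ` output the context user:role:type[:range] is field 5.
pulse_dir_type() {
    printf '%s\n' "$1" | awk 'NF >= 9 && $NF == "./" { split($5, c, ":"); print c[3] }'
}

# transition_applies LISTING -> "yes" when the parent directory has the type
# the name-based transition expects, otherwise "no".
transition_applies() {
    if [ "$(pulse_dir_type "$1")" = "$EXPECTED_DIR_TYPE" ]; then
        echo yes
    else
        echo no
    fi
}

# mislabeled_entries LISTING -> names of entries (excluding ./ and ../) whose
# type is not pulseaudio_tmp_t, one per line; empty output means all is well.
mislabeled_entries() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_ENTRY_TYPE" '
        NF < 9 { next }                       # "total N" header and junk
        $NF == "./" || $NF == "../" { next }  # the directory and its parent
        { split($5, c, ":"); if (c[3] != want) print $NF }
    '
}

# report LABEL LISTING -> human-readable summary of one listing.
report() {
    printf '%s: dir type=%s, name transition applies=%s\n' \
        "$1" "$(pulse_dir_type "$2")" "$(transition_applies "$2")"
    mislabeled_entries "$2" | sed 's/^/  not pulseaudio_tmp_t: /'
}

report "user_tmp_t dir" "$SAMPLE_LISTING"
report "mozilla_tmp_t dir" "$SAMPLE_LISTING_MOZILLA"
```

On a real system the same functions can be fed `"$(ls -alZ /tmp/pulse-*/)"`; the point of the two constructed listings is that the "applies" answer flips with the parent directory's type, which is exactly the fragility the thread is discussing.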
2015-04-13 18:05:29

by Dac Override

Subject: [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock

On Mon, Apr 13, 2015 at 10:02:30PM +0400, Jason Zaman wrote:
> On Mon, Apr 13, 2015 at 07:49:37PM +0200, Sven Vermeulen wrote:
> > Meh my mistake. The directory is written by pulseaudio client
> > applications and get the user_tmp_t type. Sorry for the noise.
>
> for the record:
> $ ls -alZ /tmp/pulse-PKdhtXMmr18n/
> total 4
> drwx------. 2 jason users staff_u:object_r:user_tmp_t 80 Apr 13 21:51 ./
> drwxrwxrwt. 14 root root system_u:object_r:tmp_t 440 Apr 13 21:53 ../
> srwxrwxrwx. 1 jason users staff_u:object_r:pulseaudio_tmp_t 0 Apr 13 21:51 native=
> -rw-------. 1 jason users staff_u:object_r:pulseaudio_tmp_t 6 Apr 13 21:51 pid
>
> autolock.spawn goes away right after the server is spawned, its only
> there for a short time. Also, the dir does not *have* to be user_tmp_t.
> The first program that wants sound will start up pulse (usually its
> gsettings or equivalent tho). eg if you dont have pulse running and
> start youtube you might get /tmp/pulse-* being mozilla_tmp_t.
>

Yes, it's fragile, no doubt.

Move it to XDG_RUNTIME_DIR, which allows you to get rid of the random suffix, then implement a name-based tt for the "pulse" dir there.

> -- Jason
>
> > Wkr,
> > Sven Vermeulen
> >
> > On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <[email protected]> wrote:
> >
> > Doesn't the files_tmp_filetrans for the directory class already
> > ensure that the /tmp/pulse-* directory is of the right type?
> >
> > On Apr 13, 2015 6:01 PM, "Jason Zaman" <[email protected]> wrote:
> >
> > Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds
> > the
> > filetrans rule.
> > $ start-pulseaudio-x11
> > W: [autospawn] core-util.c: Failed to create lock file
> > '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> > E: [pulseaudio] main.c: Failed to acquire autospawn lock
> > ---
> > ? pulseaudio.te | 1 +
> > ? 1 file changed, 1 insertion(+)
> > diff --git a/pulseaudio.te b/pulseaudio.te
> > index 4665af2..648de3a 100644
> > --- a/pulseaudio.te
> > +++ b/pulseaudio.te
> > @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t,
> > pulseaudio_tmp_t, pulseaudio_tmp_t)
> > ? manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t)
> > ? manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t)
> > ? files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> > +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> > "autospawn.lock")
> > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> > "pid")
> > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> > sock_file, "dbus-socket")
> > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> > sock_file, "native")
> > --
> > 2.0.5


2015-04-13 19:32:14

by Dac Override

Subject: [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock

On Mon, Apr 13, 2015 at 07:36:11PM +0400, Jason Zaman wrote:
> Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the
> filetrans rule.
>
> $ start-pulseaudio-x11
> W: [autospawn] core-util.c: Failed to create lock file '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> E: [pulseaudio] main.c: Failed to acquire autospawn lock

The pulseaudio policy is fragile, granted, but this rule makes sense to me. Merged, thanks.

> ---
> pulseaudio.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 4665af2..648de3a 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
> manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
> manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
> files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
> --
> 2.0.5
>


2015-04-13 19:32:59

by Dac Override

Subject: [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd

On Mon, Apr 13, 2015 at 07:36:12PM +0400, Jason Zaman wrote:

Thanks. Merged.

> ---
> snmp.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/snmp.fc b/snmp.fc
> index 2f0a2f2..d3db67a 100644
> --- a/snmp.fc
> +++ b/snmp.fc
> @@ -1,5 +1,6 @@
> /etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
>
> +/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
> /usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
> /usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
>
> --
> 2.0.5
>


2015-04-13 19:33:34

by Dac Override

Subject: [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts

On Mon, Apr 13, 2015 at 07:36:13PM +0400, Jason Zaman wrote:
> dnsmasq has the --dhcp-script= option to execute scripts when leases are
> given. dnsmasq needs to have shell access to run these.

Thanks. Merged.

> ---
> dnsmasq.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/dnsmasq.te b/dnsmasq.te
> index e2f8300..b3caf80 100644
> --- a/dnsmasq.te
> +++ b/dnsmasq.te
> @@ -57,6 +57,8 @@ kernel_read_network_state(dnsmasq_t)
> kernel_read_system_state(dnsmasq_t)
> kernel_request_load_module(dnsmasq_t)
>
> +corecmd_exec_shell(dnsmasq_t)
> +
> corenet_all_recvfrom_unlabeled(dnsmasq_t)
> corenet_all_recvfrom_netlabel(dnsmasq_t)
> corenet_tcp_sendrecv_generic_if(dnsmasq_t)
> --
> 2.0.5
>
