2012-09-18 11:07:07

by Laurent Bigonville

Subject: [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t

Hi,

With the git HEAD of the refpolicy compiled with TYPE = standard and
both UBAC = y and UBAC = n, I'm getting the following error:

type=SELINUX_ERR msg=audit(1347477364.713:4557): security_compute_sid:
invalid context unconfined_u:system_r:pulseaudio_t for
scontext=unconfined_u:system_r:pulseaudio_t
tcontext=unconfined_u:system_r:pulseaudio_t tclass=unix_stream_socket

This is causing pulseaudio to fail to start (due to dbus not being
happy) even in permissive mode:

Failed to connect to system bus: An SELinux policy prevents this sender
from sending this message to this recipient, 0 matched rules;
type="method_call", sender="(null)" (inactive)
interface="org.freedesktop.DBus" member="Hello" error name="(unset)"
requested_reply="0" destination="org.freedesktop.DBus" (bus)

Running pulseaudio unconfined is obviously allowing it to start.

Any idea?

Cheers

Laurent Bigonville


2012-09-19 10:30:03

by Laurent Bigonville

Subject: [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t

On Tue, 18 Sep 2012 13:07:07 +0200,
Laurent Bigonville <[email protected]> wrote:

> Hi,
>
> With the git HEAD of the refpolicy compiled with TYPE = standard and
> both UBAC = y and UBAC = n, I'm getting the following error:
>
> type=SELINUX_ERR msg=audit(1347477364.713:4557): security_compute_sid:
> invalid context unconfined_u:system_r:pulseaudio_t for
> scontext=unconfined_u:system_r:pulseaudio_t
> tcontext=unconfined_u:system_r:pulseaudio_t tclass=unix_stream_socket

OK so this has been fixed by adding the system_r role to the
unconfined_u user. It seems that Fedora is already doing this, any
reason it's not in the refpolicy?

Also, pulse audio is now running:

unconfined_u:system_r:pulseaudio_t:s0-s0:c0.c1023 bigon 3820 0.0 0.1 304728 6716 ? S<l 00:13 0:01 /usr/bin/pulseaudio --start --log-target=syslog

Do we also want to have pulseaudio transition to its own context when
started in the user session?
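
Added example (not part of the original messages, and not refpolicy code): a small Python model of the check behind the SELINUX_ERR record above. A context is valid only if the user is authorized for the role and the role for the type, which is why adding system_r to unconfined_u clears the error. The USER_ROLES and ROLE_TYPES tables are constructed for illustration, not dumped from a real policy, and the MLS range check is not modelled.

```python
import re

# The SELINUX_ERR record quoted in the thread, joined onto one line.
RECORD = (
    "type=SELINUX_ERR msg=audit(1347477364.713:4557): security_compute_sid: "
    "invalid context unconfined_u:system_r:pulseaudio_t for "
    "scontext=unconfined_u:system_r:pulseaudio_t "
    "tcontext=unconfined_u:system_r:pulseaudio_t tclass=unix_stream_socket"
)

# Constructed policy model (assumption): which roles each SELinux user may
# hold, and which types each role may hold.
USER_ROLES = {"unconfined_u": {"unconfined_r"}, "system_u": {"system_r"}}
ROLE_TYPES = {
    "unconfined_r": {"unconfined_t"},
    "system_r": {"initrc_t", "system_dbusd_t", "pulseaudio_t"},
}


def parse_invalid_context(record):
    """Return (user, role, type) from a security_compute_sid error, or None."""
    m = re.search(r"security_compute_sid:\s+invalid context (\S+)", record)
    if not m:
        return None
    parts = m.group(1).split(":")
    # Fields after the type are the optional MLS level/range.
    return tuple(parts[:3]) if len(parts) >= 3 else None


def context_problems(user, role, type_, user_roles=USER_ROLES, role_types=ROLE_TYPES):
    """List every user-role / role-type authorization the context violates."""
    problems = []
    if role not in user_roles.get(user, set()):
        problems.append(f"user {user} is not authorized for role {role}")
    if type_ not in role_types.get(role, set()):
        problems.append(f"role {role} is not authorized for type {type_}")
    return problems


def add_role(user_roles, user, role):
    """Return a copy of the user->roles table with one more role for user."""
    fixed = {u: set(r) for u, r in user_roles.items()}
    fixed.setdefault(user, set()).add(role)
    return fixed


if __name__ == "__main__":
    ctx = parse_invalid_context(RECORD)
    print("before:", context_problems(*ctx))
    fixed = add_role(USER_ROLES, "unconfined_u", "system_r")
    print("after: ", context_problems(*ctx, user_roles=fixed))
```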

2012-09-20 13:04:15

by cpebenito

Subject: [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t

On 09/19/12 06:30, Laurent Bigonville wrote:
> On Tue, 18 Sep 2012 13:07:07 +0200,
> Laurent Bigonville <[email protected]> wrote:
>
>> Hi,
>>
>> With the git HEAD of the refpolicy compiled with TYPE = standard and
>> both UBAC = y and UBAC = n, I'm getting the following error:
>>
>> type=SELINUX_ERR msg=audit(1347477364.713:4557): security_compute_sid:
>> invalid context unconfined_u:system_r:pulseaudio_t for
>> scontext=unconfined_u:system_r:pulseaudio_t
>> tcontext=unconfined_u:system_r:pulseaudio_t tclass=unix_stream_socket
>
> OK so this has been fixed by adding the system_r role to the
> unconfined_u user. It seems that Fedora is already doing this, any
> reason it's not in the refpolicy?
>
> Also, pulse audio is now running:
>
> unconfined_u:system_r:pulseaudio_t:s0-s0:c0.c1023 bigon 3820 0.0 0.1 304728 6716 ? S<l 00:13 0:01 /usr/bin/pulseaudio --start --log-target=syslog
>
> Do we also want to have pulseaudio transition to its own context when
> started in the user session?

I'm no expert in pulseaudio, but I suppose it could make sense. The transitions to pulseaudio_t are from initrc_t, mozilla_t, and system_dbusd_t right now.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-20 13:15:28

by Laurent Bigonville

Subject: [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t

On Thu, 20 Sep 2012 09:04:15 -0400,
"Christopher J. PeBenito" <[email protected]> wrote:

> On 09/19/12 06:30, Laurent Bigonville wrote:
> > On Tue, 18 Sep 2012 13:07:07 +0200,
> > Laurent Bigonville <[email protected]> wrote:
> >
> > unconfined_u:system_r:pulseaudio_t:s0-s0:c0.c1023 bigon 3820 0.0
> > 0.1 304728 6716 ? S<l 00:13 0:01 /usr/bin/pulseaudio --start
> > --log-target=syslog
> >
> > Do we also want to have pulseaudio transition to its own context
> > when started in the user session?
>
> I'm no expert in pulseaudio, but I suppose it could make sense. The
> transitions to pulseaudio_t are from initrc_t, mozilla_t, and
> system_dbusd_t right now.
>

I meant this is already happening now, with the current version of the
policy. unconfined_t is also transitioning to pulseaudio_t.

And the role is also transitioning from unconfined_r to system_r which
leads to my other question about adding the system_r role to the
unconfined user (which is the case in fedora policy).

Cheers

Laurent Bigonville

2012-09-21 14:49:27

by Daniel Walsh

Subject: [refpolicy] security_compute_sid: invalid context unconfined_u:system_r:pulseaudio_t

On 09/20/2012 09:15 AM, Laurent Bigonville wrote:
> On Thu, 20 Sep 2012 09:04:15 -0400, "Christopher J. PeBenito"
> <[email protected]> wrote:
>
>> On 09/19/12 06:30, Laurent Bigonville wrote:
>>> On Tue, 18 Sep 2012 13:07:07 +0200, Laurent Bigonville
>>> <[email protected]> wrote:
>>>
>>> unconfined_u:system_r:pulseaudio_t:s0-s0:c0.c1023 bigon 3820 0.0 0.1
>>> 304728 6716 ? S<l 00:13 0:01 /usr/bin/pulseaudio --start
>>> --log-target=syslog
>>>
>>> Do we also want to have pulseaudio transition to its own context when
>>> started in the user session?
>>
>> I'm no expert in pulseaudio, but I suppose it could make sense. The
>> transitions to pulseaudio_t are from initrc_t, mozilla_t, and
>> system_dbusd_t right now.
>>
>
> I meant this is already happening now, with the current version of the
> policy. unconfined_t is also transitioning to pulseaudio_t.
>
> And the role is also transitioning from unconfined_r to system_r which leads
> to my other question about adding the system_r role to the unconfined user
> (which is the case in fedora policy).
>
> Cheers
>
> Laurent Bigonville
>


unconfined_t is transitioning to a domain running as system_r which later
transitions to pulseaudio_t

On F18, I find.

setrans unconfined_t pulseaudio_t
unconfined_t --> xserver_t --> insmod_t --> initrc_t --> pulseaudio_t
unconfined_t --> initrc_t --> pulseaudio_t


