Tom London wrote:
> On 10/9/07, Tom London <selinux@xxxxxxxxx> wrote:
>> On 9/25/07, Bill Nottingham <notting@xxxxxxxxxx> wrote:
>>> Tom London (selinux@xxxxxxxxx) said:
>>>> Running latest rawhide, targeted enforcing.
>>>>
>>>> Booting up, udev (90-alsa.rules) runs /sbin/salsa to read
>>>> /var/lib/alsa/asound.state.
>>> Don't fix this in policy, that's just broken in alsa.
>>>
>>> You can't save mixer settings there, as /var may not be mounted when
>>> this runs. *Sigh*
>>>
>>> Bill
>>>
>> More 'sigh':
>>
>> Booting in permissive mode now produces:
>>
>> Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc:
>> denied { read } for pid=1553 comm="alsactl" name="asound.state"
>> dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
>> Oct 9 07:08:33 localhost kernel: audit(1191938899.844:4): avc:
>> denied { getattr } for pid=1553 comm="alsactl"
>> path="/etc/alsa/asound.state" dev=dm-0 ino=11076536
>> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
>>
>> Not 100% sure why this now is reported against alsactl (instead of
>> salsa); and shouldn't alsactl be running in 'alsa_t'?
>>
>> I did make one change to 90-alsa.rules: I changed 'RUN+="/sbin/salsa"'
>> to RUN+="/sbin/salsa -l" on both ControlC* and pcm* lines. Not sure if
>> that 'broke something'.
>>
>
> I've managed to 'make sound come up on boot' by doing the following:
>
> 1. Change the 90-alsa.rules entry to:
> SUBSYSTEM=="sound", KERNEL=="controlC*" RUN+="/sbin/salsa -l %n"
> SUBSYSTEM=="sound", KERNEL=="pcm*" RUN+="/sbin/salsa"
>
> [Not sure if the changes to the first line or if the second line are
> really needed.....]
>
> 2. Added the following 'local' policy:
>
> module fixsalsa 1.0;
>
> require {
>         type udev_t;
>         type alsa_etc_rw_t;
>         class file { read getattr };
> }
>
> #============= udev_t ==============
> allow udev_t alsa_etc_rw_t:file { read getattr };
>
> System now boots without AVCs in either /var/log/messages or
> /var/log/audit/audit.log, and sound is properly saved on shutdown and
> restored on boot.
>
> I am a bit confused, since /sbin/salsa is alsa_exec_t, so shouldn't
> udev_t transition to alsa_t?
>
> tom

It should now. policy 3.0.8-22 at least

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
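Added example (not part of the original thread, and not audit2allow's own code): a small Python parser that turns AVC denials like the two quoted above into grouped allow rules, and reports which command triggered each rule so a reviewer can see when a process such as alsactl is still running in the caller's domain (udev_t) instead of its own. The function names are hypothetical, and the sample log is the thread's two denials rejoined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the thread, with the
# mail-wrapped lines rejoined so each record sits on one line.
SAMPLE_LOG = """\
Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: denied { read } for pid=1553 comm="alsactl" name="asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Oct 9 07:08:33 localhost kernel: audit(1191938899.844:4): avc: denied { getattr } for pid=1553 comm="alsactl" path="/etc/alsa/asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # A context is user:role:type[:mls-range]; the type is the third field.
    src = fields.get("scontext", "").split(":")
    tgt = fields.get("tcontext", "").split(":")
    if len(src) < 3 or len(tgt) < 3 or "tclass" not in fields:
        return None  # truncated record: do not guess the missing parts
    fields.update(source_type=src[2], target_type=tgt[2], perms=m.group(1).split())
    return fields

def allow_rules(log_text):
    """Merge denials per (source, target, class) into (rule, commands) pairs."""
    perms = defaultdict(set)
    comms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            perms[key].update(rec["perms"])
            comms[key].add(rec.get("comm", "?"))
    return [
        (f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};", sorted(comms[(s, t, c)]))
        for (s, t, c), p in sorted(perms.items())
    ]

if __name__ == "__main__":
    for rule, commands in allow_rules(SAMPLE_LOG):
        # The command list shows which binary ran in the source domain.
        print(rule, "# triggered by:", ", ".join(commands))
```
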