On Mon, 2013-12-09 at 19:28 +0000, fedorauser wrote:
> It doesn't seem to work in permissive mode either.
>
> There is no ~/.pulse in my home.
>

I've been playing with this a bit and this quick and dirty hack "fixed"
it for me:

# quote the delimiter so the shell leaves the m4 backtick in gen_require alone
cat > mysand.te <<'EOF'
policy_module(mysand, 1.0.0)

gen_require(`
	type sandbox_web_client_t;
')

# let the sandboxed process change its own capability set
allow sandbox_web_client_t self:process setcap;
# let it probe other processes with signal 0 (existence check)
application_signull(sandbox_web_client_t)
# tolerate a role/system change while staying in the sandbox domain
domain_role_change_exemption(sandbox_web_client_t)
domain_system_change_exemption(sandbox_web_client_t)
allow sandbox_web_client_t self:process transition;
# allow the sandbox domain to run under the system_r role
role system_r types sandbox_web_client_t;
EOF

make -f /usr/share/selinux/devel/Makefile mysand.pp
sudo semodule -i mysand.pp

Couple of comments:

- Not sure if the "domain_role_change_exemption(sandbox_web_client_t)" is
  actually needed, but I guess it would make sense if it does.

- I don't know why pulseaudio is determined to run with the system_r role,
  but I suspect it may be started by the dbus system bus? (In other distros,
  and in refpolicy, pulseaudio just runs with the user role.)

- This is just a dirty hack. You might want to create a different sandbox
  with this functionality instead of extending the existing
  sandbox_web_client_t one like I did in my example. To see how you can
  create custom sandbox policies:
  https://www.youtube.com/watch?v=0PaNlkjXrWk

- Make sure to restart your sandbox after you have loaded this policy.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux