On Tue, 2013-12-10 at 08:56 -0500, Daniel J Walsh wrote:

> > > Could you see if you are getting AVCs?
> > ausearch -m avc -ts recent
>

firefox runs pulseaudio, but since there is a role_transition from unconfined_r to system_r via pulseaudio_exec_t specified, the following related avc denials/selinux_errs occur:

> type=AVC msg=audit(1386626727.085:4005): avc: denied { transition } for pid=3064 comm="firefox" path="/usr/bin/pulseaudio" dev="dm-0" ino=2109429 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
> type=SELINUX_ERR msg=audit(1386626727.085:4005): security_compute_sid: invalid context unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 for scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=process

If you allow the above with:

> domain_system_change_exemption(sandbox_web_client_t)
> allow sandbox_web_client_t self:process transition;
> role system_r types sandbox_web_client_t;

Things still fail. Mainly due to:

> type=AVC msg=audit(1386626727.097:4007): avc: denied { setcap } for pid=3064 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process

If you allow the above with:

> allow sandbox_web_client_t self:process setcap;

Then things start to work slowly. But this will expose the usual pulseaudio related events, like for example:

> type=AVC msg=audit(1386626727.119:4010): avc: denied { signull } for pid=3068 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process

Which you can allow with:

application_signull(sandbox_web_client_t)

In refpolicy we added a pulseaudio_client type attribute that allows pulseaudio_clients to send null signals to each other, amongst other things. This enables us to narrow the null signals down a bit. However, I have not yet created an interface that associates the caller with this type attribute. Instead it is only associated to pulseaudio_t.

Finally one needs to deal with the pulseaudio ipc:

> type=AVC msg=audit(1386630028.070:4182): avc: denied { read } for pid=933 comm="plugin-containe" name="pulse-shm-714554573" dev="tmpfs" ino=56617860 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file

In refpolicy we deal with this by associating the pulseaudio_tmpfsfile type attribute to pulseaudio tmpfs related file types. There is an interface in refpolicy that can be used for this:

> ########################################
> ## <summary>
> ##	Make the specified tmpfs file type
> ##	pulseaudio tmpfs content.
> ## </summary>
> ## <param name="file_type">
> ##	<summary>
> ##	File type to make pulseaudio tmpfs content.
> ##	</summary>
> ## </param>
> #
> interface(`pulseaudio_tmpfs_content',`
> 	gen_require(`
> 		attribute pulseaudio_tmpfsfile;
> 	')
>
> 	typeattribute $1 pulseaudio_tmpfsfile;
> ')

That will allow all "pulseaudio_client" to read, delete etc. all pulseaudio_tmpfiles.

I do not know why you decided to add a role transition from unconfined_r to system_r via pulseaudio_t. I suspect it may have to do with the fact that pulseaudio can also be configured as a system service and that this caused you to add the role transition, since else you would get into conflict with the init_run_daemon(unconfined_t).

In refpolicy we currently do not support pulseaudio as a system service, but if we do then we will probably create a system_pulseaudio_t and a session_pulseaudio_t so that we avoid conflict with roles and such.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
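An added example, not part of the thread or of refpolicy: a small Python parser for the AVC records quoted in the message that derives, for each denial, the allow statement in the form the message uses and, when a process transition changes role (unconfined_r to system_r above), the `role ... types ...;` statement that the message shows is needed before the new context is valid. The function names `split_context`, `parse_avc`, `suggest_rules` and `analyse` are my own, and the sample input is three of the records quoted above.

```python
import re

# Three AVC records quoted in the message above, embedded here as sample input.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1386626727.085:4005): avc: denied { transition } for pid=3064 comm="firefox" path="/usr/bin/pulseaudio" dev="dm-0" ino=2109429 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
type=AVC msg=audit(1386626727.097:4007): avc: denied { setcap } for pid=3064 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
type=AVC msg=audit(1386626727.119:4010): avc: denied { signull } for pid=3068 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """Split user:role:type[:range]; the MCS range may itself contain ':' (s0-s0:c0.c1023)."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": rest[0] if rest else ""}

def parse_avc(line):
    """Fields of one 'avc: denied' record, or None for any other audit record (e.g. SELINUX_ERR)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": m.group("perms").split(), "tclass": m.group("tclass"),
            "source": split_context(m.group("scontext")),
            "target": split_context(m.group("tcontext"))}

def suggest_rules(rec):
    """Policy statements the denial asks for. A process transition into a different role also
    needs that role authorised for the target type, or security_compute_sid rejects the context."""
    src, tgt = rec["source"], rec["target"]
    rules = []
    if "transition" in rec["perms"] and src["role"] != tgt["role"]:
        rules.append(f"role {tgt['role']} types {tgt['type']};")
    target = "self" if src["type"] == tgt["type"] else tgt["type"]
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ " + " ".join(rec["perms"]) + " }"
    rules.append(f"allow {src['type']} {target}:{rec['tclass']} {perms};")
    return rules

def analyse(text):
    """Collect the suggested statements for every AVC record in an ausearch dump, in order."""
    rules = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules.extend(suggest_rules(rec))
    return rules
```

For the signull record the raw allow rule is what comes out; as the message notes, the refpolicy way is the `application_signull()` interface (or a pulseaudio_client attribute) rather than a type-to-type rule.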