On 12/10/19 at 17:52, Chris PeBenito wrote:
On 10/11/19 8:24 AM, Laurent Bigonville wrote:
From: Laurent Bigonville <bigon@xxxxxxxx>
When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid), that needs to be allowed
----
time->Sun Oct 6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc: denied { write open }
for pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs"
ino=25882 scontext=system_u:system_r:alsa_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc: denied { create } for
pid=804 comm="alsactl" name="alsactl.pid"
scontext=system_u:system_r:alsa_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc: denied { open } for
pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882
scontext=system_u:system_r:alsa_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc: denied { read } for
pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882
scontext=system_u:system_r:alsa_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc: denied { unlink } for
pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882
scontext=system_u:system_r:alsa_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Signed-off-by: Laurent Bigonville <bigon@xxxxxxxx>
---
policy/modules/admin/alsa.fc | 1 +
policy/modules/admin/alsa.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 75ea9ebf..16ccb7ca 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc --
gen_context(system_u:object_r:alsa_home_t,s0)
/etc/asound\.conf --
gen_context(system_u:object_r:alsa_etc_t,s0)
/run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
+/run/alsactl.pid --
gen_context(system_u:object_r:alsa_runtime_t,s0)
Needs escaping ( \.pid )
It's fixed in the GitHub merge request.
Do you think that you could already merge all the patches of the series
except the colord one?
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsactl --
gen_context(system_u:object_r:alsa_exec_t,s0)
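Review bot: the new entry `/run/alsactl.pid --` needs the dot escaped, as `/run/alsactl\.pid --`, to follow the regular-expression convention of the neighbouring entries (`HOME_DIR/\.asoundrc`, `/etc/asound\.conf`); an unescaped `.` matches any character, so the pattern is wider than intended. The entry itself is still needed, because the existing `/run/alsa(/.*)?` pattern covers only `/run/alsa` and paths beneath it, not `/run/alsactl.pid`.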
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index e567dd32..9d053c4d 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
can_exec(alsa_t, alsa_exec_t)
allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:file manage_file_perms;
allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
-files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
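Review bot: `files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })` makes every file alsa_t creates directly in /run transition to alsa_runtime_t, not only alsactl.pid; if the intent is to label just the pidfile, the interface's optional name argument (`files_pid_filetrans(alsa_t, alsa_runtime_t, file, "alsactl.pid")`) keeps the transition limited to that name. The added `allow alsa_t alsa_runtime_t:file manage_file_perms;` covers all the permissions denied in the AVCs above (create, read, write, open, unlink) and is consistent with the existing `manage_dir_perms` and `manage_lnk_file_perms` rules, though it grants more than those five permissions.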