Running latest rawhide, targeted enforcing.
Booting up, udev (90-alsa.rules) runs /sbin/salsa to read /var/lib/alsa/asound.state.
Get these in /var/log/messages:
Sep 25 06:48:13 localhost kernel: audit(1190728078.763:6): avc: denied { read } for pid=1789 comm="salsa" name="asound.state" dev=dm-0 ino=688429 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=file
Sep 25 06:55:25 localhost kernel: audit(1190728512.708:5): avc: denied { getattr } for pid=1793 comm="salsa" path="/var/lib/alsa/asound.state" dev=dm-0 ino=688429 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=file
tom
[Sorry if I incompletely reported this before, since policy now allows the directory to be read. There was a change in alsa-utils that mistakenly moved 'salsa' to /bin/salsa, so I stopped getting AVCs. alsa-utils is fixed now.]
Tom London (selinux@gmail.com) said:
Running latest rawhide, targeted enforcing.
Booting up, udev (90-alsa.rules) runs /sbin/salsa to read /var/lib/alsa/asound.state.
Don't fix this in policy, that's just broken in alsa.
You can't save mixer settings there, as /var may not be mounted when this runs. *Sigh*
Bill
On 9/25/07, Bill Nottingham notting@redhat.com wrote:
Tom London (selinux@gmail.com) said:
Running latest rawhide, targeted enforcing.
Booting up, udev (90-alsa.rules) runs /sbin/salsa to read /var/lib/alsa/asound.state.
Don't fix this in policy, that's just broken in alsa.
You can't save mixer settings there, as /var may not be mounted when this runs. *Sigh*
Bill
More 'sigh':
Booting in permissive mode now produces:
Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: denied { read } for pid=1553 comm="alsactl" name="asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Oct 9 07:08:33 localhost kernel: audit(1191938899.844:4): avc: denied { getattr } for pid=1553 comm="alsactl" path="/etc/alsa/asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Not 100% sure why this now is reported against alsactl (instead of salsa); and shouldn't alsactl be running in 'alsa_t'?
I did make one change to 90-alsa.rules: I changed 'RUN+="/sbin/salsa"' to RUN+="/sbin/salsa -l" on both ControlC* and pcm* lines. Not sure if that 'broke something'.
tom
On 10/9/07, Tom London selinux@gmail.com wrote:
On 9/25/07, Bill Nottingham notting@redhat.com wrote:
Tom London (selinux@gmail.com) said:
Running latest rawhide, targeted enforcing.
Booting up, udev (90-alsa.rules) runs /sbin/salsa to read /var/lib/alsa/asound.state.
Don't fix this in policy, that's just broken in alsa.
You can't save mixer settings there, as /var may not be mounted when this runs. *Sigh*
Bill
More 'sigh':
Booting in permissive mode now produces:
Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: denied { read } for pid=1553 comm="alsactl" name="asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Oct 9 07:08:33 localhost kernel: audit(1191938899.844:4): avc: denied { getattr } for pid=1553 comm="alsactl" path="/etc/alsa/asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Not 100% sure why this now is reported against alsactl (instead of salsa); and shouldn't alsactl be running in 'alsa_t'?
I did make one change to 90-alsa.rules: I changed 'RUN+="/sbin/salsa"' to RUN+="/sbin/salsa -l" on both ControlC* and pcm* lines. Not sure if that 'broke something'.
I've managed to 'make sound come up on boot' by doing the following:
1. Change the 90-alsa.rules entry to:
    SUBSYSTEM=="sound", KERNEL=="controlC*" RUN+="/sbin/salsa -l %n"
    SUBSYSTEM=="sound", KERNEL=="pcm*" RUN+="/sbin/salsa"
[Not sure if the changes to the first line or if the second line are really needed.....]
2. Added the following 'local' policy:
    module fixsalsa 1.0;

    require {
        type udev_t;
        type alsa_etc_rw_t;
        class file { read getattr };
    }

    #============= udev_t ==============
    allow udev_t alsa_etc_rw_t:file { read getattr };
System now boots without AVCs in either /var/log/messages or /var/log/audit/audit.log, and sound is properly saved on shutdown and restored on boot.
I am a bit confused, since /sbin/salsa is alsa_exec_t, so shouldn't udev_t transition to alsa_t?
tom
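As an added example (not code from the thread or from alsa-utils), the Python below groups AVC records like the two quoted above into the allow statement that Tom's local module contains, and separately flags the point he raises: a helper such as alsactl or salsa that shows up running as udev_t when a domain transition to alsa_t was expected. The EXPECTED_DOMAIN table and the sample records are constructed for the demo; a denial that really reflects a missing transition is better fixed in the transition rule than by widening udev_t.

```python
import re

# Constructed sample input: the two AVC records quoted in this thread (unchanged).
AVC_LINES = [
    'Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: denied { read } for pid=1553 comm="alsactl" name="asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file',
    'Oct 9 07:08:33 localhost kernel: audit(1191938899.844:4): avc: denied { getattr } for pid=1553 comm="alsactl" path="/etc/alsa/asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumed table (not in the thread): the domain each helper should run in after
# the transition from its exec type; the thread expects alsa_t for /sbin/salsa.
EXPECTED_DOMAIN = {"salsa": "alsa_t", "alsactl": "alsa_t"}

def parse_avc(line):
    # Fields of one AVC denial record, or None if the line is not one.
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # The type is the third field of a user:role:type:range context.
    rec["sdom"], rec["ttype"] = (rec[k].split(":")[2] for k in ("scon", "tcon"))
    return rec

def collect_rules(lines):
    # Group denials by (source domain, target type, class) and merge the
    # permissions in order of first appearance, as audit2allow summarises them.
    rules = {}
    for rec in filter(None, map(parse_avc, lines)):
        perms = rules.setdefault((rec["sdom"], rec["ttype"], rec["tclass"]), [])
        perms.extend(p for p in rec["perms"] if p not in perms)
    return rules

def render_allow(rules):
    # Policy allow statements equivalent to the local module posted in the thread.
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in rules.items()]

def transition_warnings(lines):
    # Denials where a helper ran in the caller's domain rather than its own:
    # the right fix is then the missing domain transition, not a new allow rule.
    seen = []
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["comm"], rec["sdom"], EXPECTED_DOMAIN.get(rec["comm"]))
        if key[2] and key[2] != key[1] and key not in seen:
            seen.append(key)
    return seen
```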
Tom London wrote:
On 10/9/07, Tom London selinux@gmail.com wrote:
On 9/25/07, Bill Nottingham notting@redhat.com wrote:
Tom London (selinux@gmail.com) said:
Running latest rawhide, targeted enforcing.
Booting up, udev (90-alsa.rules) runs /sbin/salsa to read /var/lib/alsa/asound.state.
Don't fix this in policy, that's just broken in alsa.
You can't save mixer settings there, as /var may not be mounted when this runs. *Sigh*
Bill
More 'sigh':
Booting in permissive mode now produces:
Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: denied { read } for pid=1553 comm="alsactl" name="asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Oct 9 07:08:33 localhost kernel: audit(1191938899.844:4): avc: denied { getattr } for pid=1553 comm="alsactl" path="/etc/alsa/asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Not 100% sure why this now is reported against alsactl (instead of salsa); and shouldn't alsactl be running in 'alsa_t'?
I did make one change to 90-alsa.rules: I changed 'RUN+="/sbin/salsa"' to RUN+="/sbin/salsa -l" on both ControlC* and pcm* lines. Not sure if that 'broke something'.
I've managed to 'make sound come up on boot' by doing the following:
- Change the 90-alsa.rules entry to:
    SUBSYSTEM=="sound", KERNEL=="controlC*" RUN+="/sbin/salsa -l %n"
    SUBSYSTEM=="sound", KERNEL=="pcm*" RUN+="/sbin/salsa"
[Not sure if the changes to the first line or if the second line are really needed.....]
- Added the following 'local' policy:
    module fixsalsa 1.0;

    require {
        type udev_t;
        type alsa_etc_rw_t;
        class file { read getattr };
    }

    #============= udev_t ==============
    allow udev_t alsa_etc_rw_t:file { read getattr };
System now boots without AVCs in either /var/log/messages or /var/log/audit/audit.log, and sound is properly saved on shutdown and restored on boot.
I am a bit confused, since /sbin/salsa is alsa_exec_t, so shouldn't udev_t transition to alsa_t?
tom
It should now. Policy 3.0.8-22 at least.