Pulseaudio seems to use /dev/shm/pulse-shm-* files as a means to manage shared memory between clients and the daemon. The problem is that clients create these files in their own *_tmpfs_t domains:

budrys ~ # ls -lZ /dev/shm/pulse-shm-* | sed -e 's/kamila/user_unpriv/g;s/vespian/user_admin/g'
-r--------. 1 user_admin user_admin staff_u:object_r:user_tmpfs_t:s0 67108904 03-24 19:06 /dev/shm/pulse-shm-1439935
-r--------. 1 user_unpriv user_unpriv user_u:object_r:user_tmpfs_t:s0 67108904 03-24 17:07 /dev/shm/pulse-shm-1819719118
-r--------. 1 user_unpriv user_unpriv user_u:object_r:thunderbird_tmpfs_t:s0 67108904 03-24 17:13 /dev/shm/pulse-shm-18736795
-r--------. 1 user_admin user_admin staff_u:object_r:pulseaudio_tmpfs_t:s0 67108904 03-24 19:32 /dev/shm/pulse-shm-2156878588
-r--------. 1 user_admin user_admin staff_u:object_r:user_tmpfs_t:s0 67108904 03-24 19:06 /dev/shm/pulse-shm-251102762
-r--------. 1 user_unpriv user_unpriv user_u:object_r:user_tmpfs_t:s0 67108904 03-24 17:07 /dev/shm/pulse-shm-2870943617
-r--------. 1 user_unpriv user_unpriv user_u:object_r:user_tmpfs_t:s0 67108904 03-24 17:07 /dev/shm/pulse-shm-3147715900
-r--------. 1 user_unpriv user_unpriv user_u:object_r:mozilla_tmpfs_t:s0 67108904 03-24 17:07 /dev/shm/pulse-shm-3632775165
-r--------. 1 user_admin user_admin staff_u:object_r:mplayer_tmpfs_t:s0 67108904 03-24 19:08 /dev/shm/pulse-shm-428873288
-r--------. 1 user_unpriv user_unpriv user_u:object_r:pulseaudio_tmpfs_t:s0 67108904 03-24 19:09 /dev/shm/pulse-shm-726701676
-r--------. 1 user_admin user_admin staff_u:object_r:user_tmpfs_t:s0 67108904 03-24 19:06 /dev/shm/pulse-shm-857495735

And this results in AVC denials for pulseaudio_t and the client domains, which cannot exchange data:

type=AVC msg=audit(1363904774.418:2255): avc: denied { read } for pid=9409 comm="plugin-containe" name="pulse-shm-3609188085" dev="tmpfs" ino=326515 scontext=user_u:user_r:mozilla_plugin_t:s0 tcontext=user_u:object_r:thunderbird_tmpfs_t:s0 tclass=file
type=AVC msg=audit(1363904774.418:2255): avc: denied { open } for pid=9409 comm="plugin-containe" path="/dev/shm/pulse-shm-3609188085" dev="tmpfs" ino=326515 scontext=user_u:user_r:mozilla_plugin_t:s0 tcontext=user_u:object_r:thunderbird_tmpfs_t:s0 tclass=file
type=AVC msg=audit(1363904774.428:2258): avc: denied { read } for pid=15550 comm="pulseaudio" name="pulse-shm-3722984048" dev="tmpfs" ino=447258 scontext=user_u:user_r:pulseaudio_t:s0 tcontext=user_u:object_r:mozilla_plugin_tmpfs_t:s0 tclass=file
type=AVC msg=audit(1363904774.428:2258): avc: denied { open } for pid=15550 comm="pulseaudio" path="/dev/shm/pulse-shm-3722984048" dev="tmpfs" ino=447258 scontext=user_u:user_r:pulseaudio_t:s0 tcontext=user_u:object_r:mozilla_plugin_tmpfs_t:s0 tclass=file

Patch attached.

Reproducible: Always

Steps to Reproduce:
1. start pulseaudio in per-user mode
2. try to start a few clients (thunderbird, mplayer, etc...)
3. pulseaudio -k to restart the daemon
4. observe the AVC logs
Created attachment 343130 [details] emerge --info output
Created attachment 343132 [details, diff] pulseaudio_dev_shm.patch
We had the same problem with alsa a while back. I ended up assigning a generic attribute towards all *_tmpfs_t domains if they have pulseaudio enabled. But this isn't perfect. I'll see if the same approach is valid here or not.
Committed in repo:

#v+
Fix bug 463006 - Support shared file access for pulseaudio

The pulseaudio setup uses shared files in /dev/shm where all pulseaudio-capable domains should have the proper access to. The policy already supports marking the tmpfs file types as pulseaudio_tmpfsfile's, but this wasn't set everywhere (the bug report mentions mplayer, mozilla, mozilla_plugin, thunderbird).

As this is similar to ALSA, I decided to use the same approach as it is, imo, quite manageable:
- created a pulseaudio_client_domain() interface that takes two arguments
  (1.) the client domain itself (which will be marked through attribute pulseaudio_client)
  (2.) the tmpfs type (which will be marked through attribute pulseaudio_tmpfsfile)
- give pulseaudio_client_domain() on the given types

With that done, support for all pulseaudio-related matters is automatically assigned the moment that the pulseaudio module is loaded.
#v-

In repo, will be in rev 13
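To make the attribute-based approach from the commit message concrete, here is an added illustration in reference-policy syntax. It is not the committed Gentoo policy and not the attached patch: the interface name and the two attribute names are taken from the commit message above, but the surrounding .te layout, the doc comments, the permission sets (read_file_perms, chosen to match the read/open denials in the report) and the mplayer.te call are assumptions made for this example.

```m4
## <summary>
##	Mark a domain as a pulseaudio client and its tmpfs type as
##	pulseaudio shared memory (added illustration, not the committed
##	Gentoo policy).
## </summary>
## <param name="domain">
##	<summary>Client domain, e.g. mplayer_t.</summary>
## </param>
## <param name="tmpfs_type">
##	<summary>The client's tmpfs type, e.g. mplayer_tmpfs_t.</summary>
## </param>
interface(`pulseaudio_client_domain',`
	gen_require(`
		attribute pulseaudio_client;
		attribute pulseaudio_tmpfsfile;
	')

	# $1 gains every rule written against pulseaudio_client,
	# $2 becomes readable by the daemon and all other clients.
	typeattribute $1 pulseaudio_client;
	typeattribute $2 pulseaudio_tmpfsfile;
')

# --- pulseaudio.te (assumed layout) ---------------------------------
# Declare the attributes once and write the cross-domain rules against
# them, so every later pulseaudio_client_domain() call picks the access
# up without touching this file again.
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;

# The daemon and every client may read any /dev/shm/pulse-shm-* file,
# whichever client's *_tmpfs_t type it was created with. read/open is
# what the AVCs in the report show; widen to rw_file_perms only if
# further denials show write being needed (assumption for this example).
allow pulseaudio_t pulseaudio_tmpfsfile:file read_file_perms;
allow pulseaudio_client pulseaudio_tmpfsfile:file read_file_perms;

# --- mplayer.te (assumed) --------------------------------------------
# A client module opts in; optional_policy() keeps the module loadable
# when pulseaudio's policy module is absent.
optional_policy(`
	pulseaudio_client_domain(mplayer_t, mplayer_tmpfs_t)
')
```

Note the scope this grants: once a tmpfs type carries pulseaudio_tmpfsfile, every domain carrying pulseaudio_client can read those segments, e.g. mozilla_plugin_t reading a thunderbird_tmpfs_t file as in the denials above. The listing in the report shows the files are mode 0400 and owned by the creating user, so DAC still confines that read access to segments of the same user; the attribute only removes the type-enforcement wall between that user's own client domains.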
In main tree, ~arch'ed (20130424-r1 release)
Now stable in repo