mpd_t is prohibited from interacting with unix sockets (bind_to_address setting in mpd)

Reproducible: Always

Steps to Reproduce:
1. Install mpd
2. Enable bind_to_address "/var/lib/mpd/socket"
3. Start mpd

Actual Results:
type=AVC msg=audit(1438541366.559:31679): avc: denied { create } for pid=2948 comm="mpd" name="socket" scontext=system_u:system_r:mpd_t tcontext=system_u:object_r:mpd_var_lib_t tclass=sock_file permissive=0
Is the create permission sufficient? Usually a few more are needed (open, read/write, ...).
It needs at least create and setattr, though I suspect if I pair it with a program that uses the socket it will also need read and write.
I haven't used mpd in a while, but I assume this socket is for clients to access the server instead of over TCP. In that case I would prefer not to just add the sock create rules since it'd be useless. At the very least, we'd need to make a new associated interface and probably grant it to the main domains that would need access (I guess user_t and maybe others?)
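One way to express both halves of that (the server-side sock_file rule from the AVC and a client-facing interface), as an added refpolicy-style example written for this report rather than policy taken from the page or from the mpd module; the interface name mpd_stream_connect and the use of manage_sock_files_pattern are assumptions:

```m4
## mpd.te: let mpd_t create and manage its own unix socket file under
## /var/lib/mpd (labelled mpd_var_lib_t, as the AVC shows). The denial
## only reported create; setattr is needed as noted above, and
## manage_sock_files_pattern also covers unlink for a stale socket left
## over from a previous run.
manage_sock_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)

## mpd.if: interface a client domain calls to reach the server over the
## socket instead of TCP. Covers search on the directory, write on the
## sock_file and connectto on mpd_t's unix_stream_socket, so the
## client-side read/write denials expected above do not appear later.
interface(`mpd_stream_connect',`
	gen_require(`
		type mpd_t, mpd_var_lib_t;
	')

	files_search_var_lib($1)
	stream_connect_pattern($1, mpd_var_lib_t, mpd_var_lib_t, mpd_t)
')
```

Which domains get mpd_stream_connect (user_t or others) is the policy decision raised above; after loading the rebuilt module, retest with a client and check `ausearch -m AVC -c mpd` for any remaining denials.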