Bug 556526 - mpd can't interact with PulseAudio
Summary: mpd can't interact with PulseAudio
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal major
Assignee: Jason Zaman
Whiteboard: sec-policy r9
Reported: 2015-08-02 19:09 UTC by Niklas Haas
Modified: 2015-11-22 10:39 UTC
Description Niklas Haas 2015-08-02 19:09:27 UTC
mpd is unable to play audio via PulseAudio

Reproducible: Always

Steps to Reproduce:
1. Install mpd
2. Enable PulseAudio output in mpd.conf (type "pulse")
3. Start mpd and try to play back audio

Actual Results:  
type=AVC msg=audit(1438542397.578:41803): avc:  denied  { getattr } for  pid=3036 comm="output:PulseAud" path="/tmp/pulse-41hVSyvkKCJe" dev="tmpfs" ino=193762 scontext=system_u:system_r:mpd_t tcontext=staff_u:object_r:user_tmp_t tclass=dir permissive=0
Comment 1 Franz Trischberger 2015-08-03 16:21:01 UTC
Is that a system mpd.conf, or the one of your user?
Do you start mpd as a system service or as user?
If you start it as a user do you have write access to the relevant files/directories? (see your other issue).
And your complete mpd config would help, too.

I start mpd as a user and use pulseaudio without any issues.
Comment 2 Niklas Haas 2015-08-03 16:41:46 UTC
It's a system-wide mpd.conf; I *start* it system-wide via rc-service, but it drops privs to my user account. (I have “user nand” in my system-wide mpd.conf)

Complete mpd config: https://github.com/haasn/gentoo-conf/blob/nanodesu/etc/mpd.conf

It has access to /y/media/music, but not to /tmp/pulse-*, as evidenced by this command:

{{{
$ sesearch -AC -s mpd_t -t user_tmp_t -p getattr -c dir

$
}}}
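
An added example, not part of the original thread: a small parser that takes the AVC record from the description and derives both the sesearch query used in comment 2 and the bare allow rule the denial corresponds to. The function names are illustrative; only the AVC line itself comes from the report.

```python
import re
import shlex

# AVC record copied from the bug description above.
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1438542397.578:41803): avc:  denied  { getattr } for  '
    'pid=3036 comm="output:PulseAud" path="/tmp/pulse-41hVSyvkKCJe" dev="tmpfs" '
    'ino=193762 scontext=system_u:system_r:mpd_t '
    'tcontext=staff_u:object_r:user_tmp_t tclass=dir permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record. A context is user:role:type[:mls], so the type is part 3."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
        "enforced": fields.get("permissive", "0") == "0",
    }


def sesearch_query(avc):
    """Build the sesearch invocation that checks whether policy allows this access."""
    argv = ["sesearch", "-AC", "-s", avc["source_type"], "-t", avc["target_type"],
            "-p", ",".join(avc["perms"]), "-c", avc["tclass"]]
    return " ".join(shlex.quote(a) for a in argv)


def raw_allow_rule(avc):
    """Render the bare allow rule the denial corresponds to (for review, not loading)."""
    perms = avc["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_txt};"


if __name__ == "__main__":
    avc = parse_avc(AVC_FROM_REPORT)
    print(sesearch_query(avc), raw_allow_rule(avc), sep="\n")
```

The rendered rule is a reading aid for the denial; the fix recorded in comment 5 grants the access through the userdom_list_user_tmp interface on pulseaudio_client instead.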
Comment 3 Niklas Haas 2015-08-08 02:42:42 UTC
After some further testing, I noticed that if I start mpd in permissive mode and successfully start playback at least once, I can then turn off permissive mode and it continues working.

It seems like once it successfully reads the /tmp/pulse-* files once, it keeps that data in memory.

Furthermore, if pulse is *not* already running, I get weirder behavior:

1. I get a failure because mpd tries writing to /var/log/mpd.log from within pulseaudio_t.

2. If I disable logging in order to bypass this, it successfully creates the /tmp/pulse-* directory but as mpd_t, and so it ends up labeled as mpd_tmp_t. PulseAudio itself then fails reading this directory.

The only way I can get it to work, currently:

1. Spawn PulseAudio separately
2. Start mpd in permissive mode and have it play back audio at least once
3. Disable permissive mode
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2015-08-16 17:19:57 UTC
Right now the SELinux policy for pulseaudio does not use regular temporary files/directories. I don't use it myself so I don't know if this was never needed (and is recently added) or if there is a setting that is able to deal with this differently.

We should try to figure out which process is creating the /tmp/pulse-.* directory. If it is pulseaudio, then it should be running in the pulseaudio domain (and the file should be pulseaudio_tmp_t). We could then allow the pulseaudio clients to read this information.
Comment 5 Jason Zaman gentoo-dev 2015-08-23 04:14:44 UTC
userdom_list_user_tmp(pulseaudio_client)

added in commit 74d30592c6783e
Comment 6 Jason Zaman gentoo-dev 2015-08-23 04:37:09 UTC
(In reply to Sven Vermeulen from comment #4)
> Right now the SELinux policy for pulseaudio does not use regular temporary
> files/directories. I don't use it myself so I don't know if this was never
> needed (and is recently added) or if there is a setting that is able to deal
> with this differently.
> 
> We should try to figure out which process is creating the /tmp/pulse-.*
> directory. If it is pulseaudio, then it should be running in the pulseaudio
> domain (and the file should be pulseaudio_tmp_t). We could then allow the
> pulseaudio clients to read this information.

I looked through the pulse source. It looks like the lib creates the dir first, so it's made by whatever process starts pulse. It looks like it is made before forking off the pulse server, so it is not actually created by pulseaudio_t.

The longer term solution is to get XDG_RUNTIME_DIR working so that pulse will put its dir in /run/user/$USER/pulse/; then we can use a named filetrans to label it properly. I filed an issue with consolekit2 to implement $XDG_RUNTIME_DIR.

https://github.com/pulseaudio/pulseaudio/blob/1db12f50106735f021202b51bc62e1bfc16260f1/src/pulsecore/core-util.c#L1839
Comment 7 Jason Zaman gentoo-dev 2015-09-06 13:04:48 UTC
r9 is in ~arch
Comment 8 Jason Zaman gentoo-dev 2015-11-22 10:39:57 UTC
r9 stable