| Summary: | media-sound/pulseaudio - /dev/shm/pulse-shm-* files denials | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | vespian <gentooorg> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r1 | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | emerge --info output; pulseaudio_dev_shm.patch | | |

Description
vespian
2013-03-24 19:11:43 UTC
Created attachment 343130
emerge --info output
Created attachment 343132
pulseaudio_dev_shm.patch

We had the same problem with alsa a while back. I ended up assigning a generic attribute towards all *_tmpfs_t domains if they have pulseaudio enabled. But this isn't perfect.

I'll see if the same approach is valid here or not.

Committed in repo:

#v+
Fix bug 463006 - Support shared file access for pulseaudio

The pulseaudio setup uses shared files in /dev/shm where all pulseaudio-capable domains should have the proper access to. The policy already supports marking the tmpfs file types as pulseaudio_tmpfsfile's, but this wasn't set everywhere (the bug report mentions mplayer, mozilla, mozilla_plugin, thunderbird).

As this is similar to ALSA, I decided to use the same approach as it is, imo, quite manageable:
- created a pulseaudio_client_domain() interface that takes two arguments
  (1.) the client domain itself (which will be marked through attribute pulseaudio_client)
  (2.) the tmpfs type (which will be marked through attribute pulseaudio_tmpfsfile)
- give pulseaudio_client_domain() on the given types

With that done, support for all pulseaudio-related matters is automatically assigned the moment that the pulseaudio module is loaded.
#v-

In repo, will be in rev 13

In main tree, ~arch'ed (20130424-r1 release)

Now stable in repo
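
For triaging denials like the ones this bug reports, the following added example (not part of the bug report or of the Gentoo policy) groups AVC denials on pulse-shm-* files by source and target type and lists the domains that would be candidates for pulseaudio_client_domain(). The log lines are constructed, and the `pulseaudio_t` server type and the `foo_t` / `foo_tmpfs_t` naming pairing are assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed AVC records for illustration; not taken from the bug's attachments.
SAMPLE_LOG = """\
type=AVC msg=audit(1364152303.101:210): avc:  denied  { read write } for  pid=4021 comm="mplayer" name="pulse-shm-1234567890" dev="tmpfs" ino=9001 scontext=staff_u:staff_r:mplayer_t tcontext=staff_u:object_r:pulseaudio_tmpfs_t tclass=file
type=AVC msg=audit(1364152303.205:211): avc:  denied  { read } for  pid=3990 comm="pulseaudio" name="pulse-shm-987654321" dev="tmpfs" ino=9002 scontext=staff_u:staff_r:pulseaudio_t tcontext=staff_u:object_r:mplayer_tmpfs_t tclass=file
type=AVC msg=audit(1364152304.000:212): avc:  denied  { getattr } for  pid=4100 comm="firefox" path="/dev/shm/pulse-shm-555" dev="tmpfs" ino=9003 scontext=staff_u:staff_r:mozilla_t tcontext=staff_u:object_r:pulseaudio_tmpfs_t tclass=file
type=AVC msg=audit(1364152305.000:213): avc:  denied  { read } for  pid=4200 comm="cat" name="shadow" dev="sda1" ino=77 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'(?:name|path)="(?P<obj>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def sel_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def pulse_shm_denials(log_text):
    """Map (source type, target type) -> set of permissions denied on pulse-shm-* files."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["cls"] != "file":
            continue
        if not os.path.basename(m["obj"]).startswith("pulse-shm-"):
            continue  # unrelated denial
        found[(sel_type(m["s"]), sel_type(m["t"]))].update(m["perms"].split())
    return dict(found)

def client_domains(denials, server="pulseaudio_t"):
    """Domains that look like pulseaudio clients (server type name is an assumption)."""
    clients = set()
    for src, tgt in denials:
        if src != server:
            clients.add(src)  # client denied on the server's shm file
        elif tgt.endswith("_tmpfs_t"):
            # Server denied on a client's shm file; owning domain is inferred
            # from the foo_tmpfs_t -> foo_t naming convention (assumption).
            clients.add(tgt[:-len("_tmpfs_t")] + "_t")
    return sorted(clients)

if __name__ == "__main__":
    denials = pulse_shm_denials(SAMPLE_LOG)
    for (src, tgt), perms in sorted(denials.items()):
        print(f"{src} -> {tgt}: {' '.join(sorted(perms))}")
    print("candidates:", ", ".join(client_domains(denials)))
```

Denials in both directions matter here: a client blocked on the server's shm file and the server blocked on a client's shm file both point at a domain that has not been marked as a pulseaudio client.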