| Summary: | sec-policy/selinux-mpd: media-sound/mpd fails to create Unix sockets | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Niklas Haas <gentoo> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | UNCONFIRMED --- | ||
| Severity: | normal | CC: | arthur, nex+b-g-o, proxy-maint |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Is the create permission sufficient? Usually a few more are needed (open, read/write, ...). It needs at least create and setattr, though I suspect if I pair it with a program that uses the socket it will also need read and write. I havent used mpd in a while, but I assume this socket is for clients to access the server instead of over tcp. In that case I would prefer to not just add the sock create rules since it'd be useless. At the very least, we'd need to make a new associated interface and probably grant it to the main domains that would need access (i guess user_t and maybe others?) |
mpd_t is prohibited from interacting with unix sockets (bind_to_address setting in mpd) Reproducible: Always Steps to Reproduce: 1. Install mpd 2. Enable bind_to_address "/var/lib/mpd/socket" 3. Start mpd Actual Results: type=AVC msg=audit(1438541366.559:31679): avc: denied { create } for pid=2948 comm="mpd" name="socket" scontext=system_u:system_r:mpd_t tcontext=system_u:object_r:mpd_var_lib_t tclass=sock_file permissive=0