Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 556524 - sec-policy/selinux-mpd: media-sound/mpd fails to create Unix sockets
Summary: sec-policy/selinux-mpd: media-sound/mpd fails to create Unix sockets
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-02 19:04 UTC by Niklas Haas
Modified: 2017-05-28 12:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Niklas Haas 2015-08-02 19:04:56 UTC
mpd_t is prohibited from interacting with unix sockets (bind_to_address setting in mpd)

Reproducible: Always

Steps to Reproduce:
1. Install mpd
2. Enable bind_to_address "/var/lib/mpd/socket"
3. Start mpd
Actual Results:  
type=AVC msg=audit(1438541366.559:31679): avc:  denied  { create } for  pid=2948 comm="mpd" name="socket" scontext=system_u:system_r:mpd_t tcontext=system_u:object_r:mpd_var_lib_t tclass=sock_file permissive=0
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-08-16 17:24:46 UTC
Is the create permission sufficient?

Usually a few more are needed (open, read/write, ...).
Comment 2 Niklas Haas 2015-08-16 17:33:24 UTC
It needs at least create and setattr, though I suspect if I pair it with a program that uses the socket it will also need read and write.
Comment 3 Jason Zaman gentoo-dev 2015-09-02 06:55:26 UTC
I havent used mpd in a while, but I assume this socket is for clients to access the server instead of over tcp. In that case I would prefer to not just add the sock create rules since it'd be useless. At the very least, we'd need to make a new associated interface and probably grant it to the main domains that would need access (i guess user_t and maybe others?)