udev/sound/alsa: needs to read /var/lib/alsa/asound.state (alsa_var_lib_t)

Daniel J Walsh dwalsh at redhat.com
Mon Oct 15 19:30:01 UTC 2007


Tom London wrote:
> On 10/9/07, Tom London <selinux at gmail.com> wrote:
>> On 9/25/07, Bill Nottingham <notting at redhat.com> wrote:
>>> Tom London (selinux at gmail.com) said:
>>>> Running latest rawhide, targeted enforcing.
>>>>
>>>> Booting up, udev (90-alsa.rules) runs /sbin/salsa to read
>>>> /var/lib/alsa/asound.state.
>>> Don't fix this in policy, that's just broken in alsa.
>>>
>>> You can't save mixer settings there, as /var may not be mounted when
>>> this runs. *Sigh*
>>>
>>> Bill
>>>
>> More 'sigh':
>>
>> Booting in permissive mode now produces:
>>
>> Oct  9 07:08:33 localhost kernel: audit(1191938899.844:3): avc:
>> denied  { read } for  pid=1553 comm="alsactl" name="asound.state"
>> dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
>> Oct  9 07:08:33 localhost kernel: audit(1191938899.844:4): avc:
>> denied  { getattr } for  pid=1553 comm="alsactl"
>> path="/etc/alsa/asound.state" dev=dm-0 ino=11076536
>> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
>>
>> Not 100% sure why this now is reported against alsactl (instead of
>> salsa); and shouldn't alsactl be running in 'alsa_t'?
>>
>> I did make one change to 90-alsa.rules: I changed 'RUN+="/sbin/salsa"'
>> to RUN+="/sbin/salsa -l" on both ControlC* and pcm* lines. Not sure if
>> that 'broke something'.
>>
> 
> I've managed to 'make sound come up on boot' by doing the following:
> 
> 1. Change the 90-alsa.rules entry to:
> SUBSYSTEM=="sound", KERNEL=="controlC*" RUN+="/sbin/salsa -l %n"
> SUBSYSTEM=="sound", KERNEL=="pcm*"      RUN+="/sbin/salsa"
> 
> [Not sure if the changes to the first line or if the second line are
> really needed.....]
> 
> 2. Added the following 'local' policy:
> 
> module fixsalsa 1.0;
> 
> require {
>         type udev_t;
>         type alsa_etc_rw_t;
>         class file { read getattr };
> }
> 
> #============= udev_t ==============
> allow udev_t alsa_etc_rw_t:file { read getattr };
> 
> System now boots without AVCs in either /var/log/messages or
> /var/log/audit/audit.log, and sound is properly saved on shutdown and
> restored on boot.
> 
> I am a bit confused, since /sbin/salsa is alsa_exec_t, so shouldn't
> udev_t transition to alsa_t?
> 
> tom
It should now.  policy 3.0.8-22 at least
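
Added example (not part of the original thread, and not the audit2allow tool itself): a short Python sketch of how the two AVC denials quoted above map to the allow rule in the local module, using the thread's log lines with the mail wrapping undone. The function names are hypothetical; the parsed record also shows comm="alsactl" still running with source type udev_t, which is the missing domain transition the thread asks about.

```python
import re
from collections import defaultdict

# The two denials quoted in the thread, with the mail client's line wrapping undone.
AVC_LOG = """\
Oct  9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: denied  { read } for  pid=1553 comm="alsactl" name="asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Oct  9 07:08:33 localhost kernel: audit(1191938899.844:4): avc: denied  { getattr } for  pid=1553 comm="alsactl" path="/etc/alsa/asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, comm), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # A security context is user:role:type:level; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms, fields.get("comm")


def allow_rules(log):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(list)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype, ttype, tclass, perms, _comm = rec
        for perm in perms:
            if perm not in merged[(stype, ttype, tclass)]:
                merged[(stype, ttype, tclass)].append(perm)
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in merged.items()]


if __name__ == "__main__":
    for rule in allow_rules(AVC_LOG):
        print(rule)
```

A rule generated this way widens what udev_t itself may read; once the udev_t to alsa_t transition is in place, the access is attributed to alsa_t instead.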



