udev/sound/alsa: needs to read /var/lib/alsa/asound.state (alsa_var_lib_t)

Tom London selinux at gmail.com
Wed Oct 10 14:48:59 UTC 2007


On 10/9/07, Tom London <selinux at gmail.com> wrote:
> On 9/25/07, Bill Nottingham <notting at redhat.com> wrote:
> > Tom London (selinux at gmail.com) said:
> > > Running latest rawhide, targeted enforcing.
> > >
> > > Booting up, udev (90-alsa.rules) runs /sbin/salsa to read
> > > /var/lib/alsa/asound.state.
> >
> > Don't fix this in policy, that's just broken in alsa.
> >
> > You can't save mixer settings there, as /var may not be mounted when
> > this runs. *Sigh*
> >
> > Bill
> >
> More 'sigh':
>
> Booting in permissive mode now produces:
>
> Oct  9 07:08:33 localhost kernel: audit(1191938899.844:3): avc:
> denied  { read } for  pid=1553 comm="alsactl" name="asound.state"
> dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
> Oct  9 07:08:33 localhost kernel: audit(1191938899.844:4): avc:
> denied  { getattr } for  pid=1553 comm="alsactl"
> path="/etc/alsa/asound.state" dev=dm-0 ino=11076536
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
>
> Not 100% sure why this now is reported against alsactl (instead of
> salsa); and shouldn't alsactl be running in 'alsa_t'?
>
> I did make one change to 90-alsa.rules: I changed 'RUN+="/sbin/salsa"'
> to RUN+="/sbin/salsa -l" on both ControlC* and pcm* lines. Not sure if
> that 'broke something'.
>

I've managed to 'make sound come up on boot' by doing the following:

1. Change the 90-alsa.rules entry to:
SUBSYSTEM=="sound", KERNEL=="controlC*", RUN+="/sbin/salsa -l %n"
SUBSYSTEM=="sound", KERNEL=="pcm*",      RUN+="/sbin/salsa"

[Not sure if the changes to the first line or the second line are
really needed...]

2. Added the following 'local' policy:

module fixsalsa 1.0;

require {
        type udev_t;
        type alsa_etc_rw_t;
        class file { read getattr };
}

#============= udev_t ==============
allow udev_t alsa_etc_rw_t:file { read getattr };

System now boots without AVCs in either /var/log/messages or
/var/log/audit/audit.log, and sound is properly saved on shutdown and
restored on boot.

I am a bit confused, since /sbin/salsa is alsa_exec_t, so shouldn't
udev_t transition to alsa_t?

tom
-- 
Tom London
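As an added illustration (not part of Tom's mail or of the alsa/udev packages), the script below does by hand what audit2allow does: it parses the two AVC records quoted above, re-joined onto one line each, and emits a local policy module of the same shape as the fixsalsa module posted above. The module name and the function names are my own choices; permissions come out in alphabetical order.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the mail, joined back
# onto one line each (syslog had wrapped them when the message was sent).
SAMPLE_LOG = """\
Oct  9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: denied  { read } for  pid=1553 comm="alsactl" name="asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Oct  9 07:08:33 localhost kernel: audit(1191938899.844:4): avc: denied  { getattr } for  pid=1553 comm="alsactl" path="/etc/alsa/asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
"""

# One AVC denial: the permission set in braces, then the source/target
# contexts and the object class further along the same line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def domain_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source type, target type, class, frozenset(perms)) per AVC record."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (domain_type(m["scontext"]), domain_type(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))

def build_module(log_text, name="fixsalsa", version="1.0"):
    """Aggregate denials into a TE module: require block plus one allow per triple."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        rules[(src, tgt, cls)] |= perms
    types = sorted({t for (s, tg, _) in rules for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_module(SAMPLE_LOG))
```

The output can be fed to checkmodule/semodule_package just like the hand-written module; the tcontext type it reports (alsa_etc_rw_t for a file under /etc/alsa) is also what tells you the file is not labelled alsa_var_lib_t.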
