Hi,
I've recently been trying out the SELinux sandbox but have an issue with no audio.
I ran pulseaudio in permissive mode and was able to get audio working; plus, the sandbox became more responsive, e.g. not crashing after right-clicking, etc.
Details:
id:uid=1000(chira) gid=1000(chira) groups=1000(chira),10(wheel) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
sealert -l 92f61b75-b707-4957-a49b-9e94bc9de471
SELinux is preventing /usr/bin/pulseaudio from 'read, write' accesses on the file 2F6D656D66643A70756C7365617564696F202864656C6574656429.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that pulseaudio should be allowed read write access on the 2F6D656D66643A70756C7365617564696F202864656C6574656429 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pulseaudio' --raw | audit2allow -M my-pulseaudio
# semodule -X 300 -i my-pulseaudio.pp
Additional Information:
Source Context staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023
Target Context staff_u:object_r:sandbox_web_client_tmpfs_t:s0
Target Objects 2F6D656D66643A70756C7365617564696F202864656C6574656429 [ file ]
Source pulseaudio
Source Path /usr/bin/pulseaudio
Port <Unknown>
Host localhost.localdomain
Source RPM Packages pulseaudio-11.1-2.fc26.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-260.13.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.13.9-200.fc26.x86_64
#1 SMP Mon Oct 23 13:52:45 UTC 2017 x86_64 x86_64
Alert Count 56
First Seen 2017-11-05 14:25:05 EET
Last Seen 2017-11-06 09:35:11 EET
Local ID 92f61b75-b707-4957-a49b-9e94bc9de471
Raw Audit Messages
type=AVC msg=audit(1509953711.629:998099): avc: denied { read write } for pid=2771 comm="pulseaudio" path=2F6D656D66643A70756C7365617564696F202864656C6574656429 dev="tmpfs" ino=1717208 scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1509953711.629:998099): arch=x86_64 syscall=recvmsg success=yes exit=ENOTDIR a0=2b a1=7ffc6fbf7320 a2=0 a3=0 items=0 ppid=1 pid=2771 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=6 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
Hash: pulseaudio,pulseaudio_t,sandbox_web_client_tmpfs_t,file,read,write
:::::::::::::::::::::::::::::::::::::::
Question: am I approaching this issue correctly, i.e. should I provide read-write access, or are there better ways to deal with this issue?
Any info would be greatly appreciated.
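Before deciding whether to write an allow rule, it helps to read the raw AVC record properly: auditd hex-encodes a `path=` value when it contains spaces or other special characters, and `permissive=1` means the access was only logged, not blocked. The following parser is an added example (not part of the post above and not a tool from the SELinux or pulseaudio projects); it takes the AVC line quoted in the post, embedded here as constructed sample input, decodes the hex path, pulls out the source/target types and permissions, and prints the `allow` rule that `audit2allow` would derive from it, so you can see exactly what the suggested local module grants before installing it.

```python
import re

# Constructed sample input: the AVC record quoted in the post above,
# embedded so the script runs offline.
SAMPLE_AVC = (
    'type=AVC msg=audit(1509953711.629:998099): avc: denied { read write } '
    'for pid=2771 comm="pulseaudio" '
    'path=2F6D656D66643A70756C7365617564696F202864656C6574656429 '
    'dev="tmpfs" ino=1717208 '
    'scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 '
    'tcontext=staff_u:object_r:sandbox_web_client_tmpfs_t:s0 '
    'tclass=file permissive=1'
)

# Fields that auditd may emit hex-encoded (unquoted) instead of double-quoted.
HEX_FIELDS = {'path', 'comm', 'exe', 'name', 'cwd', 'proctitle'}

_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def decode_audit_value(raw):
    """Return a string-valued audit field in plain text.

    auditd double-quotes a value that is safe to print and hex-encodes it
    (no quotes) when it contains spaces, quotes or non-printable bytes.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_avc(line):
    """Parse one type=AVC record into a dict of its key fields."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    # Only key=value tokens after the permission set are parsed; the
    # msg=audit(...) header is skipped.
    for key, value, _ in _FIELD_RE.findall(line[m.end():]):
        rec[key] = decode_audit_value(value) if key in HEX_FIELDS else value.strip('"')
    # Contexts are user:role:type[:mls]; the type is what policy rules use.
    for ctx in ('scontext', 'tcontext'):
        rec[ctx + '_type'] = rec[ctx].split(':')[2]
    # permissive=1 means the access was logged but NOT blocked.
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def to_te_rule(rec):
    """Build the Type Enforcement allow rule audit2allow would generate."""
    return 'allow {} {}:{} {{ {} }};'.format(
        rec['scontext_type'], rec['tcontext_type'], rec['tclass'],
        ' '.join(rec['perms']))


def summarize(rec):
    """One-line, human-readable description of the denial."""
    mode = 'logged only (permissive)' if rec['permissive'] else 'blocked (enforcing)'
    return '{} {} {} on {} "{}" labelled {}: {}'.format(
        rec['scontext_type'], rec['result'], ','.join(rec['perms']),
        rec['tclass'], rec.get('path', '?'), rec['tcontext_type'], mode)


if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    print(summarize(record))
    print('Rule audit2allow would emit:', to_te_rule(record))
```

Running it decodes the hex path to `/memfd:pulseaudio (deleted)`, i.e. an anonymous memfd shared by the sandboxed client, which explains why the target is labelled `sandbox_web_client_tmpfs_t` rather than a file on disk. Seeing the derived rule spelled out (`allow pulseaudio_t sandbox_web_client_tmpfs_t:file { read write };`) makes it clear that the suggested module grants the pulseaudio domain read/write on every file of that sandbox tmpfs type, not just this one memfd, which is the scope to weigh before loading it.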