SELinux and Alsa

17th October 2007, 04:53 PM
I am getting this error from SELinux

I have tried

[jcress@localhost ~]$ /sbin/restorecon -v asound.state
lstat(asound.state) failed: No such file or directory
[jcress@localhost ~]$

Any advice?

SELinux is preventing /sbin/alsactl (alsa_t) "read" to asound.state

Detailed Description
SELinux denied access requested by /sbin/alsactl. It is not expected that
this access is required by /sbin/alsactl and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for asound.state, restorecon -v
asound.state If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context system_u:system_r:alsa_t
Target Context system_u:object_r:etc_runtime_t
Target Objects asound.state [ file ]
Affected RPM Packages alsa-utils-1.0.14-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-46.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain #1 SMP
Thu Sep 27 23:10:59 EDT 2007 i686 i686
Alert Count 32
First Seen Sat 06 Oct 2007 10:22:02 PM EDT
Last Seen Wed 17 Oct 2007 09:50:32 AM EDT
Local ID 7e070a32-fdf3-44b0-916d-ac7824c0faaf
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="alsactl" dev=dm-0 egid=0 euid=0
exe="/sbin/alsactl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="asound.state"
pid=3278 scontext=system_u:system_r:alsa_t:s0 sgid=0
subj=system_u:system_r:alsa_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0

17th October 2007, 05:28 PM
I think the first thing I would try is a complete relabel. To do this, run


then look at the options it gives; it should be pretty self-explanatory (sorry, I'm not at my Linux box to say exactly what to do).

17th October 2007, 05:41 PM
In root term
touch /.autorelabel

A workaround to allow audit (note I don't have this on F8 either, so you may need an update, or you have some 3rd-party repo stuff?)

# grep alsactl /var/log/audit/audit.log | audit2allow -M myalsactlpolicy
# semodule -i myalsactlpolicy.pp
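
The workaround above turns every logged alsactl denial into a local policy rule. As an added example (not from the thread and not audit2allow's own code), this Python script parses the raw audit message from the first post and derives the allow rule such a module would carry, so the grant can be reviewed before running semodule -i. The names parse_avc and allow_rules are hypothetical.

```python
import re

# Raw audit message from the first post, joined onto one line.
PAGE_AVC = (
    'avc: denied { read } for comm="alsactl" dev=dm-0 egid=0 euid=0 '
    'exe="/sbin/alsactl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="asound.state" pid=3278 scontext=system_u:system_r:alsa_t:s0 sgid=0 '
    'subj=system_u:system_r:alsa_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    perms = set(m.group(1).split())
    try:
        # A context is user:role:type[:level]; policy rules key on the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return (source, target, tclass, perms) if perms else None


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            source, target, tclass, perms = parsed
            merged.setdefault((source, target, tclass), set()).update(perms)
    rules = []
    for (source, target, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {text};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules([PAGE_AVC])))
```

The derived rule is keyed on types, not paths: it lets alsa_t read every file labelled etc_runtime_t, not only asound.state. Because the grep matches every alsactl line in audit.log, any other alsactl denials recorded there are merged into the same module.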