fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Confined user shows policy issue: camera cannot be accessed in Firefox (any confinement affected: user_u, staff_u, sysadm_u), tested with MS Teams & Zoom #2080

Open py0xc3 opened 2 months ago

py0xc3 commented 2 months ago

Video conferencing is not possible once an account is confined: this affects user_u, staff_u, sysadm_u.

I have tested it many times in the recent months with MS Teams and Zoom (in Firefox). It works fine once the confinement is disabled (unconfined_u), and the issue occurs always when any confinement is enabled.

Audio works fine. Only video is affected. But the logs are comprehensible and explain the issue: `audit[9916]: AVC avc: denied { read } for pid=<firefox> comm="VideoCapture" name="video*" dev="devtmpfs" ino=970` (video* = video0, video1, video2, video3 = 4 entries).

MS Teams and Zoom behave the same. The logs are mostly the same, with the exception that the two differ in how often they try to get access to video.

I have provoked related logs with F39 KDE Spin in February 2024 (both for Zoom and MS Teams), and I just re-tried with F40 KDE Spin (MS Teams only). The issue has not changed in F40.

The actual test on F39 KDE:

Related ausearch extract: seissuevideo_ausearch_f39
Related journalctl extract: seissuevideo_journalctl_f39

Just to have an immediate verification that F40 KDE Spin remains affected, here is a journalctl extract of F40 I just made, tested only with MS Teams: seissuevideo_journalctl_f40 (the behavior of MS Teams has not changed on F40). I expect that Zoom has not changed on F40 as well. I assume that other tools for browser video conferencing would behave the same, too. I have not tested separately on Workstation/Gnome, but I don't see a reason to assume that Firefox & video conferencing would behave differently there. I have not tested video conferencing tools without a browser.
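An added example, not part of the issue or of selinux-policy: a small Python parser over constructed audit records modelled on the AVC denial quoted above. It extracts the denied `read` attempts on `video*` device nodes and counts them per process and device, which is the check behind the "4 entries" statement. The pid, inode, timestamps and the scontext/tcontext values are constructed placeholders, not taken from the report.

```python
import re
from collections import Counter

# Constructed audit lines modelled on the denial in the report. Contexts,
# pids, inodes and timestamps are placeholders, not values from the issue.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.001:101): avc:  denied  { read } for  pid=9916 comm="VideoCapture" name="video0" dev="devtmpfs" ino=970 scontext=staff_u:staff_r:PLACEHOLDER_T:s0 tcontext=system_u:object_r:PLACEHOLDER_DEV_T:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1700000000.002:102): avc:  denied  { read } for  pid=9916 comm="VideoCapture" name="video1" dev="devtmpfs" ino=971 scontext=staff_u:staff_r:PLACEHOLDER_T:s0 tcontext=system_u:object_r:PLACEHOLDER_DEV_T:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1700000000.003:103): avc:  denied  { read } for  pid=9916 comm="VideoCapture" name="video2" dev="devtmpfs" ino=972 scontext=staff_u:staff_r:PLACEHOLDER_T:s0 tcontext=system_u:object_r:PLACEHOLDER_DEV_T:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1700000000.004:104): avc:  denied  { read } for  pid=9916 comm="VideoCapture" name="video3" dev="devtmpfs" ino=973 scontext=staff_u:staff_r:PLACEHOLDER_T:s0 tcontext=system_u:object_r:PLACEHOLDER_DEV_T:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1700000000.005:105): avc:  granted  { read } for  pid=9916 comm="VideoCapture" name="video0" dev="devtmpfs" ino=970 scontext=unconfined_u:unconfined_r:PLACEHOLDER_T:s0 tcontext=system_u:object_r:PLACEHOLDER_DEV_T:s0 tclass=chr_file
type=USER_LOGIN msg=audit(1700000000.006:106): pid=1 uid=0 auid=1000 ses=2 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

# Matches the decision, the permission set in braces, and the trailing key=value fields.
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def video_denials(text):
    """Keep only denied accesses to video* nodes on devtmpfs, as in the report."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["decision"] == "denied"
                and rec.get("dev") == "devtmpfs"
                and rec.get("name", "").startswith("video")):
            out.append(rec)
    return out


def summarize(records):
    """Count denials per (comm, device name); four distinct video* entries here."""
    return Counter((r["comm"], r["name"]) for r in records)
```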

py0xc3 commented 1 month ago

@zpytela I think I have read that you also use KDE with confined users? I was wondering if you also experience this problem? Video conferences in Firefox and such? I can reproduce it on new installations, too. I'm wondering if that is really inherent in all our installations or if I provoke it somehow on mine (because others use KDE & confinement too, and I assumed everyone uses video conferences from time to time?).

The same for the USB storage issue in #2019: if you also work in a confined environment, how do you, within the GUI from the confined account, mount USB storage from other people that usually doesn't have properly set labels? (I will experiment later whether `chcon -t user_home_dir_t /run/media/username` makes a difference, but I guess not on most Linux file systems if they already come with any labeling - I'll report in #2019 about it.)

Btw, let me know if you prefer to have things in bugzilla rather than here.

zpytela commented 1 month ago

@py0xc3 I use KDE as the staff_u user and Meet in firefox or chrome works for me if that's what you are asking.