search

fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0
168 stars 169 forks source link

speech-dispatcherd.service startup failure (AVC denied) on all fedora #2100

Open gordonwwang opened 6 months ago

gordonwwang commented 6 months ago

When systemctl start speech-dispatcherd.service, the following AVC denial occurs:

1. speech-dispatcher working directory changes, causing AVC rejection.

type=AVC msg=audit(1713942006.045:1230): avc:  denied  { create } for  pid=12672 comm="speech-dispatch" name="speech-dispatcher" scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1713942006.053:1232): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=speech-dispatcherd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'^]UID="root" AUID="unset"

Ten years ago, the commit 38d0c7f defined the working directory as ~/.speech-dispatcher. According to the latest speech-dispatcher doc, the latest working directory is ~/.cache/speech-dispatcher.

So I think this needs to be corrected. Specific modifications are as follows:

After repairing the above denials, move on. A new permission issue occurs:

2. bash command, tcp port connection, and speech dispatcher-modules access are denied.

The audit.log is as follows:

239:type=AVC msg=audit(1714149641.307:1053): avc:  denied  { execute } for  pid=6920 comm="speech-dispatch" name="bash" dev="dm-0" ino=16782846 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
240:type=AVC msg=audit(1714149641.308:1054): avc:  denied  { execute } for  pid=6921 comm="speech-dispatch" name="bash" dev="dm-0" ino=16782846 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
241:type=AVC msg=audit(1714149641.308:1055): avc:  denied  { name_connect } for  pid=6909 comm="speech-dispatch" dest=59125 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
242:type=AVC msg=audit(1714149641.310:1056): avc:  denied  { execute } for  pid=6922 comm="speech-dispatch" name="bash" dev="dm-0" ino=16782846 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
243:type=AVC msg=audit(1714149641.311:1057): avc:  denied  { execute } for  pid=6923 comm="speech-dispatch" name="bash" dev="dm-0" ino=16782846 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
244:type=AVC msg=audit(1714149641.313:1058): avc:  denied  { execute_no_trans } for  pid=6924 comm="speech-dispatch" path="/usr/lib64/speech-dispatcher-modules/sd_cicero" dev="dm-0" ino=34460340 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
245:type=AVC msg=audit(1714149641.317:1059): avc:  denied  { execute_no_trans } for  pid=6925 comm="speech-dispatch" path="/usr/lib64/speech-dispatcher-modules/sd_espeak-ng" dev="dm-0" ino=34566660 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
246:type=AVC msg=audit(1714149641.321:1060): avc:  denied  { execute_no_trans } for  pid=6926 comm="speech-dispatch" path="/usr/lib64/speech-dispatcher-modules/sd_espeak-ng" dev="dm-0" ino=34566660 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
247:type=AVC msg=audit(1714149641.324:1061): avc:  denied  { execute_no_trans } for  pid=6927 comm="speech-dispatch" path="/usr/lib64/speech-dispatcher-modules/sd_dummy" dev="dm-0" ino=34460341 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0

2.1 Running bash

speech-dispatcher tries the following call to execve:

type say > /dev/null 2>&1
type epos-say > /dev/null 2>&1。

Therefore, shell_exec_t needs to be allowed

2.2 Connecting tcp Ports

The speech-dispatcher service attempted to connect to target port 59125, but was denied by the SELinux policy. Therefore, you need to grant the speech-dispatcher permission to access the port. But I see the following statements in speech-dispatcher.te: : corenet_tcp_connect_pdps_port(speech_dispatcher_t) . I'm not sure whether you recommend pdps_port for speech_dispatcher.

Therefore, I have some doubts about this modification, so I can modify it according to the discussion with you.

2.3 Run files in speech-dispatcher-modules

Speech-dispatcher-modules is Speech-Dispatcher's own module file that provides support for a variety of speech synthesizers. speech-dispatcher-modules are defined as lib_t, and it might not be friendly to allow speech_dispatcher_t lib_t ... as a policy. Therefore, I think it is possible to define speech-dispatcher-modules as speech_dispatcher_modules_t in order to minimize permissions.

If you have different opinions about the type names here, we can discuss them.

3. Look forward to discussion

This is the SELinux rejection I found when using speech-dispatcherd.service. I have verified the feasibility of these fixes on my computer. For specific fixes, please refer to this PR: https://github.com/fedora-selinux/selinux-policy/pull/2101

I am a developer who is very interested in selinux, so I look forward to discussing with maintainer whether these selinux-policy fixes are feasible. @zpytela

gordonwwang commented 6 months ago

Is there anyone who can handle this problem? Because this affects rawhide/fc40/fc39, etc., all the fedora images I downloaded. I had to set SELinux to permissive/disable, which was not a long-term solution.

All I care about is whether you can fix the problem. It doesn't matter whether my commits are accepted or not

gordonwwang commented 3 months ago

@zpytela Could fedora consider fixing this issue? I don't want to disable SELinux in fedora 40