search

fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0
164 stars 164 forks source link

Fix speech-dispatcherd.service denials #2101

Open gordonwwang opened 5 months ago

gordonwwang commented 5 months ago

When systemctl start speech-dispatcherd.service, the following AVC denial occurs:

  1. speech-dispatcher working directory changes, causing AVC rejection. 

    type=AVC msg=audit(1713942006.045:1230): avc:  denied  { create } for  pid=12672 comm="speech-dispatch" name="speech-dispatcher" scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1713942006.053:1232): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=speech-dispatcherd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'^]UID="root" AUID="unset"

  2. bash command, tcp port connection, and speech dispatcher-modules access are denied.

The audit.log is as follows:

239:type=AVC msg=audit(1714149641.307:1053): avc:  denied  { execute } for  pid=6920 comm="speech-dispatch" name="bash" dev="dm-0" ino=16782846 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
240:type=AVC msg=audit(1714149641.308:1054): avc:  denied  { execute } for  pid=6921 comm="speech-dispatch" name="bash" dev="dm-0" ino=16782846 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
241:type=AVC msg=audit(1714149641.308:1055): avc:  denied  { name_connect } for  pid=6909 comm="speech-dispatch" dest=59125 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
242:type=AVC msg=audit(1714149641.310:1056): avc:  denied  { execute } for  pid=6922 comm="speech-dispatch" name="bash" dev="dm-0" ino=16782846 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
243:type=AVC msg=audit(1714149641.311:1057): avc:  denied  { execute } for  pid=6923 comm="speech-dispatch" name="bash" dev="dm-0" ino=16782846 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
244:type=AVC msg=audit(1714149641.313:1058): avc:  denied  { execute_no_trans } for  pid=6924 comm="speech-dispatch" path="/usr/lib64/speech-dispatcher-modules/sd_cicero" dev="dm-0" ino=34460340 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
245:type=AVC msg=audit(1714149641.317:1059): avc:  denied  { execute_no_trans } for  pid=6925 comm="speech-dispatch" path="/usr/lib64/speech-dispatcher-modules/sd_espeak-ng" dev="dm-0" ino=34566660 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
246:type=AVC msg=audit(1714149641.321:1060): avc:  denied  { execute_no_trans } for  pid=6926 comm="speech-dispatch" path="/usr/lib64/speech-dispatcher-modules/sd_espeak-ng" dev="dm-0" ino=34566660 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
247:type=AVC msg=audit(1714149641.324:1061): avc:  denied  { execute_no_trans } for  pid=6927 comm="speech-dispatch" path="/usr/lib64/speech-dispatcher-modules/sd_dummy" dev="dm-0" ino=34460341 scontext=system_u:system_r:speech_dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0

Related discussion: https://github.com/fedora-selinux/selinux-policy/issues/2100