[RHEL-70460] SELinux prevents "alsactl monitor" command from watching /dev/snd/ - Red Hat Issue Tracker

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.0
Component/s: selinux-policy
Labels:
- known_issue_100

Regression:
No
Severity:
Low
Epic Link:
SELINUX-3824

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
None
Test Coverage:

Automated

Experience:
Architecture:

x86_64

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

found during testing of the alsactl utility

What is the impact of this issue to you?

no impact except for the SELinux denial that is logged

Please provide the package NVR for which the bug is seen:

alsa-lib-1.2.12-3.el10.x86_64
alsa-ucm-1.2.12-3.el10.noarch
alsa-utils-1.2.12-2.el10.x86_64
selinux-policy-40.13.16-1.el10.noarch
selinux-policy-devel-40.13.16-1.el10.noarch
selinux-policy-doc-40.13.16-1.el10.noarch
selinux-policy-mls-40.13.16-1.el10.noarch
selinux-policy-sandbox-40.13.16-1.el10.noarch
selinux-policy-targeted-40.13.16-1.el10.noarch

How reproducible is this bug?:

Steps to reproduce

get a RHEL-10 machine (targeted policy is active)
runcon system_u:system_r:initrc_t:s0 bash -c 'alsactl monitor'
search for SELinux denials

Expected results

no SELinux denials

Actual results

----
type=PROCTITLE msg=audit(12/09/24 14:00:25.789:216) : proctitle=alsactl monitor 
type=PATH msg=audit(12/09/24 14:00:25.789:216) : item=0 name=/dev/snd/ inode=387 dev=00:06 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/09/24 14:00:25.789:216) : cwd=/root 
type=SYSCALL msg=audit(12/09/24 14:00:25.789:216) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x5 a1=0x55c20da2525b a2=0x100 a3=0x0 items=1 ppid=2773 pid=3132 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=alsactl exe=/usr/sbin/alsactl subj=system_u:system_r:alsa_t:s0 key=(null) 
type=AVC msg=audit(12/09/24 14:00:25.789:216) : avc:  denied  { watch } for  pid=3132 comm=alsactl path=/dev/snd dev="devtmpfs" ino=387 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=0 
----

is related to

RHEL-61472 alsa fs attr selinux denial

Release Pending

links to

TCMS Test Case 285731

Assignee:: Zdenek Pytela

Reporter:: Milos Malik

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/12/09 1:26 PM

Updated:: 2025/03/13 4:26 PM

Stale Date:: 2025/12/08

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide