Confined user show policy issue: camera cannot be accessed in Firefox (any confinement affected: user_u, staff_u, sysadm_u), tested with MS Teams & Zoom

[py0xc3]

Video conferencing is not possible once an account is confined: this affects user_u, staff_u, sysadm_u.

I have tested it many times in the recent months with MS Teams and Zoom (in Firefox). It works fine once the confinement is disabled (unconfined_u), and the issue occurs always when any confinement is enabled.

Audio works fine. Only video is affected. But the logs are comprehensible and explain the issue: audit[9916]: AVC avc: denied { read } for pid=<firefox> comm="VideoCapture" name="video*" dev="devtmpfs" ino=970 (video* = video0, video1, video2, video3 = 4 entries).

MS Teams and Zoom behave the same. The logs are mostly the same, with the exception that the two differ in how often they try to get access to video.

I have provoked related logs with F39 KDE Spin in February 2024 (both for Zoom and MS Teams), and I just re-tried with F40 KDE Spin (MS Teams only). The issue has not changed in F40.

The actual test on F39 KDE:

• I was testing Zoom at about 22:26:30, 20 Feb
• I was testing MS Teams at about 22:29:40, 20 Feb

Related ausearch extract: seissuevideo_ausearch_f39
Related journalctl extract: seissuevideo_journalctl_f39

Just to have an immediate verification that F40 KDE Spin remains affected, here is a journalctl extract of F40 I just made, tested only with MS Teams: seissuevideo_journalctl_f40 (the behavior of MS Teams has not changed on F40). I expect that Zoom has not changed on F40 as well. I assume that other tools for browser video conferencing would behave the same, too. I have not tested separately on Workstation/Gnome, but I don't see a reason to assume that Firefox & video conferencing would behave different there. I have not tested video conferencing tools without browser.

[py0xc3]

@zpytela I think to have read that you also use KDE with confined users? I was wondering if you also experience this problem? Video conferences in Firefox and such? I can reproduce it on new installations, too. I'm wondering if that is really inherited in all our installations or if I provoke it somehow on mine (because other use KDE & confinement too, and I assumed everyone uses video conferences from time to time?).

The same for the usb storage issue in #2019 , if you also work in a confined environment, how do you within the GUI from the confined account mount USB storages from other people that usually don't have properly set labels? (I will experiment if chcon -t user_home_dir_t /run/media/username makes a difference later, but I guess no in most Linux file systems if they come already with any labeling - I'll report in #2019 about it)

Btw, let me know if you prefer to have things in bugzilla rather than here.

[zpytela]

@py0xc3 I use KDE as the staff_u user and Meet in firefox or chrome works for me if that's what you are asking.

[py0xc3]

@zpytela I could now verify with Google Meets in Firefox. Just like MS Teams and Zoom, the camera cannot be accessed when the user account is confined with sysadm_u. F41 KDE Spin, up to date as of the test day (5.1.25).

I have not done any SELinux modifications on the two systems I could test on (as it comes with the default updates), no external kernel modules or so, and except mesa-va-drivers-freeworld+mesa-vdpau-drivers-freeworld (rpmfusion-free is contained with includepkgs and the two packages, which I also verified to not have conflicts at the moment), I have only the default repos of Fedora enabled.

It might be noted that the earlier test above (of Zoom and Teams) not contain anything from rpmfusion at all, only default repos (I cannot imagine that mesa-va/-vdpau have anything to do with this issue anyway).

I am not sure if you have done any modifications beyond the defaults on your system? Or do you use an app? Otherwise, the issue might be related to any difference of the very Fedora release we used to install? There are configurations that ain't touched by release upgrades. I assume one of the two installations has been setup with F37 (based on the delivery date of the hardware), the other any time later. But I cannot imagine this is linked.

Below are the related extracts of the 5.1.25 log at the very times I tried to get the camera in Google Meets in Firefox (two attempts):
Attempt 1)

Jan 05 15:07:11 fedora systemd[1]: dbus-:[email protected]: Consumed 1.280s CPU time, 44.3M memory peak.
Jan 05 15:07:11 fedora audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@10 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 05 15:07:11 fedora systemd[1]: dbus-:[email protected]: Deactivated successfully.
Jan 05 15:07:02 fedora setroubleshoot[22666]: SELinux is preventing rtkit-daemon from using the setsched access on a process.
Jan 05 15:07:02 fedora setroubleshoot[22666]: SELinux is preventing rtkit-daemon from using the setsched access on a process. For complete SELinux messages run: sealert -l df6eee8e-ef52-4fa4-b6eb-c378ba523342
Jan 05 15:07:02 fedora kernel: snd_pci_acp6x 0000:04:00.5: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0016 address=0xfffffffffffffffc flags=0x0030]
Jan 05 15:07:01 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@10 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 05 15:07:01 fedora systemd[1]: Started dbus-:[email protected].
Jan 05 15:07:00 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 05 15:07:00 fedora systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Jan 05 15:07:00 fedora systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Jan 05 15:06:58 fedora rtkit-daemon[1822]: Failed to make thread 22617 RT: Permission denied
Jan 05 15:06:58 fedora audit[1822]: AVC avc:  denied  { setsched } for  pid=1822 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0

Attempt 2)

Jan 05 15:09:27 fedora setroubleshoot[23410]: SELinux is preventing rtkit-daemon from using the setsched access on a process.
Jan 05 15:09:27 fedora setroubleshoot[23410]: SELinux is preventing rtkit-daemon from using the setsched access on a process. For complete SELinux messages run: sealert -l df6eee8e-ef52-4fa4-b6eb-c378ba523342
Jan 05 15:09:26 fedora kernel: snd_pci_acp6x 0000:04:00.5: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0016 address=0xfffffffffffffffc flags=0x0030]
Jan 05 15:09:26 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@11 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 05 15:09:26 fedora systemd[1]: Started dbus-:[email protected].
Jan 05 15:09:25 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 05 15:09:25 fedora systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Jan 05 15:09:25 fedora systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Jan 05 15:09:24 fedora audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.kde.powerdevil.backlighthelper@25 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 05 15:09:24 fedora systemd[1]: dbus-:[email protected]: Deactivated successfully.
Jan 05 15:09:23 fedora rtkit-daemon[1822]: Failed to make thread 23378 RT: Permission denied
Jan 05 15:09:23 fedora audit[1822]: AVC avc:  denied  { setsched } for  pid=1822 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0