This problem seems to bite some of our hardened users a couple of times a year, so thought I’d blog about it. If you are using grsec and PulseAudio, you must not enable CONFIG_GRKERNSEC_SYSFS_RESTRICT in your kernel, else autodetection of your cards will fail.
PulseAudio’s module-udev-detect needs to access /sys to discover what cards are available on the system, and that kernel option disallows this for anyone but root.
Berkeley Churchill
November 27, 2013 — 3:28 am
Ooof!! Thanks for the heads-up; it would have taken me a while to figure that out.
Is there any way to allow access to /sys for certain users? Or allow only parts of /sys to certain users? I’m hoping there’s a way to get at least some of the benefit of restricting sysfs and get pulseaudio to work at the same time.
Arun
November 27, 2013 — 8:36 am
As far as I know, grsec doesn’t allow this sort of fine-grained access control. You probably need something like AppArmor or SELinux to achieve the same thing.
Alternatively, it seems that grsec has a hardcoded whitelist of allowed paths, so you might be able to get away with expanding that (though I don’t know how easy that would be to expand generically).
ajoyce
January 16, 2016 — 11:43 pm
Thank you
ajoyce
January 16, 2016 — 11:43 pm
Thank you!