SELinux Won't Allow Starting MIDI System

I am working on a project that I have created without MIDI configured (None selected as MIDI system). Now, I have connected a MIDI keyboard and I want to add MIDI connection, so I go to Window->MIDI Setup and then from MIDI System dropdown I select ALSA (Jack 2, 1.9.8 and later) or ALSA (Jack 1, 0.124 and later) and press Start. After a few moments, I get the message Could not connect to Audio/MIDI engine. At the same time I receive some SELINUX errors as follows:


SELinux is preventing gdb from open access on the chr_file /dev/snd/pcmC1D0p.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gdb should be allowed open access on the pcmC1D0p chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdb' --raw | audit2allow -M my-gdb
# semodule -X 300 -i my-gdb.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sound_device_t:s0
Target Objects                /dev/snd/pcmC1D0p [ chr_file ]
Source                        gdb
Source Path                   gdb
Port                          <Unknown>
Host                          codezombie
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.21-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.21-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     codezombie
Platform                      Linux codezombie 5.14.9-200.fc34.x86_64 #1 SMP Thu
                              Sep 30 11:55:35 UTC 2021 x86_64 x86_64
Alert Count                   22
First Seen                    2021-10-05 10:46:17 EDT
Last Seen                     2021-10-06 02:14:48 EDT
Local ID                      4f529be1-286d-4ca8-9b69-c6cc26628268

Raw Audit Messages
type=AVC msg=audit(1633500888.873:497): avc:  denied  { open } for  pid=5829 comm="gdb" path="/dev/snd/pcmC1D0p" dev="devtmpfs" ino=496 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0


Hash: gdb,abrt_t,sound_device_t,chr_file,open

A screenshot is added.
Screenshot

I have tried running “setenforce 0” and tryng again, but SELinux errors keep popping up as though it’s still running, and starting MIDI keeps failing. Selecting the two legacy options ALSA raw devices and ALSA sequencer does not fail, but MIDI connection is not made and is not working.

What is the security context of that file on your system? Here is what I see on mine, owned by root, part of the audio group, and a sound_device_t object.

$ ls -lhZ /dev/snd/pcmC0D0c
crw-rw----+ 1 root audio system_u:object_r:sound_device_t:s0 116, 11 Oct 6 08:45 /dev/snd/pcmC0D0c

Is your user part of the audio group?

It does seem strange that gdb is trying to open the pcm device, perhaps gdb does not have permission to open audio devices.
Presumably you are running jackd if you select that as part of the MIDI setup, which version are you actually running, and what is the command that was used to start jackd?

1 Like

Hi Chris,

Here’s the output of ls -lhZ on the two files:

crw-rw----+ 1 root audio system_u:object_r:sound_device_t:s0 116, 12 Oct 7 08:58 /dev/snd/pcmC1D0p crw-rw----+ 1 root audio system_u:object_r:sound_device_t:s0 116, 13 Oct 7 08:57 /dev/snd/pcmC1D0c
My user is part of the audio group. I can start Jack, but not the MIDI engine from Ardour.

My version of Ardour is 6.9.0, but I have no idea what command is being used to start Jackd when I press “Start”.
However, I just found something. While Ardour’s dialog was open I tried starting Jack using QJackCtl. It started jack without error and then I pressed start on Ardour’s dialog with the drop down for midi selecting ALSA (Jack 2, 1.9.8 and later). Ardour started without problem. Then, I cannot find MIDI connections inside Ardour. This is weird. It used to be accessible from Input menu for each MIDI track, but I don’t find it there, though I can confirm MIDI has started with Ardour.

Search the internet for command: audit2allow it will let you create a allow-rule from selinux error message. You first start the service that is denied by selinux, this will create a selinux error message in the log. Then run allow2audit to create a allow-rule from the selinux error message.

There might be something else wrong with your setup since: “setenforce 0” disables selinux you should not get any selinux errors after that.

I do not think that will be a useful path. Why would running Ardour cause gdb to attempt to access the audio device? Did Ardour crash? I am not aware that an Ardour crash will automatically start gdb, I thought based on the debug instructions that you have to explicitly connect gdb to a running Ardour process or start Ardour with gdb.

In the audit logs I have looked at the application is typically shown with a full path, so it looks a little strange that the source is listed as “gdb” and not “/usr/bin/gdb”.

Do you have any problems if you use a2jmidid instead of the built in ALSA jack MIDI bridge?