
Confined user show policy issue: camera cannot be accessed in Firefox (any confinement affected: user_u, staff_u, sysadm_u), tested with MS Teams & Zoom #2080

Open
py0xc3 opened this issue Apr 12, 2024 · 2 comments


py0xc3 commented Apr 12, 2024

Video conferencing is not possible once an account is confined: this affects user_u, staff_u, sysadm_u.

I have tested it many times in recent months with MS Teams and Zoom (in Firefox). It works fine once the confinement is disabled (unconfined_u), and the issue always occurs when any confinement is enabled.

Audio works fine. Only video is affected. But the logs are comprehensible and explain the issue: audit[9916]: AVC avc: denied { read } for pid=<firefox> comm="VideoCapture" name="video*" dev="devtmpfs" ino=970 (video* = video0, video1, video2, video3 = 4 entries).

MS Teams and Zoom behave the same. The logs are mostly the same, with the exception that the two differ in how often they try to get access to video.

I have provoked related logs with F39 KDE Spin in February 2024 (both for Zoom and MS Teams), and I just re-tried with F40 KDE Spin (MS Teams only). The issue has not changed in F40.

The actual test on F39 KDE:

  • I was testing Zoom at about 22:26:30, 20 Feb
  • I was testing MS Teams at about 22:29:40, 20 Feb

Related ausearch extract: seissuevideo_ausearch_f39
Related journalctl extract: seissuevideo_journalctl_f39

Just to have an immediate verification that F40 KDE Spin remains affected, here is a journalctl extract of F40 I just made, tested only with MS Teams: seissuevideo_journalctl_f40 (the behavior of MS Teams has not changed on F40). I expect that Zoom has not changed on F40 either. I assume that other tools for browser video conferencing would behave the same, too. I have not tested separately on Workstation/Gnome, but I don't see a reason to assume that Firefox & video conferencing would behave differently there. I have not tested video conferencing tools without a browser.
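An added example, not part of the original issue or the project's code: a small Python triage script for denials like the one quoted above, grouping them by source type, target type, class and permission so that repeated attempts on the video devices collapse into one finding per rule. The log lines are constructed, and the pid, scontext, tcontext and tclass values are assumptions because the quoted excerpt omits them.

```python
import re
from collections import Counter

# Constructed sample shaped like the denial quoted in the issue. The pid, the
# second inode, scontext, tcontext and tclass are assumptions (the excerpt
# omits them); the last AVC line is cut short on purpose.
CTX = ("scontext=staff_u:staff_r:staff_t:s0 "
       "tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0")
HEAD = 'audit[9916]: AVC avc:  denied  { read } for  pid=4321 comm="VideoCapture"'
SAMPLE_LOG = "\n".join([
    f'{HEAD} name="video0" dev="devtmpfs" ino=970 {CTX}',
    f'{HEAD} name="video1" dev="devtmpfs" ino=971 {CTX}',
    f'{HEAD} name="video0" dev="devtmpfs" ino=970 {CTX}',
    "kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    f'{HEAD} name="video2" dev="devtmpfs"',
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def sel_type(context):
    """Return the type field of user:role:type[:level], or '?' if absent."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else "?"

def parse_avc(line):
    """Parse one denial into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(m["rest"])}
    return {"perms": m["perms"].split(), "comm": f.get("comm", "?"),
            "name": f.get("name", "?"), "tclass": f.get("tclass", "?"),
            "source": sel_type(f.get("scontext")),
            "target": sel_type(f.get("tcontext"))}

def summarize(log_text):
    """Map (source, target, class, perm, comm) -> (count, sorted object names)."""
    counts, names = Counter(), {}
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            key = (rec["source"], rec["target"], rec["tclass"], perm, rec["comm"])
            counts[key] += 1
            names.setdefault(key, set()).add(rec["name"])
    return {k: (n, sorted(names[k])) for k, n in counts.items()}

if __name__ == "__main__":
    for key, (n, devs) in summarize(SAMPLE_LOG).items():
        print(n, *key, ",".join(devs))
```

The same function accepts text saved from `journalctl` or `ausearch -m AVC`, since both carry the `avc:  denied` record; lines missing the context fields are kept and reported with `?` rather than dropped.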

Author

py0xc3 commented May 24, 2024

@zpytela I think I have read that you also use KDE with confined users? I was wondering if you also experience this problem? Video conferences in Firefox and such? I can reproduce it on new installations, too. I'm wondering if that is really inherited in all our installations or if I provoke it somehow on mine (because others use KDE & confinement too, and I assumed everyone uses video conferences from time to time?).

The same for the USB storage issue in #2019: if you also work in a confined environment, how do you within the GUI from the confined account mount USB storages from other people that usually don't have properly set labels? (I will experiment if chcon -t user_home_dir_t /run/media/username makes a difference later, but I guess no in most Linux file systems if they come already with any labeling - I'll report in #2019 about it)

Btw, let me know if you prefer to have things in bugzilla rather than here.

Contributor

zpytela commented May 29, 2024

@py0xc3 I use KDE as the staff_u user and Meet in Firefox or Chrome works for me if that's what you are asking.
