Bug 1246912
| Summary: | SELinux is preventing plugin-containe from 'create' accesses on the directory .linphone-web. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ervin <ervindiner> | ||||||
| Component: | selinux-policy | Assignee: | Vit Mojzis <vmojzis> | ||||||
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | low | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | 22 | CC: | diego.ml, dominick.grift, dwalsh, ervindiner, lvrabec, mgrepl, plautrba | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:2ab478b1aadd4462cce46de381ad1e33d92b88f0c08ec4b662ca1008f1dd0f63 | ||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | |||||||||
| : | 1279752 (view as bug list) | Environment: | |||||||
| Last Closed: | 2015-12-17 15:49:59 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1279752 | ||||||||
| Attachments: |
|
||||||||
I don't want to disable Selinux Control on the Firefox Plugins,it can cause security problems. Instead Selinux Policy should be updated. I don't think the Linphone web plugin is a threat to the system. However it must be checked it just by plainly allowing it, it can cause other security issues. Created attachment 1076216 [details]
Linphone web Type Enforcement rule file
Created attachment 1076218 [details]
Linphone web SELinux policy module file
SELinux policy module file to allow Linphone web plugin run.
(In reply to Diego from comment #3) > Created attachment 1076218 [details] > Linphone web SELinux policy module file > > SELinux policy module file to allow Linphone web plugin run. This file is generated by using audit2allow iteratively while encountering AVC denials, not hand writted. More AVCs might be encountered during use. Hello Diego, can modifying that file introduce security vulnerabilities? (In reply to Ervin from comment #1) > I don't want to disable Selinux Control on the Firefox Plugins,it can cause > security problems. > Instead Selinux Policy should be updated. I don't think the Linphone web > plugin is a threat to the system. > However it must be checked it just by plainly allowing it, it can cause > other security issues. This could work with filename transitions rules for ~/.linphone-web. Could you play around cat myplugin.te policy_module(myplugin.te,1.0) require{ type mozilla_home_t; } userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".linphone-web") and run # make -f /usr/share/selinux/devel/Makefile myplugin.pp # semodule -i myplugin.pp You will need to remove ~/.linphone-web to be recreated with a correct labeling. Thank you. I am having other problems with Web Linphone for now. The bug must be directed to Firefox. So I can't test it for now. *** This bug has been marked as a duplicate of bug 1279752 *** |
Description of problem: I installed the linphone web plugin in Firefox. However selinux is preventing the plugin creating access on the directory. linphone-web, not allowing me to sign in with my linphne credentials. SELinux is preventing plugin-containe from 'create' accesses on the directory .linphone-web. ***** Plugin mozplugger (99.1 confidence) suggests ************************ If you want to use the plugin package Then you must turn off SELinux controls on the Firefox plugins. Do # setsebool -P unconfined_mozilla_plugin_transition 0 ***** Plugin catchall (1.81 confidence) suggests ************************** If you believe that plugin-containe should be allowed create access on the .linphone-web directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target Context unconfined_u:object_r:user_home_dir_t:s0 Target Objects .linphone-web [ dir ] Source plugin-containe Source Path plugin-containe Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-128.6.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.0.8-300.fc22.x86_64 #1 SMP Fri Jul 10 21:04:56 UTC 2015 x86_64 x86_64 Alert Count 2 First Seen 2015-07-27 00:22:43 CEST Last Seen 2015-07-27 00:23:01 CEST Local ID da54effe-5222-4ba6-91c2-84ff83a4959b Raw Audit Messages type=AVC msg=audit(1437949381.664:598): avc: denied { create } for pid=3747 comm="plugin-containe" name=".linphone-web" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 Hash: plugin-containe,mozilla_plugin_t,user_home_dir_t,dir,create Version-Release number of selected component: selinux-policy-3.13.1-128.6.fc22.noarch Additional info: reporter: libreport-2.6.1 hashmarkername: setroubleshoot kernel: 4.0.8-300.fc22.x86_64 type: libreport Potential duplicate: bug 799313