Bug 1299697

Summary: SELinux prevents firefox from showing installed gnome shell extensions when viewing extensions.gnome.org
Product: [Fedora] Fedora
Reporter: Garrett Mitchener <garrett.mitchener>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 23
CC: beaaegicfqmq6rykaqaakty3lqcg6btv, dominick.grift, dwalsh, garrett.mitchener, lvrabec, marcvanwageningen, mgrepl, plautrba, renault
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-01-29 13:33:38 UTC
Type: Bug

Description Garrett Mitchener 2016-01-19 02:48:50 UTC
Description of problem:

You can install GNOME shell extensions through firefox. However, SELinux seems to be preventing the firefox plugin that does this from communicating with GNOME shell.


Version-Release number of selected component (if applicable):

firefox-43.0.3-1.fc23.i686
gnome-shell-3.18.3-1.fc23.i686
selinux-policy-3.13.1-158.fc23.noarch
selinux-policy-targeted-3.13.1-158.fc23.noarch


How reproducible:

Very consistent


Steps to Reproduce:

Log into GNOME

Open firefox and go to https://extensions.gnome.org/local/

It should show a list of installed gnome shell extensions

Instead, the page is mostly empty.

However, if I go to a terminal and run `setenforce permissive` as root, then reload the web page, my installed extensions show up.


Additional info:

I got these messages when running firefox in a terminal, with SELinux still in enforcing mode:


(plugin-container:14564): GnomeShellBrowserPlugin-WARNING **: Failed to grab shell version.

(plugin-container:14564): GnomeShellBrowserPlugin-WARNING **: Failed to retrieve extension list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.149" (uid=1000 pid=14564 comm="/usr/lib/firefox/plugin-container /usr/lib/mozilla") interface="org.gnome.Shell.Extensions" member="ListExtensions" error name="(unset)" requested_reply="0" destination=":1.33" (uid=1000 pid=5618 comm="/usr/bin/gnome-shell ")

That's what led me to try permissive mode.

Comment 1 Lukas Vrabec 2016-01-20 09:39:19 UTC
Hi,
Could you reproduce this issue and after that attach:
# ausearch -m AVC -ts recent

Thank you.

Comment 2 Phil 2016-01-20 13:55:34 UTC
Hi,

this might be a duplicate of 1299219.

Regards,
Phil

Comment 3 Miroslav Grepl 2016-01-21 08:31:18 UTC
Yes, what does

ausearch -m user_avc -ts recent

?

Comment 4 Phil 2016-01-21 08:46:40 UTC
it says "<no matches>".

Comment 5 Garrett Mitchener 2016-01-21 14:02:59 UTC
I also get <no matches> from both

ausearch -m AVC -ts recent
ausearch -m user_avc -ts recent

Comment 6 Garrett Mitchener 2016-01-21 14:06:10 UTC
Looking through the output of journalctl, there's this line:

Jan 21 08:53:27 grograman evolution.desktop[12039]: (plugin-container:2284): GnomeShellBrowserPlugin-WARNING **: Failed to retrieve extension list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.186" (uid=1000 pid=2284 comm="/usr/lib64/firefox/plugin-container /usr/lib64/moz") interface="org.gnome.Shell.Extensions" member="ListExtensions" error name="(unset)" requested_reply="0" destination=":1.34" (uid=1000 pid=3777 comm="/usr/bin/gnome-shell ")
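
In this thread both ausearch queries returned <no matches>, so the only record of the denial is the D-Bus error text in the journal. The following is an added example, not part of the bug report: a Python parser that turns that error text into structured fields for triage. The function names are hypothetical and the sample input is the journal line from Comment 6.

```python
import re
from collections import Counter

# Journal line copied from Comment 6 of this bug report.
SAMPLE = (
    'Jan 21 08:53:27 grograman evolution.desktop[12039]: (plugin-container:2284): '
    'GnomeShellBrowserPlugin-WARNING **: Failed to retrieve extension list: '
    'GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents '
    'this sender from sending this message to this recipient, 0 matched rules; '
    'type="method_call", sender=":1.186" (uid=1000 pid=2284 '
    'comm="/usr/lib64/firefox/plugin-container /usr/lib64/moz") '
    'interface="org.gnome.Shell.Extensions" member="ListExtensions" '
    'error name="(unset)" requested_reply="0" destination=":1.34" '
    '(uid=1000 pid=3777 comm="/usr/bin/gnome-shell ")'
)

DENIAL = "An SELinux policy prevents this sender from sending this message"
# sender/destination are each followed by a "(uid=.. pid=.. comm="..")" group.
PEER = re.compile(r'(sender|destination)="([^"]*)" \(uid=(\d+) pid=(\d+) comm="([^"]*)"\)')
# Remaining fields are key="value"; one key ("error name") contains a space.
PAIR = re.compile(r'(\w[\w ]*?)="([^"]*)"')

def parse_dbus_denial(line):
    """Return the fields of a D-Bus SELinux denial as a dict, or None."""
    if DENIAL not in line:
        return None
    tail = line.split(DENIAL, 1)[1]
    rec = {}
    for role, bus, uid, pid, comm in PEER.findall(tail):
        rec[role] = {"bus_name": bus, "uid": int(uid),
                     "pid": int(pid), "comm": comm.strip()}
    # Drop the peer groups first so their comm="..." is not read as a field.
    for key, val in PAIR.findall(PEER.sub("", tail)):
        rec[key.replace(" ", "_")] = val
    return rec

def summarize(lines):
    """Count denials per (sender executable, destination executable, method)."""
    counts = Counter()
    for line in lines:
        rec = parse_dbus_denial(line)
        if rec and "sender" in rec and "destination" in rec:
            exe = lambda peer: (peer["comm"].split() or ["?"])[0]
            method = f'{rec.get("interface")}.{rec.get("member")}'
            counts[(exe(rec["sender"]), exe(rec["destination"]), method)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize([SAMPLE]).items():
        print(n, *key)
```
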

Comment 7 Couret Charles-Antoine 2016-01-27 12:51:15 UTC
Resolved for me after updates.

Comment 8 marcvw 2016-01-28 08:06:21 UTC
Also fixed for me on 3 hosts, although without updates :)

Comment 9 Miroslav Grepl 2016-01-29 13:33:38 UTC
Thank you.