| Summary: | SELinux is preventing 57656220436F6E74656E74 from sendto access on the unix_dgram_socket | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | JayJayJazz <jayjayjazz> |
| Component: | selinux-policy | Assignee: | Gecko Maintainer <gecko-bugs-nobody> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | dominick.grift, dwalsh, gecko-bugs-nobody, jhorak, lvrabec, mgrepl, pjasicek, plautrba, pmoore, ssekidde |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-01-28 09:50:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
JayJayJazz
2016-12-11 10:55:10 UTC
SELinux is preventing 57656220436F6E74656E74 from sendto access on the unix_dgram_socket 006E7669646961653338343162396400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.
***** Plugin mozplugger (99.1 confidence) suggests ************************
If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0
***** Plugin catchall (1.81 confidence) suggests **************************
If you believe that 57656220436F6E74656E74 should be allowed sendto access on the 006E7669646961653338343162396400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '57656220436F6E74656E74' --raw | audit2allow -M my-57656220436F6E74656E74
# semodule -X 300 -i my-57656220436F6E74656E74.pp
Additional Information:
Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023
Target Objects 006E766964696165333834316239640000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 [ unix_dgram_socket ]
Source 57656220436F6E74656E74
Source Path 57656220436F6E74656E74
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.1.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 4.8.12-300.fc25.x86_64 #1 SMP Fri Dec 2 17:52:11 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-12-11 11:27:55 CET
Last Seen 2016-12-11 11:27:55 CET
Local ID 02da41fc-b8bb-45dd-a515-1e05a6008925
Raw Audit Messages
type=AVC msg=audit(1481452075.314:261): avc: denied { sendto } for pid=2868 comm=57656220436F6E74656E74 path=006E7669646961653338343162396400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
Hash: 57656220436F6E74656E74,mozilla_plugin_t,xserver_t,unix_dgram_socket,sendto
Application Basics
------------------

Name: Firefox
Version: 50.0.2
Build ID: 20161130084405
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
OS: Linux 4.8.12-300.fc25.x86_64
Multiprocess Windows: 0/1 (Disabled)
Safe Mode: false

Extensions
----------

Name: Multi-process staged rollout
Version: 1.5
Enabled: true
ID: e10srollout

Name: Pocket
Version: 1.0.5
Enabled: true
ID: firefox

Name: Web Compat
Version: 1.0
Enabled: true
ID: webcompat

Graphics
--------

Features
Compositing: Basic
Asynchronous Pan/Zoom: none
WebGL Renderer: NVIDIA Corporation -- Quadro 3000M/PCIe/SSE2
WebGL2 Renderer: (no info)
Hardware H264 Decoding: No
Audio Backend: pulse

GPU #1
Active: Yes
Description: NVIDIA Corporation -- Quadro 3000M/PCIe/SSE2
Vendor ID: NVIDIA Corporation
Device ID: Quadro 3000M/PCIe/SSE2
Driver Version: 4.5.0 NVIDIA 375.20

Diagnostics
AzureCanvasAccelerated: 0
AzureCanvasBackend: skia
AzureContentBackend: cairo
AzureFallbackCanvasBackend: none
CairoUseXRender: 0

Decision Log
HW_COMPOSITING: blocked by default: Acceleration blocked by platform
OPENGL_COMPOSITING: unavailable by default: Hardware compositing is disabled

Important Modified Preferences
------------------------------

accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 358400
browser.cache.disk.filesystem_reported: 1
browser.cache.disk.smart_size.first_run: false
browser.cache.frecency_experiment: 4
browser.download.importedFromSqlite: true
browser.places.smartBookmarksVersion: 8
browser.startup.homepage_override.buildID: 20161130084405
browser.startup.homepage_override.mstone: 50.0.2
browser.tabs.warnOnClose: false
browser.urlbar.daysBeforeHidingSuggestionsPrompt: 2
browser.urlbar.lastSuggestionsPromptDate: 20161203
browser.urlbar.userMadeSearchSuggestionsChoice: true
extensions.lastAppVersion: 50.0.2
media.gmp-manager.buildID: 20161130084405
media.gmp-manager.lastCheck: 1481450755
media.gmp.storage.version.observed: 1
network.cookie.cookieBehavior: 1
network.cookie.lifetimePolicy: 2
network.cookie.prefsMigrated: true
network.predictor.cleaned-up: true
places.history.expiration.transient_current_max_pages: 104858
plugin.disable_full_page_plugin_for_types: application/pdf
plugin.importedState: true
plugin.state.libgnome-shell-browser-plugin: 0
plugin.state.librhythmbox-itms-detection-plugin: 0
privacy.clearOnShutdown.offlineApps: true
privacy.clearOnShutdown.siteSettings: true
privacy.donottrackheader.enabled: true
privacy.sanitize.sanitizeOnShutdown: true
privacy.trackingprotection.enabled: true
privacy.trackingprotection.introCount: 20
services.sync.declinedEngines:

Important Locked Preferences
----------------------------

Places Database
---------------

JavaScript
----------

Incremental GC: true

Accessibility
-------------

Activated: false
Prevent Accessibility: 0

Library Versions
----------------

NSPR
Expected minimum version: 4.13.1
Version in use: 4.13.1

NSS
Expected minimum version: 3.27
Version in use: 3.27

NSSSMIME
Expected minimum version: 3.27
Version in use: 3.27

NSSSSL
Expected minimum version: 3.27
Version in use: 3.27

NSSUTIL
Expected minimum version: 3.27
Version in use: 3.27

Experimental Features
---------------------

Sandbox
-------

Seccomp-BPF (System Call Filtering): true
Seccomp Thread Synchronization: true
User Namespaces: true
Media Plugin Sandboxing: true

Switched to SELinux Team.

It also might be connected to: https://bugzilla.redhat.com/show_bug.cgi?id=1369627

Added two other Bug reports. My alert looks a little bit like the one reported in 1316313 and 1271401. Could it be related to the nvidia graphics driver? I'm using 370.20 from rpmfusion repo.

Do I understand it correctly that the target should be the xserver? It is still puzzling me why the issuer should be "mozilla_plugin". None is enabled...

Since some time has passed, we are already at Firefox 51.0.1 and a newer version of the SELinux policy. So I will close this one.
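The `comm` and `path` values in the raw AVC record of this report are hex strings because the audit subsystem hex-encodes untrusted fields that contain spaces, quotes or non-printable bytes. The following is an added example, not part of the original report or of any tool named in it, that parses that record and decodes those fields; the function names are hypothetical, and showing an abstract unix socket (leading NUL byte) as `@name` is a display convention chosen here.

```python
import re

# AVC record from the report above. The path value is rebuilt as its
# non-zero prefix plus the trailing NUL padding to keep the line short.
PATH_HEX = "006E76696469616533383431623964" + "00" * 49
AVC = (
    "type=AVC msg=audit(1481452075.314:261): avc: denied { sendto } for "
    "pid=2868 comm=57656220436F6E74656E74 path=" + PATH_HEX + " "
    "scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 "
    "tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 "
    "tclass=unix_dgram_socket permissive=0"
)

HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Only these fields are treated as possibly hex-encoded; a numeric field
# such as pid=2868 is also valid hex and must not be decoded.
ENCODED_FIELDS = {"comm", "path", "exe", "name"}


def decode_value(value):
    """Decode one audit field value: quoted text, or hex for untrusted bytes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if not HEX_RE.fullmatch(value):
        return value
    raw = bytes.fromhex(value)
    if raw[:1] == b"\x00":
        # A leading NUL marks an abstract unix socket; drop the padding.
        return "@" + raw[1:].rstrip(b"\x00").decode("utf-8", "replace")
    return raw.decode("utf-8", "replace")


def parse_avc(line):
    """Return the denied permissions and the decoded key=value fields."""
    perms = re.search(r"\{([^}]*)\}", line)
    fields = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = decode_value(value) if key in ENCODED_FIELDS else value
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


if __name__ == "__main__":
    for key, value in parse_avc(AVC).items():
        print(f"{key:10} {value}")
```

On a live system, `ausearch -i` performs the same interpretation of encoded fields.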