Bug 1462707
| Summary: | firefox content process crashes under ThinLinc | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Pierre Ossman <ossman> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-10-12 12:19:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Pierre Ossman
2017-06-19 11:24:21 UTC
Pierre, thinlinc_user_t SELinux domain is not part of RHEL or Fedora distribution policy. These allow rules should be fixed in thinlinc SELinux security module. Closing this BZ as CANTFIX. Well, we don't want to allow plugins free reign without a bit more understanding of things. Like: a) Why is plugin-container used for content processes on RHEL, but not Fedora? b) Why is it running as unconfined_t on RHEL 6 but not RHEL 7? If it's okay for 6 then can't you do the same for 7? I can remove ThinLinc from the equation, making this more general. Any scenario where $XAUTHORITY is somewhere uncommon tends to break. E.g. with NX:
$ XAUTHORITY=/usr/NX/home/nx/.Xauthority firefox
Leads to:
> type=AVC msg=audit(1497965378.813:547): avc: denied { search } for pid=6843 comm="plugin-containe" name="home" dev="dm-0" ino=67767068 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nx_server_var_lib_t:s0 tclass=dir
SELinux policy for both RHEL-6 and RHEL-7 defines a boolean called unconfined_mozilla_plugin_transition, which can influence whether the transition to mozilla_plugin_t happens. Ah, indeed. And the default seems to be different between RHEL 6 and RHEL 7 which explains why RHEL 6 works and RHEL 7 doesn't. So this could happen on some RHEL 6 systems as well I guess. Wouldn't it be reasonable to just allow 'search' on all dirs for mozilla_plugin_t? Requiring the Xauthority file to be tagged xauth_home_t is fine, but restricting every folder in the path up to it to specific types seems excessive. I'm not quite sure of the syntax, but something like: allow mozilla_plugin_t file_type:dir search; We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. |