Bug 495241
Summary: | (staff_u) SELinux is preventing the firefox from using potentially mislabeled files (dbusnotify.py). | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> |
Component: | firefox | Assignee: | Gecko Maintainer <gecko-bugs-nobody> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | dwalsh, gecko-bugs-nobody, mcepl, walters |
Target Milestone: | --- | Keywords: | Reopened, SELinux |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-04-14 15:00:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Matěj Cepl
2009-04-10 17:27:25 UTC
This looks like firefox is trying to execute a python file in your home directory under .mozilla? This should be allowed by current Rawhide policy if you are allowing content to be executed in your home dir. selinux-policy-3.6.12-2.fc11.noarch allow_staff_exec_content --> on (In reply to comment #1) > This looks like firefox is trying to execute a python file in your home > directory under .mozilla? > > This should be allowed by current Rawhide policy if you are allowing content > to be executed in your home dir. > > selinux-policy-3.6.12-2.fc11.noarch > > allow_staff_exec_content --> on Except, I have allow_staff_exec_content on. But also I have some crashes on /var (using BTRFS), could it be related? audit2allow -w -i /tmp/t node=viklef.ceplovi.cz type=AVC msg=audit(1239178310.656:45): avc: denied { execute } for pid=3918 comm="firefox" name="dbusnotify.py" dev=dm-6 ino=737596 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:mozilla_home_t:s0 tclass=file Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. rpm -q selinux-policy selinux-policy-3.6.12-3.fc11.noarch # setsebool -P allow_staff_exec_content=0 # audit2allow -w -i /tmp/t node=viklef.ceplovi.cz type=AVC msg=audit(1239178310.656:45): avc: denied { execute } for pid=3918 comm="firefox" name="dbusnotify.py" dev=dm-6 ino=737596 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:mozilla_home_t:s0 tclass=file Was caused by: The boolean allow_staff_exec_content was set incorrectly. Description: allow_staff_exec_content Allow access by executing: # setsebool -P allow_staff_exec_content 1 sh-4.0# I think you need to update your policy. I don't think the btrfs problem is related. |