Bug 679042

Summary: SELinux is preventing /usr/lib/firefox-3.6/firefox from 'read' accesses on the file pulse-shm-2393205026.
Product: Fedora
Reporter: cyrushmh <cyrusyzgtt>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: dwalsh, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:49e1e377a749eafca3a34d3d7decc36e747491a154c093c498c8b38c31f7cda4
Doc Type: Bug Fix
Last Closed: 2011-05-16 14:50:01 UTC

Description cyrushmh 2011-02-21 11:47:29 UTC
SELinux is preventing /usr/lib/firefox-3.6/firefox from 'read' accesses on the file pulse-shm-2393205026.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that firefox should be allowed read access on the pulse-shm-2393205026 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep firefox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:sandbox_web_client_t:s0:c134,c794
Target Context                unconfined_u:object_r:sandbox_net_client_tmpfs_t:s0:c193,c540
Target Objects                pulse-shm-2393205026 [ file ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.6/firefox
Port                          <未知>
Host                          (removed)
Source RPM Packages           pulseaudio-0.9.21-7.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon Feb 7 06:57:55 UTC 2011 i686 i686
Alert Count                   2
First Seen                    2011年02月21日 星期一 17时40分08秒
Last Seen                     2011年02月21日 星期一 17时40分09秒
Local ID                      3d83ee4d-7bf6-4e23-a1bd-a5d2c984da7a

Raw Audit Messages
type=AVC msg=audit(1298281209.312:261): avc:  denied  { read } for  pid=22002 comm="pulseaudio" name="pulse-shm-2393205026" dev=tmpfs ino=6564024 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c134,c794 tcontext=unconfined_u:object_r:sandbox_net_client_tmpfs_t:s0:c193,c540 tclass=file


type=SYSCALL msg=audit(1298281209.312:261): arch=i386 syscall=open success=no exit=EACCES a0=bffd2de0 a1=a0000 a2=0 a3=bffd2ecd items=0 ppid=22000 pid=22002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=pulseaudio exe=/usr/bin/pulseaudio subj=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c134,c794 key=(null)

Hash: firefox,sandbox_web_client_t,sandbox_net_client_tmpfs_t,file,read

audit2allow

#============= sandbox_web_client_t ==============
allow sandbox_web_client_t sandbox_net_client_tmpfs_t:file read;

audit2allow -R

#============= sandbox_web_client_t ==============
allow sandbox_web_client_t sandbox_net_client_tmpfs_t:file read;

Comment 1 Miroslav Grepl 2011-02-21 13:48:45 UTC
Could you add sandbox commands which you are trying to do?

Comment 2 Daniel Walsh 2011-02-21 16:11:21 UTC
This looks like back to back sandbox apps, one using sandbox_net_t and then sandbox_web_t.  Since the pulseaudio file was created in /dev/shm, the second sandboxed app is trying to access the first.

Not sure the best way to fix this, other than maybe dontaudit and hope that pulseaudio does the right thing.

Comment 3 Miroslav Grepl 2011-02-21 18:39:17 UTC
cyrushmh,
does it work for you?

Comment 4 cyrushmh 2011-02-22 08:48:41 UTC
(In reply to comment #1)
> Could you add sandbox commands which you are trying to do?

$ sandbox -X -w=800x640 -i ~/.mozilla -t sandbox_web_t firefox
to use google search "online tv", then play, then
(In reply to comment #2)
> This looks like back to back sandbox apps, one using sandbox_net_t and then
> sandbox_web_t.  Since the pulseaudio file was created in /dev/shm, the second
> sandboxed app is trying to access the first.
> 
> Not sure the best way to fix this, other then maybe dontaudit and hope that
> pulseaudio does the right thing.

yes, before I try sandbox_net_t opera, but no info and autoexit

(In reply to comment #3)
> cyrushmh,
> does it work for you?
yes, firefox works, but I change about:config something, sometimes nothing, when I reload, then load & see

Comment 5 Miroslav Grepl 2011-02-22 12:01:10 UTC
So I think we can dontaudit it.

Comment 6 Daniel Walsh 2011-02-22 14:55:29 UTC
Yes, since we do not want to allow it.
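The following script is an added example, not part of the bug report or of the selinux-policy package. It parses the AVC record quoted in the description above and shows the two facts behind the discussion: the source and target types differ (which is all audit2allow looks at when it emits the allow rule shown in the description), and the MCS categories of the two sandbox instances (c134,c794 versus c193,c540) are disjoint, so the sandbox domain, which is MCS-constrained, would not be able to read the file even if the type rule were allowed. It also renders the dontaudit form that comments 5 and 6 settle on. The only input is the page's own audit line, embedded as a constant; the category-dominance check is written for the general case (including c0.c1023 style ranges), which goes slightly beyond the single line on the page.

```python
import re

# Constructed input: the AVC record from the bug report above, copied verbatim.
AVC_LINE = (
    'type=AVC msg=audit(1298281209.312:261): avc:  denied  { read } for  pid=22002 '
    'comm="pulseaudio" name="pulse-shm-2393205026" dev=tmpfs ino=6564024 '
    'scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c134,c794 '
    'tcontext=unconfined_u:object_r:sandbox_net_client_tmpfs_t:s0:c193,c540 tclass=file'
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value" pairs
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')    # the "{ read }" permission set


def parse_categories(level):
    """Expand an MCS level like 's0:c134,c794' or 's0:c0.c1023' into a set of ints.
    For a range 's0-s0:c0.c1023' the high end (after '-') is used."""
    high = level.split('-')[-1]
    if ':' not in high:
        return set()
    cats = set()
    for piece in high.split(':', 1)[1].split(','):
        if '.' in piece:                      # cN.cM means every category from N to M
            lo, hi = piece.split('.')
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(piece[1:]))
    return cats


def parse_context(ctx):
    """Split user:role:type:level into fields; the level may itself contain ':'."""
    user, role, type_, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_,
            'level': level, 'cats': parse_categories(level)}


def analyze_avc(line):
    """Parse one AVC denial and describe it in terms of types and MCS categories."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    perms = PERMS_RE.search(line).group(1).split()
    src = parse_context(fields['scontext'])
    tgt = parse_context(fields['tcontext'])
    return {
        'perms': perms,
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': src['type'],
        'target_type': tgt['type'],
        'source_cats': src['cats'],
        'target_cats': tgt['cats'],
        # For MCS-constrained domains (sandbox domains are), reading an object
        # requires the process's categories to cover the object's categories.
        'mcs_dominates': tgt['cats'] <= src['cats'],
    }


def te_rule(result, kind='allow'):
    """Render an audit2allow-style TE rule ('allow' or 'dontaudit') for the denial."""
    perms = ' '.join(result['perms'])
    if len(result['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return f"{kind} {result['source_type']} {result['target_type']}:{result['tclass']} {perms};"


def explain(result):
    """Human-readable summary of why the access failed and what each rule would do."""
    lines = [f"{result['comm']} ({result['source_type']}) was denied "
             f"{' '.join(result['perms'])} on {result['name']} ({result['target_type']})"]
    if result['source_type'] != result['target_type']:
        lines.append(f"type rule audit2allow would emit: {te_rule(result, 'allow')}")
    if not result['mcs_dominates']:
        lines.append(f"MCS categories {sorted(result['source_cats'])} do not cover "
                     f"{sorted(result['target_cats'])}: each sandbox run gets its own random "
                     "categories, so the type rule alone would still not grant access")
    lines.append(f"silence without granting: {te_rule(result, 'dontaudit')}")
    return lines


if __name__ == '__main__':
    for text in explain(analyze_avc(AVC_LINE)):
        print(text)
```

Running it prints the allow line exactly as audit2allow produced it in the description, followed by the category mismatch and the dontaudit form; the same parser works on any single AVC line pasted from /var/log/audit/audit.log.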