Bug 711605

Summary: gecko-mediaplayer is blocked by selinux with xguest and firefox
Product: Fedora
Component: selinux-policy
Version: 15
Hardware: i686
OS: Linux
Severity: medium
Priority: unspecified
Status: CLOSED ERRATA
Reporter: jhgmvi
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, gecko-bugs-nobody, mcepl, mgrepl
Fixed In Version: selinux-policy-3.9.16-32.fc15
Doc Type: Bug Fix
Last Closed: 2011-07-08 18:10:44 UTC

Attachments:
    Custom selinux module to enable gecko media player with xguest
    Custom selinux module to enable gecko media player with xguest
    AVCs denial when using gecko-mediaplayer

Description jhgmvi 2011-06-07 21:02:52 UTC
Description of problem:
The gecko-mediaplayer plugin crashes when used with firefox and xguest.

Version-Release number of selected component (if applicable):
xguest.noarch                   1.0.9-4.fc15
gecko-mediaplayer.i686          1.0.3-2.fc15
firefox.i686                    4.0.1-2.fc15
selinux-policy.noarch           3.9.16-26.fc15
selinux-policy-targeted.noarch  3.9.16-26.fc15
gnome-mplayer-common.i686       1.0.3-1.fc15
gnome-mplayer-minimal.i686      1.0.3-1.fc15
mplayer.i686                    1.0-0.123.20110412svn.fc15
mplayer-common.i686             1.0-0.123.20110412svn.fc15

How reproducible:
Always, just need to play an mp3 from firefox.

Actual results:
Plugin crash

Additional info:

The plugin works flawlessly with an unconfined user.

# getsebool -a | grep xguest
allow_xguest_exec_content --> on
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on

Here are the relevant lines from /var/log/audit.log
type=AVC msg=audit(1307467526.905:66): avc:  denied  { write } for  pid=1635 comm="gnome-mplayer-m" name=".pulse-cookie" dev=tmpfs ino=83836 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1307467526.905:66): arch=40000003 syscall=5 success=yes exit=8 a0=8dcdb68 a1=8142 a2=180 a3=0 items=0 ppid=1 pid=1635 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=2 comm="gnome-mplayer-m" exe="/usr/bin/gnome-mplayer-minimal" subj=xguest_u:xguest_r:mozilla_plugin_t:s0 key=(null)
type=AVC msg=audit(1307467526.912:67): avc:  denied  { setattr } for  pid=1635 comm="gnome-mplayer-m" name=".pulse" dev=tmpfs ino=83840 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1307467526.912:67): arch=40000003 syscall=207 success=yes exit=0 a0=7 a1=1f5 a2=1f5 a3=8dd30e0 items=0 ppid=1 pid=1635 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=2 comm="gnome-mplayer-m" exe="/usr/bin/gnome-mplayer-minimal" subj=xguest_u:xguest_r:mozilla_plugin_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1307467528.761:68): auid=501 uid=501 gid=501 ses=2 subj=xguest_u:xguest_r:mozilla_plugin_t:s0 pid=1635 comm="gnome-mplayer-m" sig=6

audit2allow does not help; it needs to be run a few times before there are no more logs in audit.log. I end up with a few lines in a custom module, which does not seem to be the right solution, and the plugin still crashes.

Lines suggested by audit2allow:

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t user_home_t:file write;
allow mozilla_plugin_t user_home_t:dir { create setattr };
allow mozilla_plugin_t mencoder_exec_t:file { read execute open execute_no_trans };
allow mozilla_plugin_t user_home_dir_t:file { read write create open lock };
allow mozilla_plugin_t nsplugin_home_t:lnk_file create;
allow mozilla_plugin_t bluetooth_t:dbus send_msg;
allow mozilla_plugin_t consolekit_t:dbus send_msg;
allow mozilla_plugin_t rtkit_daemon_t:dbus send_msg;
allow mozilla_plugin_t self:process setrlimit;
allow mozilla_plugin_t self:unix_dgram_socket sendto;
allow mozilla_plugin_t udev_var_run_t:file { read getattr open };
allow mozilla_plugin_t mozilla_plugin_tmp_t:sock_file { create setattr write };

#============= pulseaudio_t ==============
allow pulseaudio_t mozilla_plugin_tmpfs_t:file { read getattr open unlink };

#============= xguest_t ==============
allow xguest_t mozilla_plugin_tmpfs_t:file { read unlink open };
allow xguest_t user_home_dir_t:file { read write open lock };

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t mozilla_plugin_t:dbus send_msg;
allow rtkit_daemon_t mozilla_plugin_t:process setsched;

#============= bluetooth_t ==============
allow bluetooth_t mozilla_plugin_t:dbus send_msg;

#============= consolekit_t ==============
allow consolekit_t mozilla_plugin_t:dbus send_msg;

Comment 1 Matěj Cepl 2011-06-07 21:44:37 UTC
Sorry,

gecko-mediaplayer.x86_64               1.0.3-2.fc15     rpmfusion-free          
gecko-mediaplayer-debuginfo.x86_64     1.0.3-2.fc15     rpmfusion-free-debuginfo

this is not a package provided by the Fedora project. Reassigning to SELinux component for decision of its developers whether they want to deal with it.

Comment 2 Dominick Grift 2011-06-07 22:05:44 UTC
(In reply to comment #0)

> allow pulseaudio_t mozilla_plugin_tmpfs_t:file { read getattr open unlink};
> allow xguest_t mozilla_plugin_tmpfs_t:file { read unlink open };

These two i recently fixed for rawhide:

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=40dd0ee854b098784e7e3f54f11f879bcbbb17b4

As for the other stuff:

I think there is some labelling issue; pulse-cookie should not be user_home_t, that is suspect.

matchpathcon /home/dgrift/.pulse-cookie
/home/dgrift/.pulse-cookie      staff_u:object_r:pulseaudio_home_t:s0

Do we have restorecond -u enabled for xguest?

As for the other stuff, I am not sure if we want to allow all that, but in theory I guess it could be done. I will leave that decision to others.

Comment 3 Miroslav Grepl 2011-06-08 10:17:16 UTC
jhgmvi,
did you try it also in permissive mode?

Comment 4 jhgmvi 2011-06-10 14:19:40 UTC
(In reply to comment #3)
> jhgmvi,
> did you try it also in permissive mode?

Yes, I switched to permissive mode after logging in with xguest; it didn't work in permissive mode either.
I can't retest before a few days, but I think there wasn't any log in audit.log.

Comment 5 jhgmvi 2011-06-10 14:29:57 UTC
(In reply to comment #2)
> (In reply to comment #0)
> 
> > allow pulseaudio_t mozilla_plugin_tmpfs_t:file { read getattr open unlink};
> > allow xguest_t mozilla_plugin_tmpfs_t:file { read unlink open };
> 
> These two i recently fixed for rawhide:
> 
> http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=40dd0ee854b098784e7e3f54f11f879bcbbb17b4
> 
> As for the other stuff:
> 
> I think there is some labelling issue; pulse-cookie should not be
> user_home_t, that is suspect.
> 
> matchpathcon /home/dgrift/.pulse-cookie
> /home/dgrift/.pulse-cookie      staff_u:object_r:pulseaudio_home_t:s0
> 
> Do we have restorecond -u enabled for xguest?
> 
> As for the other stuff i am not sure if we want to allow all that, but in
> theory i guess it could be done. I will leave that decision to others.

No, restorecond -u wasn't enabled. I tried with it enabled, still didn't work. But you were right, .pulse-cookie had the wrong type and it's fixed by restorecond.
I didn't try with your new rules yet; is it safe to use the rpm from rawhide on fc15 or should I make a custom module?
I'll send the audit.log when I'll be able to retest in a few days.

Comment 6 Dominick Grift 2011-06-10 14:36:10 UTC
(In reply to comment #5)
> I didn't try with your new rules yet, is it safe to use the rpm from rawhide on

No, you cannot use rawhide policy in F15. Mgrepl may be able to backport some related changes though.

If your app does not work in permissive mode, though, then there may be a problem with the app. It does not make much sense in that case to analyze some of the AVC denials more specific to the app when it is broken.

So I advise that you first try to make the app work in permissive mode, and if and when you get it to work in permissive mode, that you enclose the raw AVC denials that you get when testing in permissive mode.

Comment 7 jhgmvi 2011-06-10 22:59:43 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > I didn't try with your new rules yet, is it safe to use the rpm from rawhide on
> 
> No you cannot use rawhide policy in F15. Mgrepl may be able to back port some
> related changes though.
> 
> If your app does not work in permissive mode, though, then there may be a
> problem with the app. It does not make much sense in that case to analyze some
> of the AVC denials more specific to the app when it is broken.
> 
> So I advise that you first try to make the app work in permissive mode, and
> if/and when you got it to work in permissive mode, that you enclose the raw AVC
> denials that you get when testing in permissive mode.

OK, I managed to get a Fedora 15 machine earlier than expected.
It works in permissive mode now. I was quite sure it wasn't, at least without restorecond, but I've made so many tests ...
I've made a custom module with all the AVCs in audit.log; the file is attached: xguestlocal.te. Only part of the AVCs were logged in permissive mode, the others were logged only in enforcing mode. With this module there are no more AVCs either in permissive or enforcing mode. I have no idea what to do next...
I'm not sure either that some of the rules in this custom module are not a security breach.

Comment 8 jhgmvi 2011-06-10 23:03:14 UTC
Created attachment 504217 [details]
Custom selinux module to enable gecko media player with xguest

Does not work ...

Comment 9 Dominick Grift 2011-06-11 08:37:15 UTC
You may be overlooking some AVC denials; sometimes some go to /var/log/messages. It can also be that you may need to unload hidden denials with semodule -DB to expose hidden denials.

1. run semodule -DB
2. run setenforce 0
3. test your app and confirm that it works in permissive mode
4. grep -i /var/log/messages, /var/log/audit/audit.log and dmesg for "AVC" and enclose the raw avc denials.
5. run semodule -B
6. run setenforce 1

Comment 10 jhgmvi 2011-06-14 08:50:33 UTC
(In reply to comment #9)
> You may be overlooking some AVC denials; sometimes some go to
> /var/log/messages. It can also be that you may need to unload hidden denials
> with semodule -DB to expose hidden denials.
> 
> 1. run semodule -DB
> 2. run setenforce 0
> 3. test your app and confirm that it works in permissive mode
> 4. grep -i /var/log/messages, /var/log/audit/audit.log and dmesg for "AVC" and
> enclose the raw avc denials.
> 5. run semodule -B
> 6. run setenforce 1

It's working! Thanks a lot for your help. You were right, there was a last AVC denial in /var/log/messages.
Btw I find it confusing not to have all AVCs logged into audit.log.
Finally I end up with the custom module in attachment. It would need to be reviewed by an SELinux expert for security.

To sum up for those interested, if you want to run gecko-mediaplayer with the xguest user in Fedora 15:
1. ensure your user is running restorecond -u
2. install the attached module:
checkmodule -M -m -o xguestlocal.mod xguestlocal.te
semodule_package -o xguestlocal.pp -m xguestlocal.mod
semodule -i xguestlocal.pp

Comment 11 jhgmvi 2011-06-14 08:52:50 UTC
Created attachment 504626 [details]
Custom selinux module to enable gecko media player with xguest

No security guarantee, needs to be reviewed by an SELinux expert

Comment 12 Dominick Grift 2011-06-14 15:56:51 UTC
Could you also enclose the raw AVC denials please. There are some questionable access vectors that I would like to learn a bit more about.

Comment 13 jhgmvi 2011-06-16 19:10:23 UTC
Created attachment 505131 [details]
AVCs denial when using gecko-mediaplayer

AVCs denials from audit.log and messages.log used to build the custom module

Comment 14 Dominick Grift 2011-06-16 19:55:45 UTC
I added most of the required changes to master branch:

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=1021bec5b45f98514c4c4ef9cccc92d8fbfc0820

Some AVC denials are due to a bug in liborc (which should be fixed soon, I hope).
Some other AVC denials were related to a fix I committed earlier to master branch but that seems to have not made it yet into your branch.

Comment 15 jhgmvi 2011-06-17 07:04:56 UTC
(In reply to comment #14)
> I added most of the required changes to master branch:
> 
> http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=1021bec5b45f98514c4c4ef9cccc92d8fbfc0820
> 
> Some AVC denials are due to a bug in liborc (which should be fixed soon i hope)
> Some other AVC denials were related to a fix i commited earlier to master
> branch but that seem to have not made it yet into your branch.

OK. Does that mean that all bug fixes will come through an update in Fedora 15, or will it be only in 16?
How will I know which update fixes this issue?

Comment 16 Miroslav Grepl 2011-06-20 07:55:16 UTC
Fixed in selinux-policy-3.9.16-30.fc15.

Comment 17 jhgmvi 2011-06-29 21:45:34 UTC
(In reply to comment #16)
> Fixed in selinux-policy-3.9.16-30.fc15.

The gecko-mediaplayer plugin still crashes with selinux-policy-3.9.16-30.
However the custom module needed to make it work is much simpler:

#============= mozilla_plugin_t ==============

allow mozilla_plugin_t user_home_dir_t:file { write execute read create unlink open };
allow mozilla_plugin_t user_home_t:file { write execute unlink };
allow mozilla_plugin_t xguest_dbusd_t:dbus acquire_svc;

#============= pulseaudio_t ==============
allow pulseaudio_t mozilla_plugin_tmpfs_t:file { read open getattr unlink };

#============= xguest_t ==============
allow xguest_t mozilla_plugin_tmpfs_t:file read;

Comment 18 Dominick Grift 2011-06-29 21:50:52 UTC
(In reply to comment #17)
> 
> #============= mozilla_plugin_t ==============
> 
> allow mozilla_plugin_t user_home_dir_t:file { write execute read create unlink
> open };

This I believe is caused by a bug in orc, so allowing it wouldn't be a good idea in my view.

> allow mozilla_plugin_t user_home_t:file { write execute unlink };

this looks unfamiliar to me. (can you enclose raw avc denial of this?)

> allow mozilla_plugin_t xguest_dbusd_t:dbus acquire_svc;

In theory this should have been allowed. Not sure why it didn't work.

> 
> #============= pulseaudio_t ==============
> allow pulseaudio_t mozilla_plugin_tmpfs_t:file { read open getattr unlink };

This was fixed in rawhide but probably not backported to f15?

> 
> #============= xguest_t ==============
> allow xguest_t mozilla_plugin_tmpfs_t:file read;

Not sure about this

Comment 19 Dominick Grift 2011-06-29 21:54:26 UTC
(In reply to comment #18)

> > 
> > #============= xguest_t ==============
> > allow xguest_t mozilla_plugin_tmpfs_t:file read;
> 
> Not sure about this

Actually this is also fixed in rawhide, but the fix is not backported to f15.

In rawhide mozilla_plugin_tmpfs_t is a user_tmpfs_file (and users have file access to user_tmpfs_file).

Comment 20 Miroslav Grepl 2011-06-30 10:50:06 UTC
Added to selinux-policy-3.9.16-31.fc15

Comment 21 Fedora Update System 2011-06-30 15:58:51 UTC
selinux-policy-3.9.16-31.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-31.fc15

Comment 22 Fedora Update System 2011-07-01 18:55:19 UTC
Package selinux-policy-3.9.16-32.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-32.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-32.fc15
then log in and leave karma (feedback).

Comment 23 jhgmvi 2011-07-06 20:03:33 UTC
> 
> > allow mozilla_plugin_t user_home_t:file { write execute unlink };
> 
> this looks unfamiliar to me. (can you enclose raw avc denial of this?)
> 
The relevant AVCs below:

type=AVC msg=audit(1307742556.163:160): avc:  denied  { unlink } for  pid=3208 comm="gst-plugin-scan" name="orcexec.flz5w6" dev=tmpfs ino=39089 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1307742556.163:161): avc:  denied  { write } for  pid=3208 comm="gst-plugin-scan" name="orcexec.flz5w6" dev=tmpfs ino=39089 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1307742556.163:162): avc:  denied  { execute } for  pid=3208 comm="gst-plugin-scan" path=2F686F6D652F7867756573742F6F7263657865632E666C7A357736202864656C6574656429 dev=tmpfs ino=39089 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file

Comment 24 Dominick Grift 2011-07-06 20:10:33 UTC
Oh right, that's also that same bug in liborc. It should be putting these files in /tmp. I expect a fix for this to hit the repositories soon.

Comment 25 jhgmvi 2011-07-06 20:50:45 UTC
(In reply to comment #22)
> Package selinux-policy-3.9.16-32.fc15:
> * should fix your issue,

selinux-policy-3.9.16-32.fc15 fixes the issue; gecko-mediaplayer no longer crashes, but there are still some AVCs which do not prevent the plugin from running. AVCs below:

type=AVC msg=audit(1309984265.452:76): avc:  denied  { create } for  pid=1578 comm="gst-plugin-scan" name="orcexec.NmnMHu" scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1309984265.452:76): avc:  denied  { read write open } for  pid=1578 comm="gst-plugin-scan" name="orcexec.NmnMHu" dev=tmpfs ino=20900 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1309984265.477:77): avc:  denied  { unlink } for  pid=1578 comm="gst-plugin-scan" name="orcexec.NmnMHu" dev=tmpfs ino=20900 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1309984265.477:78): avc:  denied  { execute } for  pid=1578 comm="gst-plugin-scan" path=2F686F6D652F7867756573742F6F7263657865632E4E6D6E4D4875202864656C6574656429 dev=tmpfs ino=20900 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1309984276.515:82): avc:  denied  { write } for  pid=1412 comm="gconfd-2" name="linc-629-0-777d80ba7dcf7" dev=tmpfs ino=20995 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:object_r:mozilla_plugin_tmp_t:s0 tclass=sock_file

Comment 26 Dominick Grift 2011-07-06 21:03:23 UTC
(In reply to comment #25)
> (In reply to comment #22)
> > Package selinux-policy-3.9.16-32.fc15:
> > * should fix your issue,
> 
> selinux-policy-3.9.16-32.fc15 fixes the issue; gecko-mediaplayer no longer crashes,
> but there are still some AVCs which do not prevent the plugin from running. AVCs below:
> 
> type=AVC msg=audit(1309984265.452:76): avc:  denied  { create } for  pid=1578
> comm="gst-plugin-scan" name="orcexec.NmnMHu"
> scontext=xguest_u:xguest_r:mozilla_plugin_t:s0
> tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file
> type=AVC msg=audit(1309984265.452:76): avc:  denied  { read write open } for 
> pid=1578 comm="gst-plugin-scan" name="orcexec.NmnMHu" dev=tmpfs ino=20900
> scontext=xguest_u:xguest_r:mozilla_plugin_t:s0
> tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file
> type=AVC msg=audit(1309984265.477:77): avc:  denied  { unlink } for  pid=1578
> comm="gst-plugin-scan" name="orcexec.NmnMHu" dev=tmpfs ino=20900
> scontext=xguest_u:xguest_r:mozilla_plugin_t:s0
> tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file
> type=AVC msg=audit(1309984265.477:78): avc:  denied  { execute } for  pid=1578
> comm="gst-plugin-scan"
> path=2F686F6D652F7867756573742F6F7263657865632E4E6D6E4D4875202864656C6574656429
> dev=tmpfs ino=20900 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0
> tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file

The above AVC denials are all due to a bug in liborc. selinux-policy cannot fix it; it must be fixed in the liborc package.

> type=AVC msg=audit(1309984276.515:82): avc:  denied  { write } for  pid=1412
> comm="gconfd-2" name="linc-629-0-777d80ba7dcf7" dev=tmpfs ino=20995
> scontext=xguest_u:xguest_r:xguest_t:s0
> tcontext=xguest_u:object_r:mozilla_plugin_tmp_t:s0 tclass=sock_file

This should be fixed though. It's stream-connecting to gconf, but since mozilla plugin seems to create its gconf socket with type mozilla_plugin_tmp_t, only the write_sock_file_perms needs to be allowed; the connectto part (guest_t self:unix_stream_socket connectto;) is already allowed, obviously.

Comment 27 Dominick Grift 2011-07-06 21:28:35 UTC
Err, I meant this is already there in mozilla_run_plugin:

- allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };

(not sure what the rw_socket_perms are for)

+ stream_connect_pattern($1, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_t)
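
Review bot: the removed allow's rw_socket_perms on mozilla_plugin_t:unix_stream_socket is not re-granted by the added stream_connect_pattern, which expands to search on the mozilla_plugin_tmp_t directory type, write_sock_file_perms on the mozilla_plugin_tmp_t sock_file and connectto to mozilla_plugin_t. That covers the gconfd-2 write denial on the mozilla_plugin_tmp_t sock_file quoted in comment 25, but it drops read/write (and the rest of rw_socket_perms) on a mozilla_plugin_t stream socket the caller already holds, for instance one inherited over a descriptor. Either confirm nothing relies on that, or keep `allow $1 mozilla_plugin_t:unix_stream_socket rw_socket_perms;` beside the new pattern.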

Comment 29 Dominick Grift 2011-07-06 21:48:43 UTC
Darn, that actually isn't really needed because that is supposed to be a user_tmp_file which users can manage...
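
The workflow this thread does by hand, reducing raw AVC records into allow rules (the audit2allow iterations in the description and the semodule -DB procedure in comment 9), reading the hex-encoded path= values in comments 23 and 25, and deciding which generated rules are acceptable (comments 18 and 26), as an added Python example. This is not code from the bug report, from audit2allow or from selinux-policy. The sample records are copied from the report's comments; the ANOM_ABEND line is included to show that non-AVC records are skipped, and the risk heuristics in review() are this example's own assumptions, not policy.

```python
"""Added example (not from the bug report, audit2allow or selinux-policy): an
audit2allow-style reducer for raw AVC records. It groups denied permissions per
(source type, target type, class) into allow rules, decodes the hex-encoded
path=/name= values the kernel emits when a string holds a space or a
non-printable byte (the " (deleted)" suffix of an unlinked tmpfs file does
that), and flags rules a reviewer would push back on. The heuristics in
review() are this example's assumptions, not policy."""
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')

# Generic home types: a confined plugin should not write them (a write there
# usually means a mislabelled file) and must never execute from them.
HOME_TYPES = {'user_home_t', 'user_home_dir_t'}
WRITE_LIKE = {'write', 'create', 'unlink', 'setattr', 'append', 'rename'}

def decode_field(raw):
    """audit quotes printable strings; an unquoted name=/path= value is hex."""
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX_RE.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw

def type_of(context):
    """'xguest_u:xguest_r:mozilla_plugin_t:s0' -> 'mozilla_plugin_t'"""
    return context.split(':')[2]

def parse_avc(line):
    """Fields of one type=AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    raw = dict(KV_RE.findall(m.group('rest')))
    path = raw.get('path') or raw.get('name')
    return {'perms': set(m.group('perms').split()),
            'source': type_of(raw['scontext']), 'target': type_of(raw['tcontext']),
            'tclass': raw['tclass'], 'comm': raw.get('comm', '').strip('"'),
            'path': decode_field(path) if path else ''}

def reduce_rules(lines):
    """{(source, target, class): perms} over all records, as audit2allow does.
    Re-run after each iteration: a later denial is only logged once the
    earlier one is allowed (or use semodule -DB plus permissive mode)."""
    rules = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        rules[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return dict(rules)

def format_rule(key, perms):
    src, tgt, cls = key
    p = ' '.join(sorted(perms))
    return f'allow {src} {tgt}:{cls} {p};' if len(perms) == 1 else f'allow {src} {tgt}:{cls} {{ {p} }};'

def review(rules):
    """Findings (assumed heuristics) for rules that must not be shipped blindly."""
    findings = []
    for (src, tgt, cls), perms in rules.items():
        if tgt not in HOME_TYPES:
            continue
        if cls == 'file' and 'execute' in perms and perms & WRITE_LIKE:
            findings.append((src, tgt, cls, 'write+execute: app creates and runs a '
                             'scratch file in $HOME; fix the app (use /tmp), do not allow'))
        elif cls in ('file', 'dir') and perms & WRITE_LIKE:
            findings.append((src, tgt, cls, 'write to a generic home type: usually a '
                             'mislabelled file; check matchpathcon, run restorecon'))
    return findings

# Records copied from the report (comments 0 and 25); the ANOM_ABEND line from
# comment 0 is there to show that non-AVC records are skipped.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1307467526.905:66): avc:  denied  { write } for  pid=1635 comm="gnome-mplayer-m" name=".pulse-cookie" dev=tmpfs ino=83836 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1307467526.912:67): avc:  denied  { setattr } for  pid=1635 comm="gnome-mplayer-m" name=".pulse" dev=tmpfs ino=83840 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_t:s0 tclass=dir',
    'type=ANOM_ABEND msg=audit(1307467528.761:68): auid=501 uid=501 gid=501 ses=2 subj=xguest_u:xguest_r:mozilla_plugin_t:s0 pid=1635 comm="gnome-mplayer-m" sig=6',
    'type=AVC msg=audit(1309984265.452:76): avc:  denied  { create } for  pid=1578 comm="gst-plugin-scan" name="orcexec.NmnMHu" scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file',
    'type=AVC msg=audit(1309984265.452:76): avc:  denied  { read write open } for  pid=1578 comm="gst-plugin-scan" name="orcexec.NmnMHu" dev=tmpfs ino=20900 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file',
    'type=AVC msg=audit(1309984265.477:77): avc:  denied  { unlink } for  pid=1578 comm="gst-plugin-scan" name="orcexec.NmnMHu" dev=tmpfs ino=20900 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file',
    'type=AVC msg=audit(1309984265.477:78): avc:  denied  { execute } for  pid=1578 comm="gst-plugin-scan" path=2F686F6D652F7867756573742F6F7263657865632E4E6D6E4D4875202864656C6574656429 dev=tmpfs ino=20900 scontext=xguest_u:xguest_r:mozilla_plugin_t:s0 tcontext=xguest_u:object_r:user_home_dir_t:s0 tclass=file',
    'type=AVC msg=audit(1309984276.515:82): avc:  denied  { write } for  pid=1412 comm="gconfd-2" name="linc-629-0-777d80ba7dcf7" dev=tmpfs ino=20995 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:object_r:mozilla_plugin_tmp_t:s0 tclass=sock_file',
]

if __name__ == '__main__':
    rules = reduce_rules(SAMPLE_AVCS)
    for key in sorted(rules):
        print(format_rule(key, rules[key]))
    for d in filter(None, map(parse_avc, SAMPLE_AVCS)):
        if d['path'].startswith('/'):
            print(f"# {d['comm']} touched {d['path']}")
    for src, tgt, cls, why in review(rules):
        print(f'# REVIEW {src} -> {tgt}:{cls}: {why}')
```

On a real system, feed it the output of `grep -h avc /var/log/audit/audit.log /var/log/messages` collected after `semodule -DB` and `setenforce 0`, so that dontaudit'ed denials and denials that only surface after an earlier one is allowed are all in one pass. Decoding the execute record's path= shows the file is /home/xguest/orcexec.NmnMHu (deleted): a scratch file created, written and executed in the home directory, which is the liborc behaviour the thread says must be fixed in the application rather than allowed in policy, and review() flags exactly that rule rather than the mozilla_plugin_tmp_t socket write that the policy update legitimately covers.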

Comment 30 Fedora Update System 2011-07-08 18:09:35 UTC
selinux-policy-3.9.16-32.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.