Bug 729707
Summary: | SELinux is 'blocking' Firefox's plugin-container
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy
Version: | 16
Hardware: | x86_64
OS: | Linux
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Reporter: | Martin Kho <rh-bugzilla>
Assignee: | Miroslav Grepl <mgrepl>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | dominick.grift, dwalsh, mgrepl
Fixed In Version: | selinux-policy-3.10.0-18.fc16
Doc Type: | Bug Fix
Last Closed: | 2011-08-23 20:25:48 UTC

Description
Martin Kho
2011-08-10 15:17:28 UTC
Are you seeing any AVC messages?

Hi Daniel,

Sorry, forgot to mention. There are no messages in /var/log/audit/audit.log. That's really strange with this issue.

Martin Kho

Try to execute

# semodule -DB

and re-test it.

Hi Miroslav,

Sorry, but no success ;-(

What I did:
1. change SELINUX=permissive to enforcing
2. reboot
3. run semodule -DB
4. run Firefox and go to arstechnica.com
5. reboot
6. run again Firefox and go to arstechnica.com

Martin Kho

We are looking for the AVC messages related to running firefox with dontaudit rules disabled.

semodule -DB

Will disable dontaudit rules. No reboot required.

semodule -B

Will turn them back on.

Hi Daniel,

dmesg shows the following avc's:

[ 223.361862] type=1400 audit(1313077457.220:269): avc: denied { write } for pid=1604 comm="plugin-containe" path="/home/martin/.xsession-errors" dev=sda6 ino=262178 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
[ 223.362231] type=1400 audit(1313077457.220:270): avc: denied { write } for pid=1604 comm="plugin-containe" path="/home/martin/.xsession-errors" dev=sda6 ino=262178 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
[ 223.362443] type=1400 audit(1313077457.221:271): avc: denied { read write } for pid=1604 comm="plugin-containe" path="socket:[27219]" dev=sockfs ino=27219 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
[ 223.362650] type=1400 audit(1313077457.221:272): avc: denied { read write } for pid=1604 comm="plugin-containe" path="socket:[27043]" dev=sockfs ino=27043 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

In /var/log/audit/audit.log appears nothing

Hope this helps,

Martin Kho

See if those fix your problem.
# grep mozilla_plugin_t /var/log/audit/audit.log | grep stream | audit2allow -M mymozillaplugin
# semodule -i mymozillaplugin.pp

And then see if firefox works.

The first command gives the following error:

compilation failed:
mymozillaplugin.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mymozillaplugin.te

cat mymozillaplugin.te:

module mymozillaplugin 1.0;

Martin Kho

Looks like it did not find any avcs.

Hi,

It looks like that after July 30 no messages are written to audit.log

-rw-------. 1 root root 2381574 Jul 30 10:09 /var/log/audit/audit.log

Any ideas about this?

Hi,

Found! systemd issue. I had to run systemctl enable auditd.service. After executing the commands from comment #7 Firefox works fine.

Thanks,

Martin Kho

Fixed in selinux-policy-3.10.0-19.fc16

selinux-policy-3.10.0-18.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-18.fc16

Hi,

Updated to 3.10.0-18 (comment 13), but it didn't solve the issue. Maybe I did something wrong.

1. I removed module mymozillaplugin (semodule -r <module>)
2. Updated selinux-policy[-targeted]
3. rebooted
4. run Firefox and went to arstechnica.com

Martin Kho

Note: I'll attach the mymozillaplugin.te file

Created attachment 517896
mymozillaplugin.te

Package selinux-policy-3.10.0-18.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-18.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-18.fc16
then log in and leave karma (feedback).

As I said it would be fixed in -19 not -18. Miroslav must have accidentally included this bug.

Hi Daniel,

Reading is also a competency :-) Sorry!

Martin Kho

selinux-policy-3.10.0-18.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

Hi,

Version -18 didn't solve this issue, but -20 (from koji) did :-)

Thanks,

Martin Kho
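
Added example, not part of the bug thread and not code from Fedora or the selinux-policy project: a small Python triage helper that groups AVC denials like the ones quoted above into reviewable allow-rule text, and that fails loudly in the situation this report ran into, where a silent audit.log produced a module containing only its header. The function names and the one-hour staleness threshold are assumptions made for illustration.

```python
import os
import re
import time
from collections import defaultdict

# Sample records copied from the dmesg output quoted in this bug report.
SAMPLE = """\
[ 223.361862] type=1400 audit(1313077457.220:269): avc: denied { write } for pid=1604 comm="plugin-containe" path="/home/martin/.xsession-errors" dev=sda6 ino=262178 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
[ 223.362231] type=1400 audit(1313077457.220:270): avc: denied { write } for pid=1604 comm="plugin-containe" path="/home/martin/.xsession-errors" dev=sda6 ino=262178 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:xdm_home_t:s0 tclass=file
[ 223.362443] type=1400 audit(1313077457.221:271): avc: denied { read write } for pid=1604 comm="plugin-containe" path="socket:[27219]" dev=sockfs ino=27219 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text, source_type=None):
    """Group denials as (source type, target type, class) -> set of permissions."""
    denials = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(log_text):
        src = selinux_type(scon)
        if source_type is None or src == source_type:
            denials[(src, selinux_type(tcon), tclass)].update(perms.split())
    return dict(denials)

def render(denials):
    """Format denials as allow-rule text for review; fail loudly on empty input."""
    if not denials:
        raise ValueError("no AVC denials matched; is auditd running and the log current?")
    out = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {body};")
    return out

def log_is_stale(path, max_age_seconds=3600, now=None):
    """True when the log was last written more than max_age_seconds ago."""
    now = time.time() if now is None else now
    return now - os.path.getmtime(path) > max_age_seconds

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE, "mozilla_plugin_t"))))
```

The rendered lines are for reading and review only; a local module built from them should be removed once a fixed selinux-policy package is installed, as was done later in this thread.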