Bug 732841

| Field | Value |
|---|---|
| Summary | SELinux prevented "totem-plugin-viewer" read write on 'card0' |
| Product | Fedora |
| Reporter | Martin Kho <rh-bugzilla> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 16 |
| CC | dominick.grift, dwalsh, mgrepl |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Last Closed | 2011-11-21 23:06:16 UTC |
Hi,

Huh?

After updating selinux to version -20 and starting a video (using totem-mozplugin) I get the following AVC in audit.log:

```
type=AVC msg=audit(1313585630.271:763): avc: denied { read } for pid=12277 comm="kde4-config" name="config" dev=sda6 ino=9779 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir
```

In the current policy, it seems, the following dontaudit rule exists: "allow mozilla_plugin_t config_usr_t:dir { getattr search };"

I don't know if this AVC is relevant?

Martin Kho
You can turn the transition off:

```
setsebool -P unconfined_mozilla_plugin_transition 0
```

And then restart firefox. I will add the reading of the config_usr_t. I am not so sure about adding read write of the dri_device_t. You could build a custom policy of your own to allow this:

```
grep mozilla_plugin_t /var/log/audit/audit.log | audit2allow -M mymozillaplugin
semodule -i mymozillaplugin.pp
```

Hi Daniel,
Turning the transition off didn't help. I got the socket[1] issue back. Next I created a custom policy. That worked, of course :-) Then I disabled the following allow rule in the .te file:

```
# allow mozilla_plugin_t dri_device_t:chr_file { read write }
```

rebuilt the policy manually and reloaded it into the kernel.

Totem-mozplugin worked as expected. So read write of the dri_device_t seems to be unnecessary.

For your reference, I'll upload the .te file.

Martin Kho

[1] https://bugzilla.redhat.com/show_bug.cgi?id=729707
Created attachment 519599 [details]
mymozillaplugin module
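The workflow discussed in this thread (grep the AVC denials for one source type, let audit2allow turn them into a module, then drop the rule that turns out to be unnecessary) can be shown in miniature. The following is an added example, not code from the bug report, from audit2allow or from the selinux-policy project: it parses AVC records into `allow` rules keyed by (source type, target type, class), and renders a `.te` module in the same layout audit2allow emits, with an optional exclusion list that comments a rule out instead of granting it, the way the reporter did for `dri_device_t`. The sample audit lines are constructed from the two AVCs quoted on this page; the function names and the `exclude_targets` parameter are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this bug, plus an unrelated
# SYSCALL record, as they would appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1313518827.157:516): avc: denied { read write } for pid=2189 comm="totem-plugin-vi" name="card0" dev=devtmpfs ino=8261 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
type=AVC msg=audit(1313585630.271:763): avc: denied { read } for pid=12277 comm="kde4-config" name="config" dev=sda6 ino=9779 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1313518827.157:516): arch=c000003e syscall=2 success=no exit=-13
"""

# Pull the denied permission set and the three fields a TE rule needs out of
# one AVC record; everything else in the line is ignored.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(log_text, source_type=None):
    """Map (source type, target type, class) -> set of denied permissions.

    source_type, when given, keeps only denials whose scontext type matches,
    which is what `grep mozilla_plugin_t audit.log` does in the thread above.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, CWD, PATH, ...)
        src = type_of(m["scontext"])
        if source_type and src != source_type:
            continue
        rules[(src, type_of(m["tcontext"]), m["tclass"])].update(m["perms"].split())
    return rules


def format_perms(perms):
    """Render one permission bare and several as `{ a b }`, sorted for stable output."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules, exclude_targets=frozenset(), version="1.0"):
    """Render a policy module source in audit2allow's layout.

    Rules whose target type is in exclude_targets are written commented out,
    so the module documents the denial without granting it (the reporter's
    least-privilege step: drop the rule, rebuild, confirm it was not needed).
    """
    active = {k: v for k, v in rules.items() if k[1] not in exclude_targets}
    types = sorted({k[0] for k in rules} | {k[1] for k in active})
    classes = defaultdict(set)
    for (_, _, cls), perms in active.items():
        classes[cls].update(perms)

    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {format_perms(perms)};"
        lines.append(rule if tgt not in exclude_targets else "# " + rule)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG, source_type="mozilla_plugin_t")
    print(render_te("mymozillaplugin", denials, exclude_targets={"dri_device_t"}))
```

Running the block prints a module that requires `mozilla_plugin_t` and `config_usr_t`, allows `dir read` on `config_usr_t`, and carries the `dri_device_t` rule only as a comment. The point of the exclusion list is the check the reporter performed by hand: a denial in the log is evidence that an access was attempted, not that it is needed, so each generated rule is worth confirming against the application before it is loaded with `semodule -i`.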
Hi,

I'm running F16 now and haven't seen this issue. So this report can be closed, I suppose.

Thanks,
Martin Kho

Hi,

Final I mean :-)

Martin Kho

Description of problem:
In KDE SELinux is preventing totem-mozplugin from running in Firefox. After running semodule -DB, the following AVC appears in /var/log/audit/audit.log:

```
type=AVC msg=audit(1313518827.157:516): avc: denied { read write } for pid=2189 comm="totem-plugin-vi" name="card0" dev=devtmpfs ino=8261 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
```

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-18.fc16.noarch

How reproducible:
always

Steps to Reproduce:
1. Start a video in Firefox that uses totem-mozplugin
2. Video won't start
3.

Actual results:
The plugin doesn't start

Expected results:
The plugin starts

Additional info: